<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 14 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:Tahoma;
panose-1:2 11 6 4 3 5 4 4 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
margin-bottom:.0001pt;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
{mso-style-priority:99;
color:purple;
text-decoration:underline;}
p
{mso-style-priority:99;
mso-margin-top-alt:auto;
margin-right:0in;
mso-margin-bottom-alt:auto;
margin-left:0in;
font-size:12.0pt;
font-family:"Times New Roman","serif";}
span.EmailStyle18
{mso-style-type:personal-reply;
font-family:"Calibri","sans-serif";
color:#1F497D;}
.MsoChpDefault
{mso-style-type:export-only;
font-size:10.0pt;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
/* List Definitions */
@list l0
{mso-list-id:1586374955;
mso-list-template-ids:894330162;}
ol
{margin-bottom:0in;}
ul
{margin-bottom:0in;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-US link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>There is the Pre-8.0 Rollback Service Parameter that disables ITL, but you need it set before phones see the upgraded CallManager. So for any upgrade you need to shut down phones first, I suspect.<o:p></o:p></span></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0in 0in 0in'><p class=MsoNormal><b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> cisco-voip-bounces@puck.nether.net [mailto:cisco-voip-bounces@puck.nether.net] <b>On Behalf Of </b>Ed Leatherman<br><b>Sent:</b> Monday, May 21, 2012 4:35 PM<br><b>To:</b> Ovidiu Popa<br><b>Cc:</b> cisco-voip<br><b>Subject:</b> Re: [cisco-voip] cnf.xml.sgn for non-secure cluster?<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><br><br>Per my understanding, being on CUCM 8+ implies security-by-default is in use and your phone is going to get an ITL file and thus request signed config files:<o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><a href="https://supportforums.cisco.com/docs/DOC-17679">https://supportforums.cisco.com/docs/DOC-17679</a><o:p></o:p></p><div><p>Security By Default provides these three functions for supported IP Phones:<o:p></o:p></p><ol start=1 type=1><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'>Default authentication of TFTP downloaded files (configuration, locale, ringlist, etc.) using a signing key. 
<o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'>Optional encryption of TFTP configuration files using a signing key. <o:p></o:p></li><li class=MsoNormal style='mso-margin-top-alt:auto;mso-margin-bottom-alt:auto;mso-list:l0 level1 lfo1'>Certificate verification for phone-initiated HTTPS connections using a remote certificate trust store on Communications Manager (Trust Verification Service).<o:p></o:p></li></ol><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>On Mon, May 21, 2012 at 4:28 PM, Ovidiu Popa <<a href="mailto:ovi.popa@gmail.com" target="_blank">ovi.popa@gmail.com</a>> wrote:<o:p></o:p></p><div><p class=MsoNormal>My understanding is that ITL is required for several reasons:<br>- used to store the trusted certificates required for the TLS session to the TVS web service (not related to cluster mixed mode, as HTTPS web services can be activated even if the cluster is unsecure)<br>- used to validate file signatures (only if the cluster is in mixed mode)<br><br>If this is correct, I think it is normal that I have an ITL file, but my question still stands: how come the phone requests a signed file if the cluster is not secure?<br><br>Thanks,<br>Ovidiu<o:p></o:p></p><div><div><p class=MsoNormal><br><br><br><br>On 21/May/12 8:03 PM, Ed Leatherman wrote: <o:p></o:p></p><p class=MsoNormal>Hello, <o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>My understanding is that the phone requests a CTL or ITL file when it boots. If it ever actually gets a CTL or ITL file, from that point on it will always request a signed configuration file, unless the CTL or ITL files are manually deleted from the phone. 
If I'm incorrect, hopefully someone will chime in :)<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal style='margin-bottom:12.0pt'>Ed<o:p></o:p></p><div><p class=MsoNormal>On Mon, May 21, 2012 at 1:12 PM, Ovidiu Popa <<a href="mailto:ovi.popa@gmail.com" target="_blank">ovi.popa@gmail.com</a>> wrote:<o:p></o:p></p><div><p class=MsoNormal>Hello everyone, <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Anyone know how a phone detects if it needs to download a signed or unsigned configuration file? <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>I have a few phones that keep requesting a signed file even though the cluster is not in mixed mode, and I cannot identify why they behave this way. Does the ITL file contain information about the cluster security mode? <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>The phone logs say that the TFTP server is secure, and the phone keeps trying for the cnf.xml.sgn files. 
Where does it get this information?<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Thanks for any input.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Regards,<o:p></o:p></p></div><div><p class=MsoNormal><span style='color:#888888'>Ovidiu<o:p></o:p></span></p></div><p class=MsoNormal style='margin-bottom:12.0pt'><br>_______________________________________________<br>cisco-voip mailing list<br><a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br><a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><o:p></o:p></p></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>-- <br>Ed Leatherman<o:p></o:p></p></div><p class=MsoNormal><o:p> </o:p></p></div></div></div></div><p class=MsoNormal><br><br clear=all><o:p></o:p></p><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'>-- <br>Ed Leatherman<o:p></o:p></p></div></div></div></body></html>