Per my understanding, being on CUCM 8+ implies security-by-default is in use and your phone is going to get an ITL file and thus request signed config files:<div><br></div><div><a href="https://supportforums.cisco.com/docs/DOC-17679">https://supportforums.cisco.com/docs/DOC-17679</a><br>
<div><p>Security By Default provides these three functions for supported IP
Phones:</p>
<ol>
<li>Default authentication of TFTP downloaded files (configuration, locale,
ringlist, etc) using a signing key.
</li><li>Optional encryption of TFTP configuration files using a signing key.
</li><li>Certificate verification for phone initiated HTTPS connections using a
remote certificate trust store on Communications Manager (Trust Verification
Service).</li></ol><div><br></div><div class="gmail_quote">On Mon, May 21, 2012 at 4:28 PM, Ovidiu Popa <span dir="ltr"><<a href="mailto:ovi.popa@gmail.com" target="_blank">ovi.popa@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
My understanding is that ITL is required for several reasons:<br>
- used to store the trusted certificates required for the TLS
session to the TVS web service (not related to cluster mixed mode as
https web services can be activated even if the cluster is unsecure)<br>
- used to validate file signatures (only if the cluster is in mixed
mode)<br>
<br>
If this is correct I think it is normal that I have an ITL file but
my question still stands: how come the phone requests a signed file
if the cluster is not secure?<br>
<br>
Thanks,<br>
Ovidiu<div><div class="h5"><br>
<br>
<br>
<br>
On 21/May/12 8:03 PM, Ed Leatherman wrote:
<blockquote type="cite">Hello,
<div><br>
</div>
<div>My understanding is that the phone requests a CTL or ITL file
when it boots. If it ever actually gets a CTL or ITL file, from
that point on it will always request a signed configuration
file, unless the CTL or ITL files are manually deleted from the
phone. If I'm incorrect hopefully someone will chime in :)</div>
<div><br>
</div>
<div>Ed<br>
<br>
<div class="gmail_quote">On Mon, May 21, 2012 at 1:12 PM, Ovidiu
Popa <span dir="ltr"><<a href="mailto:ovi.popa@gmail.com" target="_blank">ovi.popa@gmail.com</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>Hello everyone </div>
<div><br>
</div>
<div>Anyone know how a phone detects if it needs to download
a signed or unsigned configuration file? </div>
<div><br>
</div>
<div>I have a few phones that keep requesting signed files
even though the cluster is not in mixed mode and I cannot
identify why they behave this way. Does the ITL file
contain information about the cluster security mode? </div>
<div><br>
</div>
<div>The phone logs say that the TFTP server is secure and
keep trying for the cnf.xml.sgn files. Where does it get
this information?</div>
<div><br>
</div>
<div>Thanks for any input.</div>
<div><br>
</div>
<div>
Regards.</div>
<span><font color="#888888">
<div>Ovidiu</div>
</font></span><br>
_______________________________________________<br>
cisco-voip mailing list<br>
<a href="mailto:cisco-voip@puck.nether.net" target="_blank">cisco-voip@puck.nether.net</a><br>
<a href="https://puck.nether.net/mailman/listinfo/cisco-voip" target="_blank">https://puck.nether.net/mailman/listinfo/cisco-voip</a><br>
<br>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Ed Leatherman<br>
<br>
</div>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Ed Leatherman<br><br>
</div></div>
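For the symptom in the original question (phones that keep asking for cnf.xml.sgn files), one way to see from the TFTP side which devices are requesting signed versus unsigned configuration is to group read requests by device name. This is an added example, not part of the thread and not Cisco code; the log line layout and the sample lines are constructed, and the `CTLSEP<MAC>.tlv` / `ITLSEP<MAC>.tlv` file-name patterns are assumptions (only `.cnf.xml.sgn` is named in the thread).

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines. The "RRQ from <ip> file <name>" layout is an
# assumption: adapt LINE_RE to the TFTP log or capture export you have.
SAMPLE_LOG = """\
2012-05-21T16:01:02 RRQ from 10.1.1.21 file CTLSEP001122334455.tlv
2012-05-21T16:01:02 RRQ from 10.1.1.21 file ITLSEP001122334455.tlv
2012-05-21T16:01:03 RRQ from 10.1.1.21 file SEP001122334455.cnf.xml.sgn
2012-05-21T16:02:10 RRQ from 10.1.1.30 file SEP00AABBCCDDEE.cnf.xml
2012-05-21T16:03:44 RRQ from 10.1.1.42 file SEP0011223344FF.cnf.xml.sgn
2012-05-21T16:03:45 RRQ from 10.1.1.42 file SEP0011223344FF.cnf.xml.sgn
"""

LINE_RE = re.compile(r"RRQ from (?P<ip>\S+) file (?P<name>\S+)")

# Request kinds keyed by file-name pattern; the CTL/ITL names are assumed.
KINDS = [
    ("ctl", re.compile(r"^CTL(SEP[0-9A-F]{12})\.tlv$", re.I)),
    ("itl", re.compile(r"^ITL(SEP[0-9A-F]{12})\.tlv$", re.I)),
    ("signed_cfg", re.compile(r"^(SEP[0-9A-F]{12})\.cnf\.xml\.sgn$", re.I)),
    ("unsigned_cfg", re.compile(r"^(SEP[0-9A-F]{12})\.cnf\.xml$", re.I)),
]

def classify(log_text):
    """Return {device name: Counter(request kind -> count)}."""
    seen = defaultdict(Counter)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a read request, ignore
        for kind, pattern in KINDS:
            f = pattern.match(m.group("name"))
            if f:
                seen[f.group(1).upper()][kind] += 1
                break
    return dict(seen)

def stuck_on_signed(seen, threshold=2):
    """Devices that asked for the .sgn file at least `threshold` times
    and never asked for the unsigned file in the same log window."""
    return sorted(dev for dev, c in seen.items()
                  if c["signed_cfg"] >= threshold and c["unsigned_cfg"] == 0)

if __name__ == "__main__":
    result = classify(SAMPLE_LOG)
    for dev, counts in sorted(result.items()):
        print(dev, dict(counts))
    print("repeated signed-only requests:", stuck_on_signed(result))
```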