Cisco Unity Connection Minimum TLS Version Support EDCS - 11528243 JAN 01 2017
Notice The information in this presentation is provided under Non-Disclosure agreement and should be treated as Cisco Confidential. Under no circumstances is this information to be shared further without the express consent of Cisco. Any roadmap item is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.
Abbreviations
CLI – Command Line Interface
CUC – Cisco Unity Connection
TLS – Transport Layer Security
Agenda
Introduction
What's New
Configuration
Demo
Troubleshooting Tips
References
Introduction
Introduction
Cisco Collaboration products use TLSv1.0 for transport-layer encryption of signaling and client-server communication, and TLSv1.0 is no longer considered secure. Products are therefore required to support TLSv1.2 and to restrict TLS negotiation so that it cannot fall back to a less secure version (e.g., TLSv1.0).
Example: If a browser that only supports TLSv1.0 tries to connect to a server that only accepts TLSv1.2, the browser will not be able to establish a connection with the server.
What's New
CUC already supports TLSv1.0, TLSv1.1 and TLSv1.2. However, there was no way to restrict TLS negotiations to a minimum TLS version.
From Release 12.0 onwards, the System Administrator can configure a minimum TLS version via the admin CLI command:
admin: set tls min-version <tls minVersion>
Once the minimum TLS version is set, a negotiation succeeds only if the peer supports the configured TLS version or a higher version.
This applies to all inbound interfaces supported by CUC. For the list of supported interfaces, refer to the "IP Communications Required by Cisco Unity Connection" chapter of the "Security Guide for Cisco Unity Connection Release 12.x", available at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/security/b_12xcucsecx/b_12xcucsecx_chapter_00.html
Configuration
Configuring Minimum TLS version
To configure the minimum TLS version, use the CLI below:
admin: set tls min-version <tls minVersion>
where the value of 'tls minVersion' can be 1.0, 1.1 or 1.2.
Example: set tls min-version 1.1
Note: On a cluster, the above CLI MUST be executed on both nodes explicitly.
Demo
Scenario 1: Connect Server (TLSv1.2) with any browser on TLSv1.2
Set the TLS version to "TLSv1.2" in CUC and reboot the system.
Check the TLS version with the CLI: admin: show tls min-version
Connect any browser (TLSv1.2) to the server.
Wireshark Snapshot: Handshake is successful
Scenario 2: Connect Server (TLSv1.1) with any browser on TLSv1.0
Set the TLS version to "TLSv1.1" in CUC and reboot the system.
Check the TLS version with the CLI: admin: show tls min-version
Connect any browser (TLSv1.0) to the server. The error below can be seen in Internet Explorer.
Wireshark Snapshot: Handshake failed
Troubleshooting Tips
Troubleshooting: Annotated Logs
Problem Statement 1: A secure connection that was working earlier fails after the minimum TLS version is set.
Action Required: Check whether the peer supports a TLS version greater than or equal to the configured minimum TLS value. To verify the configured value on CUC, use the CLI: show tls min-version
Annotated Logs Wiki: Annotated diagnostics for Minimum TLS Configuration
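As an added example (not from this deck or from Cisco), the check below scripts Scenarios 1 and 2 across the TLS-only inbound ports from the Supported Interfaces table: each port is probed with a client pinned to TLSv1.0, TLSv1.1 and TLSv1.2, and the observed results are compared with what `set tls min-version` should enforce, so a node that still accepts a version below the minimum (for example the second cluster node where the CLI was not run) shows up as a finding. The port list, the `probe`/`findings`/`audit` names and the SECLEVEL adjustment are assumptions.

```python
import socket
import ssl

# Client-side versions matching the values accepted by 'set tls min-version'.
PROBE_VERSIONS = {
    "1.0": ssl.TLSVersion.TLSv1,
    "1.1": ssl.TLSVersion.TLSv1_1,
    "1.2": ssl.TLSVersion.TLSv1_2,
}

# Inbound ports that speak TLS directly (from the Supported Interfaces table; SIP
# range represented by 5061). IMAP 143 / SMTP 25 use STARTTLS and LDAP 636 is
# outbound, so they are not probed here (assumption: adjust to your deployment).
CUC_TLS_PORTS = [443, 8443, 8444, 7443, 993, 5061]

def expected_accept(min_version: str, client_version: str) -> bool:
    """Policy of the CLI: negotiate only if the peer offers the minimum or higher."""
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return as_tuple(client_version) >= as_tuple(min_version)

def probe(host: str, port: int, client_version: str, timeout: float = 5.0) -> str:
    """Handshake pinned to one TLS version; returns 'accepted', 'rejected' or 'unreachable'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing version negotiation, not the certificate chain
    ctx.minimum_version = ctx.maximum_version = PROBE_VERSIONS[client_version]
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # let a modern OpenSSL still offer TLSv1.0/1.1
    except ssl.SSLError:
        pass
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "accepted"
    except OSError:  # protocol_version alert, reset or timeout during the handshake
        return "rejected"
    finally:
        raw.close()

def findings(min_version: str, observed: dict) -> list:
    """Compare {(port, client_version): result} with the configured minimum; one line per mismatch."""
    out = []
    for (port, ver), result in sorted(observed.items()):
        if result == "unreachable":
            continue
        want = expected_accept(min_version, ver)
        if want != (result == "accepted"):
            out.append(f"port {port}: TLSv{ver} {result}, expected "
                       f"{'accepted' if want else 'rejected'} with min-version {min_version}")
    return out

def audit(host: str, min_version: str, ports=CUC_TLS_PORTS) -> list:
    """Probe every port with every client version; run once per cluster node."""
    return findings(min_version, {(p, v): probe(host, p, v) for p in ports for v in PROBE_VERSIONS})
```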
References
Security Guide for Cisco Unity Connection 12.0(1): https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/12x/security/b_12xcucsecx.html
CLI Reference Guide for Cisco Unified Communications Solutions: http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-maintenance-guides-list.html
Supported Interfaces
Interface | Port | Remarks
Tomcat | 8443, 443, 8444 | Both client and administrative workstations connect to these ports. Supported browsers are Internet Explorer (IE), Mozilla and Chrome.
Jetty | 7443 | Notifications of changes to Unity Connection voice messages. Interfaces using this port are Single Inbox and Jabber.
IMAP | 143, 993 | IMAP clients such as Outlook connect to Unity Connection.
SMTP | 25 | SMTP clients such as Thunderbird connect to Unity Connection.
SIP | 5061-5199 | Unity Connection SIP control traffic, handled by the Conversation Manager. Supported clients include Call Manager.
LDAP | 636 | LDAP is an outbound interface that also honors the TLS version configured on Unity Connection.