Cisco Unity Connection Minimum TLS Version Support EDCS - 11528243 JAN 01 2017

Notice The information in this presentation is provided under Non-Disclosure agreement and should be treated as Cisco Confidential. Under no circumstances is this information to be shared further without the express consent of Cisco. Any roadmap item is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.

Abbreviations CLI – Command Line Interface CUC – Cisco Unity Connection TLS – Transport Layer Security

Agenda Introduction What’s New Configuration Demo Troubleshooting Tips References

Introduction

Introduction Cisco Collaboration Products use TLSv1.0, transport layer encryption for signaling and client server communication which is no longer considered as secure. Hence Products are required to support TLSv1.2 and restrict TLS negotiation over a less secure encryption version (e.g., TLSv1.0) Example: If a browser on TLSv1.0 tries to connect to a server that’s supports TLSv1.2, then browser will not be able to establish connection with the server

What's New CUC already supports TLSv1.0, TLSv1.1,TLSv1.2 . However, there was no way to restrict TLS negotiations to a minimum TLS version. Release 12.0 onwards, System Administrator can configure minimum TLS version. It can be configured via admin CLI command, admin: set tls min-version <tls minVersion> Once “minimum TLS version” is set, all negotiations will happens only if peer supports Configured TLS version Or, Higher version This is applicable for inbound interfaces supported by CUC. For list of all supported Interfaces, refer “IP Communications Required by Cisco Unity Connection” Chapter of “Security Guide for Cisco Unity Connection Release 12.x “ available at Chapter https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/security/b_12xcucsecx/b_12xcucsecx_chapter_00.html

Configuration

Configuring Minimum TLS version To configure minimum TLS version, use below CLI admin: set tls min-version <tls minVersion> Where value for ‘tls minVersion’ can either be 1.0 or 1.1 or 1.2 Example: set tls min-version 1.1 Note: On Cluster, above CLI MUST be executed on both nodes explicitly

Demo

Scenario 1:Connect Server (TLSv1.2) with any browser on TLSv1.2 Set TLS version as “TLSv1.2” in CUC, reboot the system Check TLS version with CLI, admin: show tls min-version Connect any browser (TLSv1.2) to server Wireshark Snapshot : Handshaking is successful

Scenario 2:Connect Server (TLSv1.1) with any browser on TLSv1.0 Set TLS version as “TLSv1.1” in CUC, reboot the system Check TLS version with CLI, admin: show tls min-version Connect any browser (TLSv1.0) to server . Below error can be seen in Internet Explorer. Wireshark Snapshot : Handshaking failed

Troubleshooting Tips

Troubleshooting Annotated Logs Problem Statement 1: If any secure connection fails after setting Minimum TLS version, which was working earlier Action Required: Check if the peer supports TLS version greater than or equal to configured minimum TLS value To verify on CUC, use CLI show tls min-version Annotated Logs Wiki: Annotated diagnostics for Minimum TLS Configuration

References Security Guide For Cisco Unity Connection 12.0 (1) https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/12x/sec urity/b_12xcucsecx.html CLI Reference Guide for Cisco Unified Communications Solutions: http://www.cisco.com/c/en/us/support/unified-communications/ unified- communications-manager-callmanager/products-maintenance-guides- list.html

Supported Interfaces Interface Port Remarks Tomcat 8443,443,8444 Both client and administrative workstations connect to these ports. Supported browsers are Internet Explorer (IE), Mozilla, Chrome Jetty 7443 Notifications of changes to Unity Connection voice messages. Such Interfaces are Single Inbox, Jabber. IMAP 143,993 IMAP Clients such as Outlook make connection with Unity SMTP 25 SMTP Clients such as Thunderbird make connection with Unity SIP 5061-5199 Unity Connection SIP Control Traffic handled by conversation manager. Supported clients such as Call Manager. LDAP 636 LDAP is such outbound interface, which is honoring TLS version changed at unity connection.