
EDCS - 11528243 JAN 01 2017

Cisco Unity Connection Minimum TLS Version Support. EDCS - 11528243 JAN 01 2017. Notice

shirsch

Presentation Transcript


  1. Cisco Unity Connection Minimum TLS Version Support EDCS - 11528243 JAN 01 2017

  2. Notice The information in this presentation is provided under Non-Disclosure agreement and should be treated as Cisco Confidential. Under no circumstances is this information to be shared further without the express consent of Cisco. Any roadmap item is subject to change at the sole discretion of Cisco, and Cisco will have no liability for delay in the delivery or failure to deliver any of the products or features set forth in this document.

  3. Abbreviations
     • CLI – Command Line Interface
     • CUC – Cisco Unity Connection
     • TLS – Transport Layer Security

  4. Agenda
     • Introduction
     • What’s New
     • Configuration
     • Demo
     • Troubleshooting Tips
     • References

  5. Introduction

  6. Introduction
     • Cisco Collaboration products use TLSv1.0 for transport layer encryption of signaling and client-server communication; TLSv1.0 is no longer considered secure.
     • Hence products are required to support TLSv1.2 and to restrict TLS negotiation over a less secure version (e.g., TLSv1.0).
     • Example: If a browser on TLSv1.0 tries to connect to a server that supports TLSv1.2, the browser will not be able to establish a connection with the server.

  7. What's New
     • CUC already supports TLSv1.0, TLSv1.1 and TLSv1.2. However, there was no way to restrict TLS negotiations to a minimum TLS version.
     • From Release 12.0 onwards, the System Administrator can configure the minimum TLS version. It is configured via the admin CLI command:
       admin: set tls min-version <tlsminVersion>
     • Once the “minimum TLS version” is set, negotiation happens only if the peer supports:
       • the configured TLS version
       • or a higher version
     • This applies to the inbound interfaces supported by CUC. For the list of all supported interfaces, refer to the “IP Communications Required by Cisco Unity Connection” chapter of the “Security Guide for Cisco Unity Connection Release 12.x”, available at:
       https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/11x/security/b_12xcucsecx/b_12xcucsecx_chapter_00.html

  8. Configuration

  9. Configuring Minimum TLS version
     • To configure the minimum TLS version, use the CLI below:
       admin: set tls min-version <tlsminVersion>
     • The value for ‘tlsminVersion’ can be 1.0, 1.1 or 1.2.
     • Example: set tls min-version 1.1
     • Note: On a cluster, the above CLI MUST be executed on both nodes explicitly.

  10. Demo

  11. Scenario 1: Connect Server (TLSv1.2) with any browser on TLSv1.2
     • Set the TLS version to “TLSv1.2” in CUC and reboot the system.
     • Check the TLS version with the CLI:
       admin: show tls min-version
     • Connect any browser (TLSv1.2) to the server.
     • Wireshark snapshot: Handshaking is successful

  12. Scenario 2: Connect Server (TLSv1.1) with any browser on TLSv1.0
     • Set the TLS version to “TLSv1.1” in CUC and reboot the system.
     • Check the TLS version with the CLI:
       admin: show tls min-version
     • Connect any browser (TLSv1.0) to the server. The error below can be seen in Internet Explorer.
     • Wireshark snapshot: Handshaking failed

  13. Troubleshooting Tips

  14. Troubleshooting
     Problem Statement 1: A secure connection that was working earlier fails after the minimum TLS version is set.
     Action Required:
     • Check whether the peer supports a TLS version greater than or equal to the configured minimum TLS value.
     • To verify the configured value on CUC, use the CLI: show tls min-version
     Annotated Logs Wiki: Annotated diagnostics for Minimum TLS Configuration

  15. References
     • Security Guide For Cisco Unity Connection 12.0 (1): https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/connection/12x/security/b_12xcucsecx.html
     • CLI Reference Guide for Cisco Unified Communications Solutions: http://www.cisco.com/c/en/us/support/unified-communications/unified-communications-manager-callmanager/products-maintenance-guides-list.html

  16. Supported Interfaces
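
The troubleshooting check on slide 14 (does the peer support a version at or above the configured minimum?) can be answered from a packet capture by reading the highest version a client offers in its ClientHello. The Python below is an added example, not part of the Cisco presentation; the function names and the sample ClientHello bytes are constructed for illustration, and TLS 1.3 is recognised only so that newer clients are classified correctly.

```python
import struct

# Wire versions a client may offer; FLOOR holds the values `set tls min-version` accepts.
WIRE = {0x0301: "1.0", 0x0302: "1.1", 0x0303: "1.2", 0x0304: "1.3"}
FLOOR = {"1.0": 0x0301, "1.1": 0x0302, "1.2": 0x0303}

def client_max_version(record: bytes) -> int:
    """Highest TLS version offered in one raw ClientHello record."""
    ctype, _, rlen = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:5 + rlen]                 # skip record (5) + handshake (4) headers
    best = struct.unpack("!H", body[:2])[0]   # client_version field
    pos = 2 + 32                              # skip random
    pos += 1 + body[pos]                      # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                      # compression_methods
    if pos + 2 > len(body):
        return best                           # no extensions (typical of old clients)
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        if etype == 43:                       # supported_versions extension
            data = body[pos + 4:pos + 4 + elen]
            offered = struct.unpack(f"!{data[0] // 2}H", data[1:1 + data[0]])
            # ignore GREASE / unknown values, keep the highest known version
            best = max([best, *(v for v in offered if v in WIRE)])
        pos += 4 + elen
    return best

def meets_minimum(record: bytes, tls_min: str) -> bool:
    """True if the client's best offer is >= the configured minimum."""
    return client_max_version(record) >= FLOOR[tls_min]

def _hello(version: int, exts: bytes = b"") -> bytes:
    """Build a minimal ClientHello record (constructed sample, not a real capture)."""
    body = struct.pack("!H", version) + bytes(32) + b"\x00" + b"\x00\x02\x00\x2f" + b"\x01\x00"
    if exts:
        body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

TLS10_HELLO = _hello(0x0301)                  # browser limited to TLSv1.0
TLS12_HELLO = _hello(0x0303)                  # browser offering TLSv1.2
TLS13_HELLO = _hello(0x0303, b"\x00\x2b\x00\x07\x06\x7a\x7a\x03\x04\x03\x03")

if __name__ == "__main__":
    for name, rec in [("1.0 client", TLS10_HELLO), ("1.2 client", TLS12_HELLO)]:
        print(name, "offers", WIRE[client_max_version(rec)], "| ok at min 1.1:", meets_minimum(rec, "1.1"))
```

To use it on real traffic, pass the raw bytes of the first TLS record a client sends, exported from the capture.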
