cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Walkthrough Wednesdays
228
Views
0
Helpful
0
Replies
Highlighted
Rising star

7931G and 7965G: Will they support the switch to SHA256 under the new 12.5x CUCM releases?

Hi all,

 

We have 7931G and 7965G phones in our network. They authenticate via CAPF signed certificates (LSC) for SIP-Secure. 

At present they use SHA1 signed certificates.

 

According to this Cisco Live, both these models should support SHA2 certificates for LSC:

https://www.ciscolive.com/c/dam/r/ciscolive/us/docs/2018/pdf/BRKCOL-3501-LG.pdf 

 

"All endpoints support SHA2 signed LSCs, even those that otherwise don't support SHA2"

 

If upgrading to the new 12.5.x, the following appears under the security guide:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1/cucm_b_security-guide-1251/cucm_b_security-guide-1251_chapter_0111.html 

 

"Beginning from Unified Communications Manager Release 11.5(1) SU1, all the LSC certificates issued by CAPF service are signed with SHA-256 algorithm. Therefore, Cisco Unified IP Phone 7900 Series, 8900 Series, and 9900 Series supports SHA-256 signed LSC certificates and external SHA2 identity certificates (Tomcat, CallManager, CAPF, TVS, and so on). For any other cryptographic operation that require validation of signature, only SHA-1 is supported."

 

Would 7931G and 7965G be supported under mixed mode within a 12.5.x cluster? If there are any caveats, could you outline them? I couldn't find a document that enumerates which encrypted services are supported for each cipher per phone model.

 

Thanks!

 

0 REPLIES 0
Content for Community-Ad