CUCM 8.x cert verification disable on Phones?

Hi

I installed a Verisign cert for Tomcat on CUCM 7.1.3. Since my upgrade to 8.x (currently 8.5), I sometimes have cert problems on different phones, like:

3978: ERR 14:06:05.618914 SECD: EROR:processTvsSrvrResponse: Authentication Response received with status failure
3979: NOT 14:06:05.620763 SECD: sendRespToClient: Sent the response to the TVS client, len : 2056
3980: NOT 14:06:05.622441 SECD: clpTvsInit: No pending client connection - closing the TVS server socket : 13
3981: NOT 14:06:05.623478 SECD: clpClntRd: clnt closed conn to <10.248.2.16> c:14 s:15
3982: NOT 14:06:05.624192 SECD: clpDelClnt: closing conn to <10.248.2.16>, c:14, s:15
3983: NOT 14:06:05.625885 SECD: tvsReqAuthenticateCertificate: Received the response from TVS proxy, status: 1
3984: ERR 14:06:05.627949 SECD: Authentication failed for the HTTPS conn via TVS
3985: NOT 14:06:05.628730 SECD: srvr_cert_vfy:  ** srvr cert verify FAILED ** <10.248.2.16>
3986: ERR 14:06:05.629856 SECD: EROR:clpState: SSL3 alert write:fatal:handshake failure:<10.248.2.16>
3987: xxx 14:06:05.631664 SECD: clpDelClnt: Closing the local socket now

3988: ERR 14:06:05.634223 SECD: EROR:clpSetupSsl: ** SSL handshake failed, <10.248.2.16> c:10 s:9
3989: ERR 14:06:05.634995 SECD: EROR:clpSetupSsl: SSL/TLS handshake failed, <10.248.2.16> c:10 s:9
3990: ERR 14:06:05.635682 SECD: EROR:clpSetupSsl: SSL/TLS setup failed, <10.248.2.16> c:10 s:9
3991: ERR 14:06:05.636392 SECD: EROR:clpSndStatus: SSL CLNT ERR, srvr<10.248.2.16>
3992: ERR 14:06:05.637055 SECD: EROR:secErr_errStr:  *** bad err table ***
3993: ERR 14:06:05.637733 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
3994: ERR 14:06:05.638402 SECD: EROR:clpSndStatus: ** SEC-ERR: desc <HTTPS cert failed auth via TVS>

As far as I know, the TVS service should know which certs I use (they are successfully listed under "System->Security->Certifications") and it makes it possible for my phones to trust these certificates. But... you see.

Is it possible to disable the cert verification? It would be the simplest, easiest and shortest way for me.

Thanks for your help

PS: I know that's not a technical solution, but it is the easiest way.
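As an added example (not part of the thread or of any Cisco tooling), a small Python parser for the SECD lines quoted above: it splits each line into fields, pulls out the CUCM node address and the SEC-ERR code/subcode, and groups the TVS failures per node, so a batch of phone logs can be checked for the UNKNOWN_CERT pattern instead of being read by hand. The sample lines are copied from the post; the field layout regex is an assumption derived from those lines.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the phone's SECD log lines quoted in the post above.
SAMPLE_LOG = """\
3981: NOT 14:06:05.623478 SECD: clpClntRd: clnt closed conn to <10.248.2.16> c:14 s:15
3984: ERR 14:06:05.627949 SECD: Authentication failed for the HTTPS conn via TVS
3985: NOT 14:06:05.628730 SECD: srvr_cert_vfy:  ** srvr cert verify FAILED ** <10.248.2.16>
3986: ERR 14:06:05.629856 SECD: EROR:clpState: SSL3 alert write:fatal:handshake failure:<10.248.2.16>
3993: ERR 14:06:05.637733 SECD: EROR:secErr_errStr: ** SEC-ERR: code:3(N/A) subcode:9(UNKNOWN_CERT)
3994: ERR 14:06:05.638402 SECD: EROR:clpSndStatus: ** SEC-ERR: desc <HTTPS cert failed auth via TVS>
"""

# Assumed layout, taken from the lines above: "<seq>: <level> <hh:mm:ss.usec> <component>: <message>"
LINE_RE = re.compile(r"^(?P<seq>\d+): (?P<level>\S+) (?P<time>\d\d:\d\d:\d\d\.\d+) (?P<comp>\w+): (?P<msg>.*)$")
HOST_RE = re.compile(r"<(\d{1,3}(?:\.\d{1,3}){3})>")
SECERR_RE = re.compile(r"SEC-ERR: code:(\d+)\(([^)]*)\) subcode:(\d+)\(([^)]*)\)")

def parse_line(line):
    """Split one SECD line into fields; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["seq"] = int(rec["seq"])
    host = HOST_RE.search(rec["msg"])
    rec["host"] = host.group(1) if host else None
    err = SECERR_RE.search(rec["msg"])
    rec["sec_err"] = (int(err[1]), err[2], int(err[3]), err[4]) if err else None
    return rec

def summarize_tvs_failures(text):
    """Group TVS/HTTPS certificate failures by CUCM node address."""
    # SEC-ERR lines carry no address, so each event is attributed to the most
    # recently seen <ip> in the stream (a heuristic that holds for this log).
    summary = defaultdict(lambda: {"verify_failed": 0, "tvs_auth_failed": 0, "subcodes": set()})
    current_host = "unknown"
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        current_host = rec["host"] or current_host
        if "srvr cert verify FAILED" in rec["msg"]:
            summary[current_host]["verify_failed"] += 1
        if "Authentication failed for the HTTPS conn via TVS" in rec["msg"]:
            summary[current_host]["tvs_auth_failed"] += 1
        if rec["sec_err"]:
            summary[current_host]["subcodes"].add(rec["sec_err"][3])
    return {h: {**v, "subcodes": sorted(v["subcodes"])} for h, v in summary.items()}
```

A node that shows up with UNKNOWN_CERT across many phones is the signal to compare the phones' ITL against the certificate that node's TVS actually presents.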

3 Replies

Jonathan Schulenberg
Hall of Fame

You cannot really disable TVS; however, your Verisign certificate for Tomcat has nothing to do with TVS. When you upgraded to 8.0, an initial TVS certificate was generated on each CUCM cluster node and added to the tvs-trust store. An ITLFile.tlv file was generated, and all the phones take a leap of faith to download it after upgrading to the new firmware. This is similar to the CTLFile.tlv used with CAPF in mixed-mode environments. It contains the list of TVS certificates (generated during the upgrade) the phone should trust.

Now, if the phone has an ITLFile.tlv installed which does not include the current TVS certificate installed on the cluster, you will get errors like this because the phone does not trust the certificate presented by the TVS service. This happens most often on a phone that has been registered to a different 8.0+ cluster and got its ITLFile.tlv from there instead. After the initial download, any updates to the file must be signed with the same key as is present in the file the phone already has. You can erase the ITL under the phone's Security Configuration (**# to unlock). Once the file is removed, the phone will again take a leap of faith to download the ITLFile.tlv from TFTP.

Have you seen any way to automate this process for the phones to revoke the ITL? It seems like if you are not running a secure cluster, why use the cert anyway...

I have not; however, you can still use TVS with an otherwise non-secure cluster. The ITLFile.tlv and anything in the TVS-Trust store is entirely independent of CAPF/CTLFile.tlv. All TVS does is make HTTPS-based service URLs work.