Re: disable tls 1.0 and 1.1

elite2010 · ‎12-12-2023

Hi,

I want to enable support for TLS 1.2 and/or 1.3 and disable support for TLS 1.1. If not possible, at least disable TLS 1.0. The CUCM version is 11.5. Phone models include 7906, 7911, and 6901. All security profiles are set to non-secure

Thanks

b.winter · ‎12-12-2023

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/TLS/TLS-1-2-Configuration-Overview-Guide.html

But you should first check, if your phones support TLS 1.2 or higher. If not, you cannot disable it on CUCM just like that. And since your phones are EoL anyways, you should start by replacing them with 78xx or 88xx phones.

elite2010 · ‎12-12-2023

Hi

"But you should first check, if your phones support TLS 1.2 or higher"

Since all phone security profile and trunk security profile are set to non-secure , does it matter ?

Thanks

Roger Kallberg · ‎12-12-2023

Yes it matters. Otherwise @b.winter would not have mentioned it. For example the phones uses it to get the configuration from the CM, but also for other things.

b.winter · ‎12-12-2023

As @Roger Kallberg said, it does matter. There is more communication, than secure SIP / SCCP and sRTP. Just think about the directory services (personal, directory phone book, ...).
If you are sure, that the phones communicate completely unsecure, you can disable TLS 1.1 or lower. But nobody can give you a general yes or no, because this always depends on the individual environment and the configuration.