ILS TLS certificates - Verification error:26
03-30-2017 05:33 AM - edited 03-17-2019 09:56 AM
I am trying to set up ILS to use just TLS authentication; however, I am not able to get it working. Below is the error I see in the SDL logs on the Hub publisher. Is there a specific 'Key Usage' that the server is looking for in the certificates?
00000091.000 |12:17:31.563 |AppInfo |SdlSSLTCPListener::verify_cb pre-verified=0,cert verification errno=26,depth=0
00000092.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - Certificate verification failed:(Verification error:26)- unsupported certificate purpose for 10.82.67.168:36092
00000093.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - Certificate verification failed for 10.82.67.168:36092
00000094.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - Certificate verification failed:(Verification error:26)- unsupported certificate purpose for 10.82.67.168:36092
00000095.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - TLS protocol error(ssl reason code=internal error [68]),lib=SSL routines [20],fun=SSL_clear [164], errno=0 for 10.82.67.168:36092
00000096.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - TLS protocol error(ssl reason code=unknown state [255]),lib=SSL routines [20],fun=ssl3_accept [128], errno=0 for 10.82.67.168:36092
Just password authentication works. Certificates are internal CA signed and exchanged between the servers. CUCM Ver 11.5.1.12900-21.
03-30-2017 06:59 AM
What key usage and enhanced key usage does this certificate have?
java
if this helps, please rate
03-30-2017 07:06 AM
Below are those values from the spoke's certificate:
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
    Netscape Comment:
        OpenSSL Generated Server Certificate
    X509v3 Subject Key Identifier:
        14:CB:67:DB:06:2A:E4:64:9D:75:D4:24:9A:37:10:F9:4B:3A:7C:BC
    X509v3 Authority Key Identifier:
        keyid:29:1C:A3:1E:B5:84:A5:45:74:48:CC:17:D4:3A:05:A4:C5:26:27:23
        DirName:<Removed>
    X509v3 Key Usage:
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Subject Alternative Name:
        DNS:<Removed>
05-07-2017 06:53 AM
I have the same issue.
The SIP trunk from cluster B connects fine but the one from cluster A does not.
Cluster B is a single CUCM server with a Microsoft CA signed Callmanager certificate.
Cluster A is multiserver with a MultiSAN Callmanager certificate.
CUCM Ver 11.5.1.12900-21.
05-07-2017 10:20 PM
Make sure that your CA certificate template has the following KU and EKU:
Key Usage
Digital Signature, Key Encipherment, Data Encipherment, Key Agreement (b8)
EKU
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
IP security end system (1.3.6.1.5.5.7.3.5)
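
An added example (not part of the thread and not Cisco's code): a Python check over `openssl x509 -text -noout` output that compares a certificate with the KU/EKU template values in the reply above and with the client-purpose rules OpenSSL applies when it reports "unsupported certificate purpose". It assumes the hub's TLS stack uses OpenSSL's stock rules; `SPOKE_TEXT` is constructed from the extension dump posted earlier in the thread, and the function names are hypothetical.

```python
# Constructed sample: the spoke's extensions as posted earlier in the thread,
# in `openssl x509 -text -noout` layout.
SPOKE_TEXT = """\
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
    X509v3 Key Usage:
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
"""
# Template values from the reply above, spelled the way OpenSSL prints them.
TEMPLATE = {
    "Key Usage": {"Digital Signature", "Key Encipherment",
                  "Data Encipherment", "Key Agreement"},
    "Extended Key Usage": {"TLS Web Server Authentication",
                           "TLS Web Client Authentication", "IPSec End System"},
}

def parse_extensions(text):
    """Map each extension name to the set of values printed under it."""
    exts, name = {}, None
    for line in text.splitlines():
        s = line.strip()
        if s.endswith(":") or s.endswith(": critical"):
            name = s.split(":")[0].replace("X509v3 ", "")
            exts[name] = set()
        elif s and name:
            exts[name].update(v.strip() for v in s.split(","))
    return exts

def sslclient_problems(exts):
    """OpenSSL 'sslclient' purpose: an extension that is present must allow client use."""
    rules = [("Extended Key Usage", {"TLS Web Client Authentication"}),
             ("Key Usage", {"Digital Signature", "Key Agreement"}),
             ("Netscape Cert Type", {"SSL Client"})]
    return [f"{ext} has none of {sorted(need)}"
            for ext, need in rules if ext in exts and not exts[ext] & need]

def template_gaps(exts):
    """Template values missing from the certificate, per extension."""
    return {ext: want - exts.get(ext, set()) for ext, want in TEMPLATE.items()}

if __name__ == "__main__":
    spoke = parse_extensions(SPOKE_TEXT)
    print("client-purpose problems:", sslclient_problems(spoke))
    print("missing vs. template:", template_gaps(spoke))
```

To check a real certificate, pass the output of `openssl x509 -in cert.pem -text -noout` to `parse_extensions` in place of `SPOKE_TEXT`.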
