03-30-2017 05:33 AM - edited 03-17-2019 09:56 AM
I am trying to set up ILS to use just TLS authentication; however, I am not able to get it working. Below is the error I see in the SDL logs on the hub publisher. Is there a specific 'Key Usage' that the server is looking for in the certificates?
00000091.000 |12:17:31.563 |AppInfo |SdlSSLTCPListener::verify_cb pre-verified=0,cert verification errno=26,depth=0
00000092.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - Certificate verification failed:(Verification error:26)- unsupported certificate purpose for 10.82.67.168:36092
00000093.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - Certificate verification failed for 10.82.67.168:36092
00000094.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - Certificate verification failed:(Verification error:26)- unsupported certificate purpose for 10.82.67.168:36092
00000095.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - TLS protocol error(ssl reason code=internal error [68]),lib=SSL routines [20],fun=SSL_clear [164], errno=0 for 10.82.67.168:36092
00000096.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - TLS protocol error(ssl reason code=unknown state [255]),lib=SSL routines [20],fun=ssl3_accept [128], errno=0 for 10.82.67.168:36092
Just password authentication works. Certificates are internal CA signed and exchanged between the servers. CUCM Ver 11.5.1.12900-21.
03-30-2017 06:59 AM
What key usage and enhanced key usage does this certificate have?
03-30-2017 07:06 AM
Below are those values from the spoke's certificate
X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
    Netscape Comment:
        OpenSSL Generated Server Certificate
    X509v3 Subject Key Identifier:
        14:CB:67:DB:06:2A:E4:64:9D:75:D4:24:9A:37:10:F9:4B:3A:7C:BC
    X509v3 Authority Key Identifier:
        keyid:29:1C:A3:1E:B5:84:A5:45:74:48:CC:17:D4:3A:05:A4:C5:26:27:23
        DirName:<Removed>
    X509v3 Key Usage:
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Subject Alternative Name:
        DNS:<Removed>
05-07-2017 06:53 AM
I have the same issue.
The SIP trunk from cluster B connects fine, but the one from cluster A does not.
Cluster B is a single CUCM server with a Microsoft CA-signed CallManager certificate.
Cluster A is a multi-server cluster with a multi-SAN CallManager certificate.
CUCM Ver 11.5.1.12900-21.
05-07-2017 10:20 PM
Make sure that your CA Certificate Template has the following KU and EKU:
Key Usage
Digital Signature, Key Encipherment, Data Encipherment, Key Agreement (b8)
EKU
Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
IP security end system (1.3.6.1.5.5.7.3.5)
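Added example, not from any post in this thread: a shell script that reproduces the "unsupported certificate purpose" failure (OpenSSL verification error 26, X509_V_ERR_INVALID_PURPOSE) with a constructed throwaway CA. When the hub's listener accepts a TLS connection it verifies the spoke's certificate for OpenSSL's "sslclient" purpose, and that check looks at more than Key Usage and Extended Key Usage: a certificate that carries a Netscape Cert Type extension without the "SSL Client" bit is rejected for that purpose even when its EKU lists TLS Web Client Authentication. The certificate posted above shows "Netscape Cert Type: SSL Server" only, which is one condition that produces exactly this error, so the script issues two leaf certificates that differ only in that extension and runs `openssl verify` with both purposes against each. It assumes the openssl command-line tool is on the path; every name, path, key and certificate in it is constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce OpenSSL verification error 26
# ("unsupported certificate purpose") with a constructed throwaway CA and two
# leaf certificates that differ only in their Netscape Cert Type extension.
# A TLS listener verifies the peer's certificate for the "sslclient" purpose;
# OpenSSL rejects that purpose when nsCertType is present without the
# "SSL Client" bit, even if the EKU lists TLS Web Client Authentication.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Throwaway CA (all names are made up for this example).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Example Throwaway CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 2 \
  -config "$WORK/ca.cnf" -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# Leaf profiles. "server_only" mirrors the extensions of the posted certificate
# (nsCertType = server, EKU serverAuth + clientAuth); "server_and_client"
# differs only in the Netscape Cert Type bits.
cat > "$WORK/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = spoke.example.test
[server_only]
basicConstraints = CA:FALSE
nsCertType = server
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:spoke.example.test
[server_and_client]
basicConstraints = CA:FALSE
nsCertType = server, client
keyUsage = digitalSignature, keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName = DNS:spoke.example.test
EOF
openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$WORK/leaf.cnf" \
  -keyout "$WORK/spoke.key" -out "$WORK/spoke.csr" 2>/dev/null

# issue <extension section> <serial>: sign the CSR with the throwaway CA,
# writing $WORK/<section>.pem.
issue() {
  openssl x509 -req -in "$WORK/spoke.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -set_serial "$2" -days 2 -sha256 -extfile "$WORK/leaf.cnf" -extensions "$1" \
    -out "$WORK/$1.pem" 2>/dev/null
}
issue server_only 1
issue server_and_client 2

# verify_purpose <cert.pem> <sslclient|sslserver>: succeed only if OpenSSL
# accepts the certificate for that purpose. The diagnostic is printed on
# stdout; the result is taken from the "<file>: OK" line rather than the exit
# code, which older openssl releases did not set reliably.
verify_purpose() {
  out="$(openssl verify -CAfile "$WORK/ca.pem" -purpose "$2" "$1" 2>&1 || true)"
  printf '%s\n' "$out"
  printf '%s\n' "$out" | grep -q ': OK$'
}

# Show the two extensions that matter and the verdict for each purpose.
for profile in server_only server_and_client; do
  printf '\n== %s.pem ==\n' "$profile"
  openssl x509 -in "$WORK/$profile.pem" -noout -text \
    | grep -A1 -E 'Netscape Cert Type|Extended Key Usage' || true
  for purpose in sslserver sslclient; do
    printf 'verify -purpose %s: ' "$purpose"
    verify_purpose "$WORK/$profile.pem" "$purpose" || true
  done
done
```

Run it as a plain script: the server_only profile passes `-purpose sslserver` and fails `-purpose sslclient` with "error 26 at 0 depth lookup: unsupported certificate purpose", while the server_and_client profile passes both. The same one-liner, `openssl verify -CAfile <ca.pem> -purpose sslclient <cert.pem>`, can be run against a real exported peer certificate to see whether it would be accepted as a TLS client before changing KU or EKU templates; if a CA template cannot omit or widen nsCertType, that extension is the first thing to compare between the cluster whose trunk works and the one whose trunk does not.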