ILS TLS certificates - Verification error:26

sheepate
Level 1

I am trying to set up ILS to use just TLS authentication, however I am not able to get it working. Below is the error I see in SDL logs on the Hub publisher. Is there a specific 'Key Usage' that the server is looking for in the certificates?

00000091.000 |12:17:31.563 |AppInfo |SdlSSLTCPListener::verify_cb pre-verified=0,cert verification errno=26,depth=0
00000092.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - Certificate verification failed:(Verification error:26)- unsupported certificate purpose for 10.82.67.168:36092
00000093.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - Certificate verification failed for 10.82.67.168:36092
00000094.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - Certificate verification failed:(Verification error:26)- unsupported certificate purpose for 10.82.67.168:36092
00000095.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - TLS protocol error(ssl reason code=internal error [68]),lib=SSL routines [20],fun=SSL_clear [164], errno=0 for 10.82.67.168:36092
00000096.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - TLS protocol error(ssl reason code=unknown state [255]),lib=SSL routines [20],fun=ssl3_accept [128], errno=0 for 10.82.67.168:36092

Just password authentication works. Certificates are internal-CA-signed and exchanged between the servers. CUCM Ver 11.5.1.12900-21.

4 Replies

Jaime Valencia
Cisco Employee

What key usage and enhanced key usage does this certificate have?

HTH

java

if this helps, please rate

Below are those values from the spoke's certificate:

X509v3 extensions:
    X509v3 Basic Constraints:
        CA:FALSE
    Netscape Cert Type:
        SSL Server
    Netscape Comment:
        OpenSSL Generated Server Certificate
    X509v3 Subject Key Identifier:
        14:CB:67:DB:06:2A:E4:64:9D:75:D4:24:9A:37:10:F9:4B:3A:7C:BC
    X509v3 Authority Key Identifier:
        keyid:29:1C:A3:1E:B5:84:A5:45:74:48:CC:17:D4:3A:05:A4:C5:26:27:23
        DirName:<Removed>
    X509v3 Key Usage:
        Digital Signature, Key Encipherment, Data Encipherment
    X509v3 Extended Key Usage:
        TLS Web Server Authentication, TLS Web Client Authentication
    X509v3 Subject Alternative Name:
        DNS:<Removed>

I have the same issue.

The SIP trunk from cluster B connects fine but that from cluster A does not.

Cluster B is a single CUCM server with a Microsoft-CA-signed CallManager certificate.

Cluster A is a multi-server cluster with a multi-SAN CallManager certificate.

CUCM Ver 11.5.1.12900-21.

Make sure that your CA certificate template has the following KU and EKU:

Key Usage

Digital Signature, Key Encipherment, Data Encipherment, Key Agreement (b8)

EKU

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
IP security end system (1.3.6.1.5.5.7.3.5)
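The hub log in the original post shows the failure at depth=0, i.e. on the spoke's own leaf certificate, and error 26 is OpenSSL's X509_V_ERR_INVALID_PURPOSE, raised by X509_check_purpose. ILS peers act as TLS client and TLS server towards each other, so each CallManager certificate must pass both the "sslclient" and the "sslserver" purpose check. Besides EKU and KU, OpenSSL's purpose check also consults the Netscape Cert Type extension when it is present, and the spoke certificate posted above carries "SSL Server" only. The script below is an added example, not code from the thread or from Cisco: it hand-decodes the three extension values and applies the purpose rules, so it runs without the cryptography library. The DER bytes are constructed to match the extension values posted in the thread and the recommended template in the last reply; the rules in check_purpose are my reading of check_purpose_ssl_client / check_purpose_ssl_server in OpenSSL's v3_purp.c, and the exact KU bit sets differ slightly between OpenSSL releases.

```python
"""Added example: reproduce OpenSSL's leaf-certificate purpose check, the test that
fails with X509_V_ERR_INVALID_PURPOSE (26, "unsupported certificate purpose").
The extension values below are hand-built DER (constructed for this example)."""

X509_V_ERR_INVALID_PURPOSE = 26  # OpenSSL error number seen in the SDL log

# Bit names in MSB-first order (RFC 5280 4.2.1.3 and the Netscape cert-type extension)
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
           "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]
NS_BITS = ["client", "server", "email", "objsign", "reserved", "sslCA", "emailCA", "objCA"]
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "serverAuth", "1.3.6.1.5.5.7.3.2": "clientAuth",
             "1.3.6.1.5.5.7.3.5": "ipsecEndSystem"}

# Constructed DER matching the spoke certificate in the thread: KU = digitalSignature,
# keyEncipherment, dataEncipherment (0xb0); EKU = serverAuth + clientAuth;
# Netscape Cert Type = SSL Server only (0x40)
SPOKE_KU_DER = bytes.fromhex("030204b0")
SPOKE_EKU_DER = bytes.fromhex("301406082b0601050507030106082b06010505070302")
SPOKE_NS_DER = bytes.fromhex("03020640")
# Constructed DER for the template recommended in the last reply (KU 0xb8, three EKUs)
FIXED_KU_DER = bytes.fromhex("030203b8")
FIXED_EKU_DER = bytes.fromhex("301e06082b0601050507030106082b0601050507030206082b06010505070305")


def _tlv(der, offset=0):
    """Parse one DER tag-length-value; return (tag, value, offset_after)."""
    tag = der[offset]
    length = der[offset + 1]
    pos = offset + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, der[pos:pos + length], pos + length


def decode_bit_string(der, names):
    """Decode a DER BIT STRING into the set of named bits that are set."""
    tag, value, _ = _tlv(der)
    if tag != 0x03:
        raise ValueError("expected BIT STRING")
    unused, body = value[0], value[1:]
    nbits = 8 * len(body) - unused
    bits = int.from_bytes(body, "big")
    width = 8 * len(body)
    return {name for i, name in enumerate(names) if i < nbits and (bits >> (width - 1 - i)) & 1}


def _decode_oid(value):
    arcs = [value[0] // 40, value[0] % 40]
    acc = 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_eku(der):
    """Decode ExtendedKeyUsage (SEQUENCE OF OID) into a set of names / dotted OIDs."""
    tag, value, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    oids, pos = set(), 0
    while pos < len(value):
        t, v, pos = _tlv(value, pos)
        if t != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        oid = _decode_oid(v)
        oids.add(EKU_NAMES.get(oid, oid))
    return oids


def check_purpose(ku, eku, ns, purpose):
    """Return None if a leaf (non-CA) cert is acceptable for purpose, else the reason
    OpenSSL rejects it.  An absent extension (None) never causes rejection."""
    if purpose == "sslclient":
        if eku is not None and "clientAuth" not in eku:
            return "EKU lacks clientAuth"
        if ku is not None and not ku & {"digitalSignature", "keyAgreement"}:
            return "KU lacks digitalSignature/keyAgreement"
        if ns is not None and "client" not in ns:
            return "nsCertType lacks SSL Client"
    elif purpose == "sslserver":
        if eku is not None and "serverAuth" not in eku:
            return "EKU lacks serverAuth"
        if ns is not None and "server" not in ns:
            return "nsCertType lacks SSL Server"
        if ku is not None and not ku & {"digitalSignature", "keyEncipherment"}:
            return "KU lacks digitalSignature/keyEncipherment"
    else:
        raise ValueError("unknown purpose")
    return None


def verify_leaf(ku_der, eku_der, ns_der, purpose):
    """Decode the extensions (any may be None) and return (errno, reason) like verify_cb."""
    ku = decode_bit_string(ku_der, KU_BITS) if ku_der else None
    eku = decode_eku(eku_der) if eku_der else None
    ns = decode_bit_string(ns_der, NS_BITS) if ns_der else None
    reason = check_purpose(ku, eku, ns, purpose)
    return (X509_V_ERR_INVALID_PURPOSE, reason) if reason else (0, "ok")


if __name__ == "__main__":
    # ILS peers are client and server to each other, so both purposes must pass.
    for label, ku, eku, ns in [("spoke cert from thread", SPOKE_KU_DER, SPOKE_EKU_DER, SPOKE_NS_DER),
                               ("recommended template", FIXED_KU_DER, FIXED_EKU_DER, None)]:
        for purpose in ("sslclient", "sslserver"):
            print(label, purpose, verify_leaf(ku, eku, ns, purpose))
```

Run against the spoke values, the certificate passes "sslserver" but fails "sslclient" because of the server-only Netscape Cert Type, which is the direction the hub is verifying when the spoke connects. On a real certificate the same table can be printed with `openssl x509 -purpose -noout -in cert.pem`; "SSL client : Yes" and "SSL server : Yes" must both appear for an ILS peer, and when issuing from an OpenSSL CA either drop nsCertType from the extension section or set it to "client, server".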
