ILS TLS certificates - Verification error:26

I am trying to set up ILS to use just TLS authentication, however I am not able to get it working. Below is the error I see in SDL logs on the Hub publisher. Is there a specific 'Key Usage' that the server is looking for in the certificates?

00000091.000 |12:17:31.563 |AppInfo |SdlSSLTCPListener::verify_cb pre-verified=0,cert verification errno=26,depth=0
00000092.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - Certificate verification failed:(Verification error:26)- unsupported certificate purpose for 10.82.67.168:36092
00000093.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - Certificate verification failed for 10.82.67.168:36092
00000094.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - Certificate verification failed:(Verification error:26)- unsupported certificate purpose for 10.82.67.168:36092
00000095.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - TLS protocol error(ssl reason code=internal error [68]),lib=SSL routines [20],fun=SSL_clear [164], errno=0 for 10.82.67.168:36092
00000096.000 |12:17:31.563 |AppInfo |[1, 600, 17, 1]: HandleSSLError - TLS protocol error(ssl reason code=unknown state [255]),lib=SSL routines [20],fun=ssl3_accept [128], errno=0 for 10.82.67.168:36092

Just password authentication works. Certificates are internal CA signed and exchanged between the servers. CUCM Ver 11.5.1.12900-21.

Hall of Fame Cisco Employee

What key usage and enhanced key usage does this certificate have?

HTH

java

if this helps, please rate

Below are those values from the spoke's certificate

X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Server
Netscape Comment:
OpenSSL Generated Server Certificate
X509v3 Subject Key Identifier:
14:CB:67:DB:06:2A:E4:64:9D:75:D4:24:9A:37:10:F9:4B:3A:7C:BC
X509v3 Authority Key Identifier:
keyid:29:1C:A3:1E:B5:84:A5:45:74:48:CC:17:D4:3A:05:A4:C5:26:27:23
DirName:<Removed>

X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication, TLS Web Client Authentication
X509v3 Subject Alternative Name:
DNS:<Removed>


I have the same issue.

The SIP trunk from cluster B connects fine but that from cluster A does not.

Cluster B is a single CUCM server with Microsoft CA signed Callmanager certificate

Cluster A is multiserver with MultiSAN Callmanager certificate.

CUCM Ver 11.5.1.12900-21.


Make sure that your CA Certificate Template has the following KU and EKU

Key Usage

Digital Signature, Key Encipherment, Data Encipherment, Key Agreement (b8)

EKU

Server Authentication (1.3.6.1.5.5.7.3.1)
Client Authentication (1.3.6.1.5.5.7.3.2)
IP security end system (1.3.6.1.5.5.7.3.5)
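As an added, constructed example (not from the thread or from Cisco): the shell script below builds two self-signed test certificates with openssl, one carrying the extension set shown in the spoke's dump above (including Netscape Cert Type: SSL Server) and one carrying the KU/EKU template from the last reply, and runs OpenSSL's own purpose check on each. The hub listener is verifying the connecting spoke as a TLS client, so `sslclient` is the purpose that matters; a cert whose Netscape Cert Type lists only "SSL Server" fails that check with error 26 (X509_V_ERR_INVALID_PURPOSE, "unsupported certificate purpose") even though its EKU includes client authentication. Assumes OpenSSL 1.1.1 or later (for -addext); certificate names and paths are made up.

```shell
#!/bin/sh
# Constructed example: reproduce "Verification error:26" (X509_V_ERR_INVALID_PURPOSE)
# with OpenSSL's own purpose check. Needs OpenSSL 1.1.1+ (-addext). Not from the thread.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME KEYUSAGE EKU [NSCERTTYPE]: self-signed RSA test cert at $WORK/NAME.pem
make_cert() {
  name=$1; ku=$2; eku=$3; nsct=$4
  if [ -n "$nsct" ]; then set -- -addext "nsCertType=$nsct"; else set --; fi
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$name" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
    -addext "keyUsage=$ku" -addext "extendedKeyUsage=$eku" "$@" >/dev/null 2>&1
}

# purpose_error PEM PURPOSE: prints 0 if the cert is usable for PURPOSE
# (sslclient|sslserver), otherwise the X509 verify error number, e.g. 26.
purpose_error() {
  out=$(openssl verify -purpose "$2" -CAfile "$1" "$1" 2>&1) && { echo 0; return 0; }
  echo "$out" | sed -n 's/.*error \([0-9]*\) at .*/\1/p' | head -n 1
}

# Same extension set as the spoke certificate in the thread: EKU lists client auth,
# but Netscape Cert Type is "SSL Server" only.
make_cert spoke "digitalSignature,keyEncipherment,dataEncipherment" \
  "serverAuth,clientAuth" server

# KU/EKU template from the last reply (Key Agreement, IPsec end system OID), no nsCertType.
make_cert fixed "digitalSignature,keyEncipherment,dataEncipherment,keyAgreement" \
  "serverAuth,clientAuth,1.3.6.1.5.5.7.3.5"

# The hub verifies a connecting spoke as a TLS client, so sslclient is the purpose to check.
echo "spoke as sslserver: $(purpose_error "$WORK/spoke.pem" sslserver)"   # 0
echo "spoke as sslclient: $(purpose_error "$WORK/spoke.pem" sslclient)"   # 26
echo "fixed as sslclient: $(purpose_error "$WORK/fixed.pem" sslclient)"   # 0
```

To check a real certificate the same way, point `purpose_error` at it and pass the issuing CA chain to `-CAfile` instead of the cert itself.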