Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2597
Views
30
Helpful
5
Replies

CUBE TLS problem third party SBC

Go to solution
mmoulson1
Level 4
Level 4

‎02-24-2021 02:54 AM

We are trying to setup a SIP trunk between a CUBE and a third party SBC using TLS and self signed certs.

 

I am following this guide:

https://www.cisco.com/c/en/us/support/docs/unified-communications/unified-border-element/212090-Configure-SIP-TLS-between-CUCM-CUBE-CUBE.pdf

 

There really is not much to the config from the CUBE side. When running the debugs mentioned in the above I get a couple of errors:

TLS 1.2 Alert [length 0002], fatal handshake_failure

SSL routines:ssl3_get_client_hello:no shared cipher

 

As a test I setup TLS on another spare CUBE and created a trunk between the two and that works fine so the issue has to be the way the third party SBC and the CUBE are trying to setup TLS.

Labels:
1 Accepted Solution

Accepted Solutions

Go to solution
mmoulson1
Level 4
Level 4

‎02-24-2021 05:47 AM

Looks like the "no shared cipher" is exactly the issues:

pcap cipher suites.png

The hello from the third party to the CUBE on the left vs the right CUBE to the third party.

 

They done have a cipher that matches.

 

Is there anyway to change to config on the CUBE to it offers a specific cipher? TLS_RSA_WITH_AES_128_GCM_SHA256 obviously.

View solution in original post

0 Helpful
5 Replies 5

Go to solution
mmoulson1
Level 4
Level 4

‎02-24-2021 05:47 AM

Looks like the "no shared cipher" is exactly the issues:

pcap cipher suites.png

The hello from the third party to the CUBE on the left vs the right CUBE to the third party.

 

They done have a cipher that matches.

 

Is there anyway to change to config on the CUBE to it offers a specific cipher? TLS_RSA_WITH_AES_128_GCM_SHA256 obviously.

0 Helpful

Go to solution
Scott Leport
Level 7
Level 7
In response to mmoulson1

‎02-25-2021 12:01 PM

Hi,

 

Does this link help? See the options for the crypto signaling default command under the sip-ua:

 

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/voi-cube-sip-tls.html

 

 

Go to solution
Gregory Brunn
Spotlight
Spotlight
In response to Scott Leport

‎02-25-2021 12:27 PM

I was about to send the same one..

https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/voice/cube/configuration/cube-book/voi-cube-sip-tls.html


Prior to release Cisco IOS15.6(1)T, CUBE supported TLS v1.0 with the following cipher suites:

SSL_RSA_WITH_RC4_128_MD5

TLS_RSA_WITH_AES_128_CBC_SHA

CUBE supports only the mandatory cipher suites for TLS implementation. From Cisco IOS15.6(1)T release onwards, CUBE supports TLS v1.2 which is backward compatible. Following are the cipher suites added:

TLS_DHE_RSA_WITH_AES_128_CBC_SHA1

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384

Following cipher suites are added in the Cisco IOS XE Amsterdam 17.3.1a release:

TLS_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Go to solution
Gregory Brunn
Spotlight
Spotlight
In response to Gregory Brunn

‎02-25-2021 12:30 PM

Can you ask the other side to add additional ciphers in why are they set on just that one?

0 Helpful

Go to solution
mmoulson1
Level 4
Level 4
In response to Gregory Brunn

‎03-19-2021 04:11 AM

We did reach out to the third party and they have patched their software to offer additional ciphers.

0 Helpful
Customers Also Viewed These Support Documents