Problem with TLS & sRTP between IOS GW and CUCM

Young Chan Lee
Level 1

Hello Expert.

I have a problem with TLS & sRTP between the IOS GW and CUCM.

I use a self-signed certificate on the C3945 and upload it to CUCM (Callmanager.trust).

And I download callmanager.pem and insert it into the C3945.

When I make a call, I receive an error like the one below.

Please help me!

Thanks!

- GW Model : Cisco 3945

- Version : c3900-universalk9-mz.SPA.152-4.M2.bin

- CUCM version : 9.1.1

1. GW Debugging

Apr  5 02:01:22.587: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_initiate_handshake:

Created a child process 118 for TLS handshake

Apr  5 02:01:22.587: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_initiate_handshake:

Socket: 0 handed off to child socket 0

Apr  5 02:01:22.587: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_initiate_handshake:

SIPSCTX passed to the child process 118

Apr  5 02:01:22.587: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_handshake_proc:

child proc: Local socket fd 0

Apr  5 02:01:22.587: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_handshake_proc:

Associated socket 0 in child proc

Apr  5 02:01:22.587: opssl_SetPKIInfo entry

Apr  5 02:01:22.587: opssl_SetPKIInfo done.

Apr  5 02:01:22.587: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_handshake_proc:

Entering HANDSHAKE sip_ctx 0x163ADCBC p_index 3

Apr  5 02:01:22.587: Handshake start: before/accept initialization

Apr  5 02:01:22.587: SSL_accept:before/accept initialization

Apr  5 02:01:22.591: <<< TLS 1.0 Handshake [length 0035], ClientHello

Apr  5 02:01:22.591:     01 00 00 31 03 01 51 5E 30 72 D4 D8 06 2F E1 26

Apr  5 02:01:22.591:     8A 61 8D 12 27 BA E9 DD 3C 2E 94 36 C8 A4 55 45

Apr  5 02:01:22.591:     0E 0D 04 F3 53 B9 00 00 04 00 2F 00 FF 01 00 00

Apr  5 02:01:22.591:     04 00 23 00 00

Apr  5 02:01:22.591:

Apr  5 02:01:22.591: SSL_accept:SSLv3 read client hello A

Apr  5 02:01:22.591: >>> TLS 1.0 Handshake [length 0051], ServerHello

Apr  5 02:01:22.591:     02 00 00 4D 03 01 51 5E 30 72 2C 8A A7 81 B2 6B

Apr  5 02:01:22.591:     7B 57 77 5D E3 EA FA 37 EF 1A 99 B7 A0 4D 78 F5

Apr  5 02:01:22.591:     6F 63 A5 40 73 6A 20 A8 94 85 EA 46 71 06 6C 9F

Apr  5 02:01:22.591:     59 9C DB 35 81 A2 96 A8 DA 3B 5C 7A 11 2A 1F 92

Apr  5 02:01:22.591:     83 9B 84 9F DC 13 95 00 2F 00 00 05 FF 01 00 01

Apr  5 02:01:22.591:     00

Apr  5 02:01:22.591:

Apr  5 02:01:22.591: SSL_accept:SSLv3 write server hello A

Apr  5 02:01:22.591: >>> TLS 1.0 Handshake [length 01F9], Certificate

Apr  5 02:01:22.591:

Apr  5 02:01:22.591: SSL_accept:SSLv3 write certificate A

Apr  5 02:01:22.591: >>> TLS 1.0 Handshake [length 000C], CertificateRequest

Apr  5 02:01:22.591:     0D 00 00 04 01 01 00 00 0E 00 00 00

Apr  5 02:01:22.591:

Apr  5 02:01:22.591: SSL_accept:SSLv3 write certificate request A

Apr  5 02:01:22.591: SSL_accept:SSLv3 flush data

Apr  5 02:01:22.595: <<< TLS 1.0 Handshake [length 02B6], Certificate

Apr  5 02:01:22.599:

Apr  5 02:01:22.599: >>> TLS 1.0 Alert [length 0002], fatal bad_certificate

Apr  5 02:01:22.599:     02 2A

Apr  5 02:01:22.599:

Apr  5 02:01:22.599: SSL3 alert write:fatal:bad certificate

Apr  5 02:01:22.599: SSL_accept:error in SSLv3 read client certificate C

Apr  5 02:01:22.599: 0:error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_srvr.c:2668:

Apr  5 02:01:22.599: //-1/xxxxxxxxxxxx/SIP/Error/sip_tls_tcp_handshake_proc:

child process: -6992

Apr  5 02:01:22.599: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_handshake_proc:

Exiting HANDSHAKE sip_ctx 0x163ADCBC p_index 3

Apr  5 02:01:22.599: //-1/xxxxxxxxxxxx/SIP/Info/sip_tcp_tls_handshake_failure:

In sip_tcp_tls_handshake_failure

Apr  5 02:01:22.599: //-1/xxxxxxxxxxxx/SIP/Info/sip_tcp_tls_handshake_failure:

Server Failure: Closing child socket fd: 0

Apr  5 02:01:22.599: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_purge_entry: Socket fd: 0 closed for connid 3 with address: 130.1.14.13, remote port: 44132

Apr  5 02:01:22.599: //-1/xxxxxxxxxxxx/SIP/Info/sip_tls_tcp_purge_entry: TLS Handshake child process killed

2. GW Configuration

crypto pki trustpoint CCM-Cert

enrollment terminal

revocation-check none

!

crypto pki trustpoint CCM-SIP-1

enrollment selfsigned

serial-number none

fqdn none

subject-name CN=SIP-GW

revocation-check none

rsakeypair SIP-GW-KEY

!

!

crypto pki certificate chain CCM-Cert

certificate ca 67D4A107B26A3FA13F666AF78A613562

        quit

crypto pki certificate chain CCM-SIP-1

certificate self-signed 01

        quit

!

dial-peer voice 100 voip

description ## DNIS TO RP CUCMSUB1 ##

destination-pattern 2....$

session protocol sipv2

session target ipv4:130.1.14.12:5061

session transport tcp tls

voice-class codec 10 

dtmf-relay rtp-nte

no vad

!

sip-ua

crypto signaling remote-addr 130.x.x.0 255.255.255.0 trustpoint CCM-SIP-1 strict-cipher

!

voice service voip

srtp fallback

allow-connections h323 to h323

allow-connections h323 to sip

allow-connections sip to h323

allow-connections sip to sip

sip

  bind control source-interface Loopback0

  bind media source-interface Loopback0

  session transport tcp tls

  url sips

!

voice class codec 10

codec preference 1 g711ulaw

codec preference 2 g711alaw

!

3. CUCM Configuration

- Certificate

K-161.jpg

- SIP Security Profile

K-158.jpg

- SIP Trunk

K-160.jpg

Thanks!
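
As an added example (not part of the original post), a small Python parser for the handshake trace format in the GW debug above: it lists each TLS record with its direction and decodes the two-byte alert body. The sample lines are excerpted from the post's debug output; the function names and the alert table are illustrative choices.

```python
import re

# Excerpt of the gateway debug in this post (certificate hex dumps left out).
SAMPLE = """\
Apr  5 02:01:22.591: <<< TLS 1.0 Handshake [length 0035], ClientHello
Apr  5 02:01:22.591: >>> TLS 1.0 Handshake [length 0051], ServerHello
Apr  5 02:01:22.591: >>> TLS 1.0 Handshake [length 01F9], Certificate
Apr  5 02:01:22.591: >>> TLS 1.0 Handshake [length 000C], CertificateRequest
Apr  5 02:01:22.595: <<< TLS 1.0 Handshake [length 02B6], Certificate
Apr  5 02:01:22.599: >>> TLS 1.0 Alert [length 0002], fatal bad_certificate
Apr  5 02:01:22.599:     02 2A
"""

RECORD = re.compile(
    r"(<<<|>>>) TLS [\d.]+ (Handshake|Alert) \[length ([0-9A-Fa-f]{4})\], (.+)$")
HEXLINE = re.compile(r"^\w{3}\s+\d+\s+[\d:.]+:\s+((?:[0-9A-Fa-f]{2} ?)+)$")
LEVELS = {1: "warning", 2: "fatal"}  # TLS AlertLevel values
ALERTS = {40: "handshake_failure", 42: "bad_certificate",
          43: "unsupported_certificate", 44: "certificate_revoked",
          45: "certificate_expired", 46: "certificate_unknown", 48: "unknown_ca"}

def parse_trace(text):
    """Return one dict per TLS record; '>>>' is sent by the local side."""
    records = []
    for line in text.splitlines():
        line = line.rstrip()
        m = RECORD.search(line)
        if m:
            arrow, kind, length, name = m.groups()
            records.append({"direction": "sent" if arrow == ">>>" else "received",
                            "kind": kind, "length": int(length, 16),
                            "name": name, "body": b""})
            continue
        h = HEXLINE.match(line)
        if h and records:  # hex dump lines belong to the record above them
            records[-1]["body"] += bytes.fromhex(h.group(1))
    return records

def explain_alert(records):
    """Describe the first alert: sender, level, description, preceding message."""
    for i, rec in enumerate(records):
        if rec["kind"] == "Alert" and len(rec["body"]) >= 2:
            level, desc = rec["body"][0], rec["body"][1]
            prev = records[i - 1] if i else None
            return {"direction": rec["direction"],
                    "level": LEVELS.get(level, str(level)),
                    "description": ALERTS.get(desc, f"alert_{desc}"),
                    "after": f'{prev["direction"]} {prev["name"]}' if prev else None}
    return None
```

On the trace in this post it reports a fatal bad_certificate alert sent by the gateway immediately after it received the peer's Certificate message.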

