07-20-2011 11:57 PM - edited 03-17-2019 10:23 PM
Hello all!
I have a problem integrating Cisco VCS (X6.1) and Lync 2010.
I could not set up a VCS Control to Lync connection over TLS, but I did it with TCP.
If I try TLS, there are Event="Outbound TLS Negotiation Error", Detail="bad packet length" records in the VCS Control event log.
Both the VCS and Lync certificates are from the same trusted CA with their FQDNs as the subject names, and both the VCS and Lync FQDNs with PTRs are in DNS. Of course, the VCS and Lync FQDNs, which are the subjects of the certificates, are used in the VCS zone peer and the Lync trusted application destination host.
Calls to the VCS come from the IP of the Lync FEP. We don't use any HLB or Directors. Also, the VCS is standalone, without any balancers or clustering.
Signaling from Lync works, but as far as I can see, the VCS cannot send any data back.
Lync is on Server 2008 R2 x64.
Thanks for any suggestions!
08-25-2011 05:23 PM
Following up on the c20 post, which software image do you run on the VCS? The one with encryption:
s42700x6_1_0.tar.gz 21-Apr-2011 12:39 266M
or the one without encryption:
s42701x6_1_0.tar.gz 21-Apr-2011 12:43 266M
Please remember to rate helpful responses and identify
07-22-2011 12:42 AM
How did you try to convert the certificate for the VCS? If with openssl on the VCS X6.1, there is a bug and the cert would not work.
Besides that, recheck the IP/DNS config and what you find in:
07-22-2011 12:50 AM
Hello, Martin! Thanks for your answer!
Yes, I converted the certificate with openssl, exactly as described in "Cisco_VCS_Certificate_Creation_and_Use_Deployment_Guide":
openssl pkcs12 -in cert_inf.pfx -out cert_inf.pem
Also, I found on Google that there is a -nodes openssl option, which tells openssl not to encrypt the private key when exporting to .pem,
but I did not do this; I followed the instructions in the documentation.
I rechecked all of the IP/DNS/certificate settings many, many times.
Apparently, this is an openssl and VCS X6.1 bug, as you said.
How can I work around this?
Thanks for help!
07-22-2011 01:16 AM
Hi!
You can use, for example, another Linux box which supports the RC2 cipher which the .pfx file uses.
In general it's a VCS limitation, not an openssl bug; it's just that the installed version of openssl does not support RC2.
If you do not have any Linux machine with openssl, you can get yourself a Linux CD and run it
in a virtualization environment on your computer: http://www.ubuntu.com/download/ubuntu/download
Recent Debian / Ubuntu distributions worked fine for me.
Please vote for answers.
Ciphers on X6.1:
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb base64 bf bf-cbc bf-cfb
bf-ecb bf-ofb cast cast-cbc cast5-cbc
cast5-cfb cast5-ecb cast5-ofb des des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc4 rc4-40
And here on an Ubuntu system:
Cipher commands (see the `enc' command for more details)
aes-128-cbc aes-128-ecb aes-192-cbc aes-192-ecb aes-256-cbc
aes-256-ecb base64 bf bf-cbc bf-cfb
bf-ecb bf-ofb cast cast-cbc cast5-cbc
cast5-cfb cast5-ecb cast5-ofb des des-cbc
des-cfb des-ecb des-ede des-ede-cbc des-ede-cfb
des-ede-ofb des-ede3 des-ede3-cbc des-ede3-cfb des-ede3-ofb
des-ofb des3 desx rc2 rc2-40-cbc
rc2-64-cbc rc2-cbc rc2-cfb rc2-ecb rc2-ofb
rc4 rc4-40
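An added check to go with the RC2 point above (example code written for this thread, not code from its participants, from Cisco or from OpenSSL): before copying a Windows-exported .pfx to a box whose openssl lacks RC2, you can read which password-based encryption algorithms the PKCS#12 container actually uses. The script walks the DER structure, collects every object identifier it reaches and maps the PKCS#12 PBE identifiers (RFC 7292, Appendix C) and PBES2 (RFC 8018) to names. The SAMPLE_PFX it builds is a constructed stand-in with the shape of a Windows export (RC2-40 on the certificate bag, 3DES on the shrouded key bag) and placeholder ciphertext; it contains no real key or certificate.

```python
"""Report the PBE algorithms a PKCS#12 (.pfx) blob uses, and whether RC2 is among them.
Added example for this thread: a minimal DER walker, not a full PKCS#12 parser."""
import sys

PBE_NAMES = {                                   # RFC 7292 App. C and RFC 8018
    "1.2.840.113549.1.12.1.1": "pbeWithSHAAnd128BitRC4",
    "1.2.840.113549.1.12.1.2": "pbeWithSHAAnd40BitRC4",
    "1.2.840.113549.1.12.1.3": "pbeWithSHAAnd3-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.4": "pbeWithSHAAnd2-KeyTripleDES-CBC",
    "1.2.840.113549.1.12.1.5": "pbeWithSHAAnd128BitRC2-CBC",
    "1.2.840.113549.1.12.1.6": "pbeWithSHAAnd40BitRC2-CBC",
    "1.2.840.113549.1.5.13": "PBES2",
}
RC2_OIDS = {"1.2.840.113549.1.12.1.5", "1.2.840.113549.1.12.1.6"}


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos: (tag, constructed?, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length


def decode_oid(value):
    """Turn the content bytes of an OBJECT IDENTIFIER into dotted notation."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def _looks_like_der(buf):
    """True if buf is a SEQUENCE that parses as complete DER (a nested SafeContents)."""
    if not buf or buf[0] != 0x30:
        return False
    try:
        pos = 0
        while pos < len(buf):
            pos = _read_tlv(buf, pos)[3]
        return pos == len(buf)
    except IndexError:
        return False


def iter_oids(buf):
    """Yield every OID, descending into constructed nodes and DER-carrying OCTET STRINGs."""
    pos = 0
    while pos < len(buf):
        tag, constructed, value, pos = _read_tlv(buf, pos)
        if tag == 0x06:
            yield decode_oid(value)
        elif constructed or (tag == 0x04 and _looks_like_der(value)):
            yield from iter_oids(value)


def classify_pfx(buf):
    """List the PBE algorithms found and flag whether an RC2-less openssl would fail."""
    found = [oid for oid in iter_oids(buf) if oid in PBE_NAMES]
    return {"algorithms": [PBE_NAMES[o] for o in found],
            "needs_rc2": any(o in RC2_OIDS for o in found)}


# ---- constructed sample (placeholder ciphertext, no real key or certificate) ----
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(chunk)
    return der(0x06, bytes(body))


def _seq(*parts):
    return der(0x30, b"".join(parts))


def _pbe(oid):                                  # AlgorithmIdentifier + pkcs-12PbeParams
    return _seq(encode_oid(oid), _seq(der(0x04, b"\x01" * 8), der(0x02, b"\x08\x00")))


OID_DATA, OID_ENC = "1.2.840.113549.1.7.1", "1.2.840.113549.1.7.6"
OID_SHROUDED_BAG = "1.2.840.113549.1.12.10.1.2"
cert_safe = _seq(encode_oid(OID_ENC), der(0xA0, _seq(der(0x02, b"\x00"), _seq(
    encode_oid(OID_DATA), _pbe("1.2.840.113549.1.12.1.6"), der(0x80, b"\xde\xad\xbe\xef" * 4)))))
key_bag = _seq(encode_oid(OID_SHROUDED_BAG), der(0xA0, _seq(
    _pbe("1.2.840.113549.1.12.1.3"), der(0x04, b"\xca\xfe" * 8))))
key_safe = _seq(encode_oid(OID_DATA), der(0xA0, der(0x04, _seq(key_bag))))
SAMPLE_PFX = _seq(der(0x02, b"\x03"), _seq(encode_oid(OID_DATA),
                                            der(0xA0, der(0x04, _seq(cert_safe, key_safe)))))

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PFX
    print(classify_pfx(blob))
```

Run it with the path to a real .pfx as the only argument; with no argument it reports on the constructed sample. If needs_rc2 is true, the conversion has to happen on a system whose openssl lists rc2 (as in the Ubuntu output above) rather than on the VCS itself.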
07-22-2011 01:37 AM
Martin, I think you have not understood me.
I generated the PFX certificate chain with the private key exported from my own Microsoft CA,
then I converted the PFX to PEMs with openssl on an HP-UX machine, as described in the documentation.
Also, I found this: http://www.codesalot.com/2011/openssl-in-x6-0/
Now I am trying to completely generate the certificate for the VCS with openssl on HP-UX.
And yesterday I found this article:
http://blogs.msdn.com/b/scottos/archive/2009/04/03/resolved-ocs-2007-r2-pic-fails-against-aol.aspx
Your previous answer and this got me thinking.
Maybe I should arrange the ciphers on my Lync server in the correct order?
I don't know the necessary order to make it work...
And yet I read somewhere that "bad packet length" in TLS negotiation may mean that one of the parties does not understand zero-length packets.
11-18-2011 05:22 AM
Hi Evgeniy,
I'm trying to set up TLS between MS Lync and VCS. At this point I have a Microsoft CA, and I exported the root CA and imported it into the VCS OK. Now, as far as I know, I need to request VCS certificates from the Microsoft CA, but I have a problem with it: I'm not able to create a certificate that includes the cluster FQDN and the VCS's FQDN as subject name and subject alternative name, and I'm not able to export the certificate either. Can you tell me how it can be done?
Thanks.
11-23-2011 12:58 AM
Hello!
What exactly can you not do?
Actions may differ depending on the policy of your Microsoft CA.
Usually you should start mmc.exe, then Add/Remove Snap-in - Certificates - Computer account.
Go to Personal - Certificates.
Right-click - All Tasks - Advanced task - Create advanced certificate request.
Next - Next - select a cert template, for example "Web Server" - Next - expand "Details" - Properties; there enter all the information: Common Name, subject alternative names, and select "Make private key exportable" on the "Private Key" tab, and "Server authentication, Client authentication" under Extended Key Usage.
Then you can export the cert and private key into a PFX (once the cert has been enrolled by the CA).
11-23-2011 05:55 AM
Hi,
Now it is working. I had to enable export of the private key on the CA, and enable the addition of alternative names as well. Now it is working,
thanks,
07-26-2011 12:58 AM
I tried now to install a new Lync server on Server 2008 Std (not R2), and the situation remained the same.
I do not know what to think =(((
07-26-2011 03:29 AM
I also had something in mind, as if I once read something related to the OS,
but anyhow, if I see it right, Lync (and I think OCS R2) have to be on 64-bit servers,
so it must be 2008 R2 64-bit.
I found some article regarding a service pack on Win XP causing some TLS connection issue
with the same error.
Did you change anything regarding the defaults on your CA?
Could you try the openssl from Ubuntu instead of the one from HP-UX? Maybe it behaves differently.
If not, this other Linux box might be used to debug with openssl a bit further, ....
Besides that, try to follow the guides, ....
Maybe somebody else has seen the:
Event="Outbound TLS Negotiation Error", Detail="bad packet length"
and can give you a hint if it's a common problem with a known fix, ...
Martin
07-26-2011 03:59 AM
Martin, thank you for your answer!
Of course the OS is 64-bit. Otherwise Lync and OCS do not install.
I'll try to use openssl on an ordinary Linux and explain the results.
I searched over the internet, but did not find that anyone else had encountered this issue.
I think I am the only one puzzled by this problem ...
08-04-2011 12:32 PM
Can you post a tcpdump of the TLS negotiation? Specifically, I need to see the client hello that is sent from the VCS.
08-25-2011 02:46 AM
08-25-2011 03:26 AM
OK, the VCS should be offering 34 suites, not 16.
Copy your release key and option keys to a safe place.
Copy your root CA, private key, and client certificate to a safe place.
Make sure you have physical access to the VCS, as you'll have to re-enter the IP from the front panel.
This procedure will wipe the config from the VCS, so make a note of any settings you may need to rebuild the config.
From telnet or SSH, log in as admin.
Enter the command: xcommand defaultvaluesset level: 3
Enter the command: xcommand defaultlinksadd
Enter the command: xcommand boot
When the VCS reboots, re-enter the IP on the front panel.
After the reboot, log in to the web interface as admin.
Re-add your release keys and option keys.
Install VCS X6.1 even if the box is already running X6.1.
After the reboot you'll have a clean VCS.
Check the alarms that you'll be seeing and follow the instructions for each to clear them.
You can then start to reconfigure the box.
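Ryan's request for the client hello and his note that the VCS should offer 34 suites rather than 16 come down to one measurement: how many cipher suites the ClientHello from the VCS carries. The script below is an added example for this thread, not code from its participants or from Cisco. It takes the raw TCP payload of the VCS's first packet to Lync (exported from a tcpdump capture of port 5061), checks the record and handshake lengths against the bytes actually present, and lists the offered suites by IANA name where it knows them. The SAMPLE_RECORD is a constructed 16-suite ClientHello, not captured traffic.

```python
"""List the cipher suites in the ClientHello that opens a captured TLS session.
Added example for this thread; the SAMPLE_RECORD is constructed, not captured."""
import sys

SUITE_NAMES = {                  # a few IANA codes; unknown ones are shown as hex
    0x0004: "TLS_RSA_WITH_RC4_128_MD5",
    0x0005: "TLS_RSA_WITH_RC4_128_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x0016: "TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x0033: "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
    0x0035: "TLS_RSA_WITH_AES_256_CBC_SHA",
    0x0039: "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
}


def parse_client_hello(payload: bytes) -> dict:
    """Decode the TLS record header, handshake header and ClientHello body.
    Every length field is checked against the bytes present, so a truncated or
    zero-length record raises ValueError instead of being read past its end."""
    if len(payload) < 5:
        raise ValueError("truncated TLS record header")
    ctype, rec_ver = payload[0], payload[1:3]
    rec_len = int.from_bytes(payload[3:5], "big")
    if ctype != 0x16:
        raise ValueError(f"not a handshake record (content type {ctype:#x})")
    if rec_len == 0:
        raise ValueError("zero-length TLS record")
    if len(payload) < 5 + rec_len:
        raise ValueError(f"bad packet length: header claims {rec_len} bytes, "
                         f"{len(payload) - 5} present")
    hs = payload[5:5 + rec_len]
    if hs[0] != 0x01:
        raise ValueError(f"not a ClientHello (handshake type {hs[0]:#x})")
    if int.from_bytes(hs[1:4], "big") != len(hs) - 4:
        raise ValueError("bad packet length: handshake length disagrees with record")
    body = hs[4:]
    client_ver = body[0:2]
    pos = 2 + 32                                 # skip client_random
    pos += 1 + body[pos]                         # skip session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("bad packet length: cipher_suites vector")
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    compression = list(body[pos + 1:pos + 1 + body[pos]])
    return {
        "record_version": f"{rec_ver[0]}.{rec_ver[1]}",
        "client_version": f"{client_ver[0]}.{client_ver[1]}",
        "cipher_suite_count": len(suites),
        "cipher_suites": [SUITE_NAMES.get(s, f"0x{s:04x}") for s in suites],
        "compression_methods": compression,
    }


def build_client_hello(suites, version=b"\x03\x01") -> bytes:
    """Build a minimal ClientHello record (constructed input for demonstration)."""
    body = (version + bytes(32) + b"\x00"                    # version, random, no session id
            + (2 * len(suites)).to_bytes(2, "big")
            + b"".join(s.to_bytes(2, "big") for s in suites)
            + b"\x01\x00")                                  # one compression method: null
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + version + len(hs).to_bytes(2, "big") + hs


# Constructed: a 16-suite offer, the count the thread says is too few for the VCS
SIXTEEN = [0x0039, 0x0038, 0x0035, 0x0016, 0x0013, 0x000A, 0x0033, 0x0032,
           0x002F, 0x0005, 0x0004, 0x0015, 0x0012, 0x0009, 0x0014, 0x0011]
SAMPLE_RECORD = build_client_hello(SIXTEEN)

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_RECORD
    info = parse_client_hello(data)
    print(f"ClientHello offers {info['cipher_suite_count']} suites "
          f"(record {info['record_version']}, client {info['client_version']})")
    for name in info["cipher_suites"]:
        print("  ", name)
```

Pass the payload file as the only argument, or run without one to see the constructed 16-suite case. Comparing the count before and after the reset procedure above shows directly whether the offer changed, and the length checks give a concrete reading of the ClientHello side of any "bad packet length" complaint.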
08-25-2011 05:38 AM
Ryan, how may resetting the VCS affect the number of ciphers that the VCS offers now?