Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1298
Views
0
Helpful
5
Replies

CMS TURN process certificate chain issues

Stephen Carr
Level 1
Level 1

‎10-10-2017 11:07 AM - edited ‎03-18-2019 01:31 PM

So, it looks like the CMS TURN server process doesn't hand out the CA bundle the same way as the web process. We are running into issue with our security auditor as they are saying we don't have a "legal" cert bundle for our TURN process on port 3478. Thing is, we are using the same cert bundle for our web process on 443 and that process is passing the auditing tests.When I run a SSL Shopper scan to try and see what is going on it shows a weird chain being handed out where it shows CMS Cert-> CA cert -> Inter Cert->Inter Cert again ->CA cert again (whereas the web process shows the correct chain of CMS cert->Inter Cert ->CA cert). Looks like a bug to me. Now, the TURN functionality seems to work as the clients probably just ignore this stuff but I need this fixed to pass our security audit. Any ideas (I've tried messing with the bundle all sorts of ways to no avail)?

Steve

0 Helpful
5 Replies 5

Stephen Carr
Level 1
Level 1

‎10-10-2017 03:23 PM

just to add some detail. If I remove the cert bundle from the TURN install and just use the key and file then I get only CMS cert->CA cert-> Inter cert

so clearly there is something built into the TURN process that does this backwards (based on what is present for the web process?). So, the bundle adds the right order chain but only after it tries the wrong order chain.

Steve

0 Helpful

Zoltan Kelemen
Cisco Employee
Cisco Employee
In response to Stephen Carr

‎10-11-2017 05:27 AM

Hi Stephen,

 

what do you have in your cert file? (pki inspect <filename> )
It looks like you may have several certificates in one file.

 

Cheers,
  Zoltan

0 Helpful

Stephen Carr
Level 1
Level 1
In response to Zoltan Kelemen

‎10-11-2017 07:47 AM

thanks for the response. The bundle cert file just has the two certs needed (the Intermediate and the CA). Again, it works fine on the webbridge process (port 443) with the exact same bundle file so it seems like the TURN process just does it incorrectly

Steve

0 Helpful

Stephen Carr
Level 1
Level 1
In response to Stephen Carr

‎10-12-2017 09:02 AM

hmm, anyone willing to check their own cert chain results on port 3478 through a resource like SSL Shopper (if you have a publicly accessible TURN server) to see if you get the same or different results from checking port 443? I'm just trying to identify if it is an issue with Comodo certs or if it is an issue with CMS.

Steve

0 Helpful

Stephen Carr
Level 1
Level 1
In response to Stephen Carr

‎12-11-2017 02:56 PM - edited ‎12-11-2017 02:58 PM

So, after digging through this issue on and off for a while and waiting through an update to 2.2.8 I believe there is a bug in the CMS code for providing the certificate chain correctly from the TURN service on port 3478. With the exact same cert and CA bundle installed on port 443 and 3478, port 443 (webbridge) hands out the cert chain correctly for certs that have AIA chaining (that have multiple paths through intermediate certs to old CAs and newer ones like Comodo) but the TURN process does not (it hands the CA root first and then loops backwards through the chain and then forwards which runs afoul of security scanning services for audits).

Does this need to be entered as a TAC case? I'm looking for guidance on how best to get this fixed.

thanks

Steve

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents