07-01-2016 02:08 PM - edited 03-19-2019 11:19 AM
In reference to caveat CSCuj42438. Customer faced issue accessing UC websites while using IE 11.
error seen in the browser:
SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY
The caveat indicates:
##############################################
Symptom:
Cisco Prime Infrastructure supports Weak SSL/TLS Ciphers.
Conditions:
Default configuration.
Workaround:
Following workaround could be used for Firefox:
====================
In address bar enter about:config
Use the search pane and search for security .ssl3.dhe_rsa_aes
Double click security .ssl3.dhe_rsa_aes_128_sha and set its value to false,
Further Problem Description:
PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via
normal resolution channels.
If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another
evaluation.
Additional information on Cisco's security vulnerability policy can be found at the following URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
##############################################
This information rules out IE and other Browsers.
On the other hand, the browser requirements for versions 9.x, 10.x and 11.x indicate IE 11 is not supported, see below:
You can access Cisco Unified CM Administration, Cisco Unified Serviceability, Cisco Unified Reporting, Cisco Unified Communications Operating System Administration, and Disaster Recovery System by using the browsers and operating systems listed in the following table. Cisco does not support or test other browsers.
Table 1 Supported Browsers and Operating Systems
You can access Cisco Unified Communications Manager with this browser...
...if you use one of these operating systems
Microsoft Internet Explorer 8
* Microsoft Windows XP SP3
* Microsoft Windows Vista SP2 (or latest service pack available)
* Microsoft Windows 7 (32-bit) (with latest service pack available)
Mozilla Firefox 3.x or 4.x (if available)
* Microsoft Windows XP SP3
* Microsoft Windows Vista SP2 (or latest service pack available)
* Microsoft Windows 7 (32-bit) (latest service pack available)
* Apple Mac OS X (latest service pack available)
Safari 4.x or 5.x (if available)
Apple Mac OS X (or newest OS release available)
See links:
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/install/9_1_1/CUCM_BK_I05CD008_00_installing-cucm-91/CUCM_BK_I05CD008_00_installing-cucm-91_chapter_01.html
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/install/10_0_1/CUCM_BK_I95AD2FE_00_installing-cucm-100/CUCM_BK_I95AD2FE_00_installing-cucm-100_chapter_010.html
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/install/11_0_1/CUCM_BK_IDF93684_00_installing-cucm_1101/Installation_planning.html
Result:
This information rules IE 11 and leaves no room for support to address the encryption issue.
Workaround:
Customer found out the following article that help him solve the encryption warning with IE 11.
https://support.microsoft.com/en-us/kb/3061518
Note:
It is important to notice the article addresses the encryption warning issue and does not necessary imply support of IE 11 for other functionalities while driving through the UC website.
08-11-2016 07:27 AM
Do we know of a fix for this it is affecting more and more cisco platforms?
The workaround works, but do I need to raise a tac case for a fix.
08-11-2016 07:35 AM
Your are right, I think we will need to. I see an increment in the cases and customers feeling the workaround
https://support.microsoft.com/en-us/kb/3061518 weakens the security of IE 11
We know not all UC versions support it, but those that supported seem being affected by the latest security updates of IE. So the statement of IE 11 support is not enough for this security update from MS.
I currently have a case where the customer is looking for an official statement from Cisco about it.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide