CSCuj42438 and IE 11

wgarro
Cisco Employee

In reference to caveat CSCuj42438. The customer faced an issue accessing UC websites while using IE 11.

Error seen in the browser:

SSL_ERROR_WEAK_SERVER_EPHEMERAL_DH_KEY

The caveat indicates:

##############################################

Symptom:
Cisco Prime Infrastructure supports Weak SSL/TLS Ciphers.

Conditions:
Default configuration.

Workaround:
Following workaround could be used for Firefox:
====================

In address bar enter about:config
Use the search pane and search for security.ssl3.dhe_rsa_aes
Double click security.ssl3.dhe_rsa_aes_128_sha and set its value to false,

Further Problem Description:

PSIRT Evaluation:
The Cisco PSIRT has evaluated this issue and does not meet the criteria for PSIRT ownership or involvement. This issue will be addressed via normal resolution channels.

If you believe that there is new information that would cause a change in the severity of this issue, please contact psirt@cisco.com for another evaluation.

Additional information on Cisco's security vulnerability policy can be found at the following URL:

 http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html

##############################################

This information rules out IE and other Browsers.

On the other hand, the browser requirements for versions 9.x, 10.x and 11.x indicate IE 11 is not supported, see below:

You can access Cisco Unified CM Administration, Cisco Unified Serviceability, Cisco Unified Reporting, Cisco Unified Communications Operating System Administration, and Disaster Recovery System by using the browsers and operating systems listed in the following table. Cisco does not support or test other browsers.

Table 1 Supported Browsers and Operating Systems

| You can access Cisco Unified Communications Manager with this browser... | ...if you use one of these operating systems |
|---|---|
| Microsoft Internet Explorer 8 | Microsoft Windows XP SP3; Microsoft Windows Vista SP2 (or latest service pack available); Microsoft Windows 7 (32-bit) (with latest service pack available) |
| Mozilla Firefox 3.x or 4.x (if available) | Microsoft Windows XP SP3; Microsoft Windows Vista SP2 (or latest service pack available); Microsoft Windows 7 (32-bit) (latest service pack available); Apple Mac OS X (latest service pack available) |
| Safari 4.x or 5.x (if available) | Apple Mac OS X (or newest OS release available) |

See links:

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/install/9_1_1/CUCM_BK_I05CD008_00_installing-cucm-91/CUCM_BK_I05CD008_00_installing-cucm-91_chapter_01.html

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/install/10_0_1/CUCM_BK_I95AD2FE_00_installing-cucm-100/CUCM_BK_I95AD2FE_00_installing-cucm-100_chapter_010.html

http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/install/11_0_1/CUCM_BK_IDF93684_00_installing-cucm_1101/Installation_planning.html

Result:

This information rules out IE 11 and leaves no room for support to address the encryption issue.

Workaround:

The customer found the following article that helped him solve the encryption warning with IE 11.

https://support.microsoft.com/en-us/kb/3061518

Note:

It is important to notice the article addresses the encryption warning issue and does not necessarily imply support of IE 11 for other functionalities while driving through the UC website.
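A server-side check for the condition behind the browser error in the post above, as an added example that is not part of the original post or of Cisco's documentation: it reads saved `openssl s_client` output and reports whether the server negotiated an ephemeral DH key below a threshold. The 1024-bit default, the function names and the sample transcript are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the ephemeral key exchange a server negotiated,
# from saved `openssl s_client` output. Capture would look like:
#   openssl s_client -connect HOST:443 -cipher DHE </dev/null 2>/dev/null
# (HOST is a placeholder; -cipher DHE limits the offer to DHE suites.)

# Assumption: 1024 bits as the smallest acceptable DH size; override via env.
MIN_DH_BITS="${MIN_DH_BITS:-1024}"

# Reads s_client output on stdin and prints exactly one verdict:
#   WEAK_DH <bits> | OK_DH <bits> | NOT_DHE <type> | NO_TEMP_KEY
classify_temp_key() {
    awk -v min="$MIN_DH_BITS" '
        # Label is "Server Temp Key"; "Peer Temp Key" is accepted as well.
        /(Server|Peer) Temp Key:/ {
            sub(/^.*Temp Key:[ \t]*/, "")   # leaves e.g. "DH, 768 bits"
            n = split($0, f, /,[ \t]*/)      # f[1] = type, f[n] = "768 bits"
            bits = f[n]
            sub(/[ \t]*bits.*$/, "", bits)
            if (f[1] != "DH")        print "NOT_DHE " f[1]
            else if (bits + 0 < min) print "WEAK_DH " bits
            else                     print "OK_DH " bits
            found = 1
            exit
        }
        # No temp key line: static RSA key exchange or a failed handshake.
        END { if (!found) print "NO_TEMP_KEY" }
    '
}

# Constructed sample transcript (not captured from any real server).
sample_weak() {
    cat <<'EOF'
---
No client certificate CA names sent
Server Temp Key: DH, 768 bits
---
SSL handshake has read 2154 bytes and written 375 bytes
EOF
}

sample_weak | classify_temp_key   # prints: WEAK_DH 768
```

A `WEAK_DH` verdict points at the server's DH parameters as the thing to fix, rather than the browser setting.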

2 Replies

PETER MARTLAND
Level 1

Do we know of a fix for this? It is affecting more and more Cisco platforms.

The workaround works, but do I need to raise a TAC case for a fix?

You are right, I think we will need to. I see an increment in the cases and customers feeling the workaround https://support.microsoft.com/en-us/kb/3061518 weakens the security of IE 11.

We know not all UC versions support it, but those that supported seem to be affected by the latest security updates of IE. So the statement of IE 11 support is not enough for this security update from MS.

I currently have a case where the customer is looking for an official statement from Cisco about it.