04-11-2023 03:33 AM
Hi
After a VAPT test on CUCM, "SSL Medium Strength Cipher Suites Supported" was found.
How can I fix this issue?
CUCM version 11.5
Thanks
04-11-2023 04:38 AM
11.5 doesn't have the option to define custom cipher suites.
You can only check here: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_5_1_SU11/cucm_b_security-guide-115SU11/cucm_b_security-guide-1151su3_chapter_0101.html#task_7BBFEB8E183C1521B8357787B043E2C3
If you want to define cipher suites, upgrade to 12.5 or later.
04-11-2023 08:23 AM
CUCM 11.5 does have the TLS Ciphers Enterprise Parameter although it only applies to the SIP interfaces of CUCM - not HTTPS, SSH, etc. Also, a general word of caution here: be very careful when you start turning older TLS versions or ciphers off if you have anything end of sale in your environment. For example, the 7900 series of IP Phones do not support TLS 1.2. It's surprisingly easy to break stuff on this topic. Cisco is quick to point out that it's the customer's responsibility to qualify what may be required in their environment. I'm not aware of a giant matrix that says "if you have product X you must leave TLS version Y or cipher suite(s) Z enabled."
05-03-2023 10:51 PM - edited 05-03-2023 10:54 PM
Hi,
If I apply it to the SIP interface, what services are impacted? I have multiple SIP trunks and SIP phones.
You said "cipher suite only applicable to SIP, not HTTPS".
But I can see HTTPS, please advise.
Thanks
05-03-2023 11:06 PM - edited 05-03-2023 11:08 PM
Every service that uses SIP as its signalling protocol is impacted if you change the SIP ciphers.
HTTPS ciphers are for services which use web-based communication.
But this only comes into play if you use encrypted signalling. If all your communication is unencrypted, it doesn't matter what you configure there.
05-03-2023 11:48 PM
Hi,
How do I verify whether all the communication is encrypted or unencrypted, for example the security profile assigned to any device or trunk?
05-03-2023 11:52 PM
Check if the cluster is in mixed-mode. If not, then you cannot use encryption and therefore everything is unencrypted.
HTTP communication can still use encryption, whether mixed-mode is enabled or not. But you have to know what communicates encrypted or not. You are the admin of the system and IMHO you should know that.
05-04-2023 12:18 AM - edited 05-04-2023 12:18 AM
Hi,
The cluster mode is non-secure. I have CUP, Expressway-C and -E, and Unity. My doubt: if I change the TLS mode to 1.2, the communication might break.
You are right, I should know; I am an accidental administrator.
Here is one of my security profiles.
All my SIP profiles are also non-secure.
Thanks
05-04-2023 12:30 AM
I thought you just wanted to change the TLS ciphers and not the TLS version itself?
There is a Cisco doc on how and where to change the TLS version on UC servers: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/TLS/TLS-1-2-Configuration-Overview-Guide.html
Again: if the cluster is not in mixed-mode, you cannot use call signalling encryption (secure SCCP, SIP, ...). Then you cannot change the encryption mode in the phone and SIP trunk security profiles.
Between CUCM and Exp-C there is no secure communication by default. It doesn't matter if you have MRA or B2B calling in place.
05-04-2023 01:21 AM
Hi,
I changed it in my test environment. Before changing it in production, I just want to confirm that it won't affect (because I am not in mixed mode) any other service except the web service (admin portal).
Thanks
05-04-2023 01:27 AM
In general: if you change the ciphers or the TLS version, you also have to check all the other systems connected to CUCM (phones, 3rd parties, SIP trunks, web applications connecting to CUCM, ...), whether they support the same version or ciphers. This is not something which only needs to be checked on CUCM alone.
For HTTP ciphers / version, keep in mind that phones use HTTP/HTTPS for CUCM phone services like directory, EM, ... So if you change them, the phones also need to support those ciphers / versions. You need to check the Cisco docs for that.
05-04-2023 02:10 AM
Hi,
Thanks a million. I have one more question related to the same subject.
Weak algorithms found in SSH:
SSH Weak Key Exchange Algorithms Enabled
SSH Server CBC Mode Ciphers Enabled
Please advise
05-04-2023 02:18 AM
I don't find anything in a quick internet search about changing the SSH ciphers in 11.5.
But in 12.5 you definitely have the option to change them: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1SU3/cucm_b_security_guide_1251SU3/cucm_m_cipher-management_reorg.html#reference_68972012B0460E00571F79B1735FC5E9
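The advice above about checking every connected endpoint before removing ciphers or TLS versions, together with the three scanner findings quoted in this thread, can be turned into a small planning check. The script below is an added example, not code from the thread or from Cisco: it flags the suites and SSH algorithms a scanner of this kind would report, then computes, for each endpoint capability profile, whether it could still negotiate against the hardened policy. The cipher lists, the "legacy_phone" / "old_sip_trunk" profiles and the weak-algorithm patterns are constructed for the example and approximate typical scanner rules; they are not vendor data.

```python
import re

# Heuristic approximating how a VAPT scanner labels the three findings quoted
# in this thread. Written for this example; not the scanner's own definitions.
TLS_MEDIUM = re.compile(r"3DES|DES_EDE|RC4|IDEA|SEED", re.I)
SSH_WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
                "diffie-hellman-group-exchange-sha1"}

def flag_tls_suites(suites):
    """Suites a 'SSL Medium Strength Cipher Suites Supported' check would report."""
    return [s for s in suites if TLS_MEDIUM.search(s)]

def flag_ssh(kex, ciphers):
    """(weak kex, CBC ciphers) as in 'SSH Weak Key Exchange' / 'SSH Server CBC Mode'."""
    return ([k for k in kex if k in SSH_WEAK_KEX],
            [c for c in ciphers if c.endswith("-cbc")])

def hardened_policy(offered, min_tls="1.2"):
    """Server-side policy after dropping flagged suites and raising the minimum TLS version."""
    return {"min_tls": min_tls, "suites": [s for s in offered if not TLS_MEDIUM.search(s)]}

def negotiation_impact(policy, clients):
    """For each client profile, the (version, suite) it could still negotiate, or None.
    clients: {name: {"tls": [versions supported], "suites": [suites in preference order]}}"""
    out = {}
    for name, cap in clients.items():
        versions = [v for v in cap["tls"] if v >= policy["min_tls"]]   # "1.0" < "1.2" as strings
        suites = [s for s in cap["suites"] if s in policy["suites"]]
        out[name] = (max(versions), suites[0]) if versions and suites else None
    return out

# Constructed sample input, in the style of a scan report and of per-endpoint capability notes.
OFFERED = ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", "TLS_RSA_WITH_AES_128_CBC_SHA",
           "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "TLS_RSA_WITH_RC4_128_SHA"]
CLIENTS = {  # hypothetical capability profiles for this example, not vendor data
    "legacy_phone": {"tls": ["1.0"], "suites": ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},
    "modern_phone": {"tls": ["1.0", "1.2"], "suites": ["TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"]},
    "old_sip_trunk": {"tls": ["1.2"], "suites": ["TLS_RSA_WITH_3DES_EDE_CBC_SHA"]},
}

if __name__ == "__main__":
    print("flagged TLS suites:", flag_tls_suites(OFFERED))
    print("flagged SSH:", flag_ssh(["diffie-hellman-group1-sha1", "ecdh-sha2-nistp256"],
                                   ["aes128-cbc", "aes256-ctr"]))
    for name, result in negotiation_impact(hardened_policy(OFFERED), CLIENTS).items():
        print(f"{name}: {'OK ' + str(result) if result else 'BREAKS'}")
```

Endpoints that come back as "BREAKS" are the ones to qualify against vendor documentation or a test cluster before the change reaches production.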