SSL Medium Strength Cipher Suites Supported

bluesea2010
Level 5

Hi

After a VAPT test on CUCM, I found "SSL Medium Strength Cipher Suites Supported".

How can I fix this issue?

CUCM version 11.5

Thanks

12 Replies

b.winter
VIP

11.5 doesn't have the option to define custom cipher suites.
You can only check here: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/11_5_1_SU11/cucm_b_security-guide-115SU11/cucm_b_security-guide-1151su3_chapter_0101.html#task_7BBFEB8E183C1521B8357787B043E2C3

If you want to define cipher suites, upgrade to 12.5 or later.

CUCM 11.5 does have the TLS Ciphers Enterprise Parameter although it only applies to the SIP interfaces of CUCM - not HTTPS, SSH, etc. Also, a general word of caution here: be very careful when you start turning older TLS versions or ciphers off if you have anything end of sale in your environment. For example, the 7900 series of IP Phones do not support TLS 1.2. It's surprisingly easy to break stuff on this topic. Cisco is quick to point out that it's the customer's responsibility to qualify what may be required in their environment. I'm not aware of a giant matrix that says "if you have product X you must leave TLS version Y or cipher suite(s) Z enabled."

Hi,

If I apply it to the SIP interface, what services are impacted? I have multiple SIP trunks and SIP phones.

cucm ciphers.JPG

You said "cipher suite only applicable to SIP, not the HTTPS".

But I can see the HTTPS, please advise.

Thanks

Every service that uses SIP as its signalling protocol is impacted if you change the SIP ciphers ^^
HTTPS ciphers are for services which use web-based communication.

But this only comes into play if you use encrypted signalling. If all your communication is unencrypted, it doesn't matter what you configure there.

Hi,

How do I verify whether all the communication is encrypted or unencrypted, for example the security profile assigned to any device or trunk?

Check if the cluster is in mixed mode. If not, then you cannot use encryption and therefore everything is unencrypted.
HTTP communication can still be used with encryption; it doesn't matter if mixed mode is enabled or not. But you have to know what communicates encrypted or not. You are the admin of the system and IMHO you should know that.

Hi,

The cluster mode is insecure. I have CUP, Expressway C and E, and Unity. My doubt is that if I change the TLS mode to 1.2, the communication might break.

You are right, I should know; I am an accidental administrator.

Here is one of my security profiles:

cucm 7906 security profile.png

All my SIP profiles are also non-secure.

Thanks

I thought you just wanted to change the TLS ciphers and not the TLS version itself?
There is a Cisco doc on how and where to change the TLS version on UC servers: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/TLS/TLS-1-2-Configuration-Overview-Guide.html

Again: if the cluster is not in mixed mode, you cannot use call signalling encryption (secure SCCP, SIP, ...). Then you cannot change the encryption mode in the phone and SIP trunk security profiles.
Between CUCM and Exp-C there is no secure communication by default. It doesn't matter if you have MRA or B2B calling in place.

Hi,

I changed it in my test environment. Before changing it on production I just want to confirm that it won't affect (because I am not in mixed mode) any other service except the web service (admin portal).

Thanks

In general: if you change the ciphers or the TLS version, you also have to look at all the other systems connected to CUCM (phones, 3rd parties, SIP trunks, web applications connecting to CUCM, ...) to see if they support the same version or ciphers. This is not something that only needs to be checked on CUCM alone.

For HTTP ciphers / version, keep in mind that phones use HTTP/HTTPS for CUCM phone services like directory, EM, ... So if you change them, the phones also need to support those ciphers / versions. You need to check the Cisco docs for that.
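One way to reproduce the scanner's finding yourself, before and after touching the TLS Ciphers parameter, is to offer a CUCM interface (web on 443, SIP over TLS on 5061) one cipher suite at a time and grade whatever it accepts. This is an added example, not code from this thread or from Cisco; the host and port values are placeholders, and the grading rule follows the "medium strength" definition used by the Nessus finding (64 <= key bits < 112, or any 3DES suite).

```python
"""Enumerate the TLS suites a server accepts and grade them the way the
'SSL Medium Strength Cipher Suites Supported' finding does.
Added example (not from the thread or Cisco); host/port are placeholders."""
import socket
import ssl


def classify_cipher(name: str, strength_bits: int) -> str:
    """Return 'weak', 'medium' or 'strong' per the scanner's definition."""
    if "DES-CBC3" in name or "3DES" in name:
        return "medium"            # 3DES counts as medium whatever its bit count
    if strength_bits < 64:
        return "weak"
    if strength_bits < 112:
        return "medium"
    return "strong"                # RC4 is caught by a separate scanner check


def candidate_ciphers():
    """(name, strength_bits) for every TLS<=1.2 suite the local OpenSSL can offer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")   # include legacy suites hidden by default
    except ssl.SSLError:
        pass                                  # older OpenSSL: keep its default list
    return [(c["name"], c["strength_bits"]) for c in ctx.get_ciphers()]


def server_accepts(host: str, port: int, cipher: str, timeout: float = 5.0) -> bool:
    """True if the server completes a handshake when offered only `cipher`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 suites cannot be selected
    ctx.check_hostname = False                     # we test negotiation, not the cert
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers(cipher + ":@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0] == cipher
    except (ssl.SSLError, OSError):
        return False                              # refused, timed out or no match


def audit(host: str, port: int) -> dict:
    """Map grade -> accepted suites, e.g. audit('cucm-pub.example.invalid', 443)."""
    found = {"weak": [], "medium": [], "strong": []}
    for name, bits in candidate_ciphers():
        if server_accepts(host, port, name):
            found[classify_cipher(name, bits)].append(name)
    return found
```

Run `audit()` against the SIP TLS port and the web port separately, since the thread's point is that the Enterprise Parameter changes one and not the other.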

Hi,

Thanks a million. I have one more question related to the same subject.

Weak algorithms found in SSH:

SSH Weak Key Exchange Algorithms Enabled
SSH Server CBC Mode Ciphers Enabled

Please advise.

I don't find anything in a quick internet search on how to change the SSH ciphers in 11.5.
But in 12.5 you definitely have the option to change them: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/security/12_5_1SU3/cucm_b_security_guide_1251SU3/cucm_m_cipher-management_reorg.html#reference_68972012B0460E00571F79B1735FC5E9