11-28-2024 11:16 PM
Hello Everyone,
Recently, our VAPT team identified a VAPT point in CUCM PUB and CUCM SUB. The point is that TLS Version 1.1 is a deprecated protocol.
Currently, we are using CUCM version 12.0.1.10000-10, and by default, the TLS version is showing as 1.0.
If I try the following command in CUCM PUB and SUB:
run set tls min-version 1.2
Is it possible to upgrade TLS 1.0 to 1.2? Also, are there any impacts on CUCM?
11-29-2024 06:45 AM - edited 11-29-2024 06:55 AM
Be very careful here because this can easily break stuff. In fact, this is one topic I’d recommend pulling a partner into - and a very talented senior engineer.
You need to think through every possible TLS flow touching CUCM and ensure they all support 1.2. This topic also usually involves disabling weaker cipher suites, so that’s another consideration. One common example: 7900 series IP Phones only support 1.0. Even if you do not have them in an authenticated or encrypted registration mode they still use TLS for TVS and service URLs.
Here are a couple documentation references to get you started:
TLS 1.2 Compatibility Matrix for Cisco Collaboration Products
TLS 1.2 Configuration Overview Guide
Security Guide for Cisco Unified Communications Manager, Release 15 and SUs
PS- Version 12.0 is end of support so if something goes wrong you can’t call TAC for help. Upgrading to 15 should be a higher priority.
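The "think through every possible TLS flow" step above can be partly automated. The following is an added example, not code from the thread or from Cisco: it pins a client handshake to one protocol version at a time so you can see, per endpoint, which versions the server side of a flow actually negotiates before raising the minimum. It only covers listeners (CUCM's own service ports and peers CUCM connects to); client-only devices such as the 7900 series have to be checked against the compatibility matrix. The hostnames and ports in INVENTORY are placeholders.

```python
import socket
import ssl

# CUCM CLI version labels mapped onto the stdlib's protocol constants.
VERSIONS = {"1.0": ssl.TLSVersion.TLSv1, "1.1": ssl.TLSVersion.TLSv1_1,
            "1.2": ssl.TLSVersion.TLSv1_2}

# Constructed placeholder inventory (hostnames and ports are assumptions);
# replace with the real PUB/SUB service ports and anything that talks to them.
INVENTORY = [("cucm-pub.example.internal", 8443), ("cucm-sub.example.internal", 8443)]


def handshake_ok(host, port, version, timeout=5.0):
    """True if the peer completes a handshake pinned to exactly one version.
    Cert validation is off on purpose: we ask which versions the peer
    negotiates, not whether its certificate is trusted."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        ctx.minimum_version = ctx.maximum_version = version
        # Without lowering the security level, OpenSSL refuses TLS 1.0/1.1
        # locally and the probe would report a false negative.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError, ValueError):
        return False


def probe(host, port):
    """Map each CLI version label to whether the endpoint negotiates it."""
    return {label: handshake_ok(host, port, v) for label, v in VERSIONS.items()}


def assess(results):
    """results: {endpoint: {label: bool}}.  Split endpoints into those that
    already negotiate 1.2 and those 'set tls min-version 1.2' would cut off."""
    ready, cut_off = [], []
    for endpoint, versions in sorted(results.items()):
        (ready if versions.get("1.2") else cut_off).append(endpoint)
    return ready, cut_off


if __name__ == "__main__":
    ready, cut_off = assess({f"{h}:{p}": probe(h, p) for h, p in INVENTORY})
    print("negotiate 1.2:", ready)
    print("would break at min-version 1.2:", cut_off)
```

Anything listed under "would break" needs a fix (upgrade, replacement, or re-pointing the flow) before the min-version change, and the same run after the change confirms 1.0/1.1 are really refused.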
12-01-2024 04:30 AM
If your security team is really concerned about the security of the applications, I would suggest upgrading CUCM version 12.0 to the latest. Many high vulnerabilities have been reported in older versions, and the 12.0 version you are using reached EOL last year. Upgrading to the latest version should be a priority over enabling TLS.
Enabling TLS 1.2 can cause the issues @Jonathan Schulenberg mentioned with some phone services if your environment has older phones like the mentioned 7900 series.
12-02-2024 01:17 AM
Dear @Jonathan Schulenberg,
Thank you so much for providing amazing information.
12-02-2024 01:18 AM
Dear @Nithin Eluvathingal,
Thank you so much for providing great information.