TLS Version 1.1 is a deprecated protocol VAPT in CUCM

Dipak Kadam
Level 1

Hello Everyone,

Recently, our VAPT team identified a VAPT point in CUCM PUB and CUCM SUB. The point is that TLS Version 1.1 is a deprecated protocol.

Currently, we are using CUCM version 12.0.1.10000-10, and by default, the TLS version is showing as 1.0.

If I try the following command in CUCM PUB and SUB:

run set tls min-version 1.2

Is it possible to upgrade TLS 1.0 to 1.2? Also, are there any impacts on CUCM?

4 Replies

Jonathan Schulenberg
Hall of Fame

Be very careful here because this can easily break stuff. In fact, this is one topic I'd recommend pulling a partner into - and a very talented senior engineer.

You need to think through every possible TLS flow touching CUCM and ensure they all support 1.2. This topic also usually involves disabling weaker cipher suites, so that’s another consideration. One common example: 7900 series IP Phones only support 1.0. Even if you do not have them in an authenticated or encrypted registration mode they still use TLS for TVS and service URLs.

Here are a couple documentation references to get you started:

TLS 1.2 Compatibility Matrix for Cisco Collaboration Products 

TLS 1.2 Configuration Overview Guide 

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 

PS- Version 12.0 is end of support so if something goes wrong you can’t call TAC for help. Upgrading to 15 should be a higher priority.
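One way to do the "think through every TLS flow" check in practice is to probe each CUCM-facing port with a client pinned to a single protocol version and record what the server negotiates, once before and once after raising the minimum version. The script below is an added example, not code from the thread or from Cisco; the hostname and the port-to-service mapping are assumptions to be adjusted for your own cluster, and it only tests the server side of each flow (a client-only device such as the 7900 series still has to be checked against the compatibility matrix linked above).

```python
"""Probe which TLS protocol versions a CUCM node (or any TLS service) negotiates.

Added example, not from the original thread. Run it against PUB and SUB before
and after changing the minimum version so the result shows what each service
actually accepts. Ports and hostname are assumptions; adjust them.
"""
import socket
import ssl

# Assumed CUCM-facing TLS ports (verify against your own deployment).
ASSUMED_PORTS = {
    "web/AXL (Tomcat)": 8443,
    "SIP over TLS": 5061,
    "SCCP over TLS": 2443,
    "TVS": 2445,
}

# Ordered oldest to newest; the order decides what counts as "below the minimum".
VERSIONS = [
    ("TLS 1.0", ssl.TLSVersion.TLSv1),
    ("TLS 1.1", ssl.TLSVersion.TLSv1_1),
    ("TLS 1.2", ssl.TLSVersion.TLSv1_2),
    ("TLS 1.3", ssl.TLSVersion.TLSv1_3),
]
VERSION_NAMES = [name for name, _ in VERSIONS]


def _single_version_context(version):
    """Client context pinned to exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probing protocol support, not certificate trust
    ctx.minimum_version = version
    ctx.maximum_version = version
    # OpenSSL 3 blocks TLS 1.0/1.1 at its default security level; lower it so a
    # refusal reflects the server's policy rather than the probing client's.
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and older builds have no SECLEVEL keyword
    return ctx


def probe(host, port, version, timeout=5.0):
    """Return 'accepted', 'refused' or 'untestable' for one host/port/version."""
    try:
        ctx = _single_version_context(version)
    except (ValueError, ssl.SSLError):
        return "untestable"  # local OpenSSL cannot even offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() else "refused"
    except ssl.SSLError:
        return "refused"  # handshake alert: the server will not speak this version
    except OSError:
        return "untestable"  # closed port, timeout, DNS failure


def evaluate(results, min_allowed="TLS 1.2"):
    """Judge a {version_name: status} map against a required minimum.

    Returns (ok, findings). ok is False when a version below min_allowed is
    still accepted (the VAPT finding reproduces) or when min_allowed itself is
    not negotiated (raising the server minimum would break this flow).
    """
    findings = []
    floor = VERSION_NAMES.index(min_allowed)
    for idx, name in enumerate(VERSION_NAMES):
        if idx < floor and results.get(name) == "accepted":
            findings.append(f"{name} still accepted")
    status_min = results.get(min_allowed, "untestable")
    if status_min != "accepted":
        findings.append(f"{min_allowed} not negotiated ({status_min})")
    return (not findings, findings)


def assess_host(host, ports=ASSUMED_PORTS, min_allowed="TLS 1.2"):
    """Probe every version on every port; return {service: (ok, findings, results)}."""
    report = {}
    for service, port in ports.items():
        results = {name: probe(host, port, ver) for name, ver in VERSIONS}
        ok, findings = evaluate(results, min_allowed)
        report[service] = (ok, findings, results)
    return report


if __name__ == "__main__":
    import sys
    # Assumed hostname; pass the real PUB/SUB FQDN as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "cucm-pub.example.internal"
    for service, (ok, findings, results) in assess_host(target).items():
        print(f"{service}: {'OK' if ok else 'FINDINGS'} {results}")
        for finding in findings:
            print(f"  - {finding}")
```

Run it once per node before the change to confirm the finding reproduces (1.0 and 1.1 accepted), then again after `set tls min-version 1.2` to confirm they are refused while 1.2 still negotiates on every port you care about. A service that reports "TLS 1.2 not negotiated" before the change is the one that will break when the floor is raised.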

Dear @Jonathan Schulenberg,

Thank you so much for providing amazing information.

Nithin Eluvathingal

If your security team is really concerned about the security of the applications, I would suggest upgrading CUCM from version 12.0 to the latest. Many high-severity vulnerabilities have been reported in older versions, and the 12.0 version you are using reached EOL last year. Upgrading to the latest version should be a priority over enabling TLS.

Enabling TLS 1.2 can cause the issues @Jonathan Schulenberg mentioned with some phone services if your environment has older phones like the 7900 series mentioned above.


Dear @Nithin Eluvathingal,

Thank you so much for providing great information.