Some customers of mine with Linux environments connect to the CCMAdmin pages with the EC certs. It's definitely a good idea to get those signed.
On Tue, Sep 3, 2019 at 11:06 PM Tim Smith <[email protected]> wrote: > Is it time to start getting our EC certs signed as well? > > > > > > *From: *cisco-voip <[email protected]> on behalf of " > [email protected]" <[email protected]> > *Reply to: *"Ryan Ratliff (rratliff)" <[email protected]> > *Date: *Wednesday, 4 September 2019 at 1:02 pm > *To: *Anthony Holloway <[email protected]>, " > [email protected]" <[email protected]> > *Subject: *Re: [cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs > > > > TCP/6972 is hosted by the TFTP service specifically for secure download of > configuration files and firmware (HTTPS using the Callmanager-EC cert) by > endpoints. It’s using EC because only endpoints that support strong > encryption will use support HTTPS downloads via TFTP. > > TCP/6970 is for the same as HTTP > > TCP/6971 is for the same as HTTPS using the Tomcat certificate (for Jabber) > > > None of these are intended to be used by your browser, though it works > perfectly well for testing and troubleshooting. > > > > Ryan Ratliff > > Manager, Cisco Cloud Collaboration TAC > > Standard Business Hours: 8:00AM-5:00PM EDT > Email: [email protected] > > Office: +1 919-476-2081 > > Mobile: +1-919-225-0448 > > Cisco U.S. Contact Numbers: +1-800-553-2447 or +1-408-526-7209 > > > > *From: *cisco-voip <[email protected]> on behalf of > Anthony Holloway <[email protected]> > *Date: *Tuesday, September 3, 2019 at 10:03 PM > *To: *cisco-voip list <[email protected]> > *Subject: *[cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs > > > > So, I just ran into something interesting where someone else took care of > the certs for a CUCM I now have access to, and while the main CCMAdmin > pages load fine in my browser with a full chain of trust, the 6972 page(s) > are being delivered as EC certs, which were not signed, and thus, I get a > warning in my browser. > > > > Now, I have other CUCM deployments under my belt where the Tomcat RSA > certs are signed and EC not, because the default setting for CUCM is to not > use EC certs until you tell it to. These deployments still present the RSA > cert to me for 6972. > > > > The only difference is the SU6 part. > > > > I couldn't find anything in the release notes nor in the bug search, and > so I'm wondering if any of you know what might be happening. > > > > I tried toggling the HTTP Ciphers from RSA only to All and back again, but > that didn't work. > > > > I tried re-uploading the RSA cert chain, starting from root, and then back > through the 2 intermediates (yes, three layers deep, it's a public CA > chain). > > > > I've restarted Tomcat, I've deactivated/reactivate TFTP, I've rebooted the > cluster, and I'm just at a loss. It's not that big of a deal, it just > bothers me that I don't know why it's doing this. > _______________________________________________ > cisco-voip mailing list > [email protected] > https://puck.nether.net/mailman/listinfo/cisco-voip >
_______________________________________________ cisco-voip mailing list [email protected] https://puck.nether.net/mailman/listinfo/cisco-voip
