So Brian, you (or someone) has then changed the HTTPS Ciphers Enterprise
Parameter to use EC certs then?  Because that's not the default setting.

On Wed, Sep 4, 2019 at 10:20 AM Brian Meade <bmead...@vt.edu> wrote:

> Some customers of mine with Linux environments connect to the CCMAdmin
> pages with the EC certs.  It's definitely a good idea to get those signed.
>
> On Tue, Sep 3, 2019 at 11:06 PM Tim Smith <tim.sm...@enject.com.au> wrote:
>
>> Is it time to start getting our EC certs signed as well?
>>
>> *From: *cisco-voip <cisco-voip-boun...@puck.nether.net> on behalf of "cisco-voip@puck.nether.net" <cisco-voip@puck.nether.net>
>> *Reply to: *"Ryan Ratliff (rratliff)" <rratl...@cisco.com>
>> *Date: *Wednesday, 4 September 2019 at 1:02 pm
>> *To: *Anthony Holloway <avholloway+cisco-v...@gmail.com>, "cisco-voip@puck.nether.net" <cisco-voip@puck.nether.net>
>> *Subject: *Re: [cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs
>>
>> TCP/6972 is hosted by the TFTP service specifically for secure download
>> of configuration files and firmware (HTTPS using the Callmanager-EC cert)
>> by endpoints. It’s using EC because only endpoints that support strong
>> encryption will support HTTPS downloads via TFTP.
>>
>> TCP/6970 is for the same as HTTP
>>
>> TCP/6971 is for the same as HTTPS using the Tomcat certificate (for
>> Jabber)
>>
>>
>> None of these are intended to be used by your browser, though it works
>> perfectly well for testing and troubleshooting.
>>
>> Ryan Ratliff
>>
>> Manager, Cisco Cloud Collaboration TAC
>>
>> Standard Business Hours: 8:00AM-5:00PM EDT
>> Email: rratl...@cisco.com
>>
>> Office: +1 919-476-2081
>>
>> Mobile: +1-919-225-0448
>>
>> Cisco U.S. Contact Numbers: +1-800-553-2447 or +1-408-526-7209
>>
>> *From: *cisco-voip <cisco-voip-boun...@puck.nether.net> on behalf of
>> Anthony Holloway <avholloway+cisco-v...@gmail.com>
>> *Date: *Tuesday, September 3, 2019 at 10:03 PM
>> *To: *cisco-voip list <cisco-voip@puck.nether.net>
>> *Subject: *[cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs
>>
>> So, I just ran into something interesting where someone else took care of
>> the certs for a CUCM I now have access to, and while the main CCMAdmin
>> pages load fine in my browser with a full chain of trust, the 6972 page(s)
>> are being delivered as EC certs, which were not signed, and thus, I get a
>> warning in my browser.
>>
>> Now, I have other CUCM deployments under my belt where the Tomcat RSA
>> certs are signed and EC not, because the default setting for CUCM is to not
>> use EC certs until you tell it to.  These deployments still present the RSA
>> cert to me for 6972.
>>
>> The only difference is the SU6 part.
>>
>> I couldn't find anything in the release notes nor in the bug search, and
>> so I'm wondering if any of you know what might be happening.
>>
>> I tried toggling the HTTP Ciphers from RSA only to All and back again,
>> but that didn't work.
>>
>> I tried re-uploading the RSA cert chain, starting from root, and then
>> back through the 2 intermediates (yes, three layers deep, it's a public CA
>> chain).
>>
>> I've restarted Tomcat, I've deactivated/reactivated TFTP, I've rebooted
>> the cluster, and I'm just at a loss.  It's not that big of a deal, it just
>> bothers me that I don't know why it's doing this.
>> _______________________________________________
>> cisco-voip mailing list
>> cisco-voip@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-voip
>>
>
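A small probe, added here as an example and not part of anyone's post in this thread, that does what Anthony did by hand in the browser: connect to each of the TFTP/Tomcat HTTPS ports Ryan describes (6971 and 6972, plus 8443 for CCMAdmin), read the certificate the server actually presents, report whether its public key is EC or RSA, and report whether the chain validates against the local trust store (the "chain_trusted" flag is what the browser warning corresponds to). The key type is read straight from the DER SubjectPublicKeyInfo with a minimal walker, so only the standard library is needed. The port list, host name and the synthetic certificate built by `sample_cert()` for offline testing are assumptions of this example; `sample_cert()` produces a structurally valid but unsigned, meaningless certificate purely so the parser can be exercised without a CUCM in reach.

```python
"""Report the certificate type (EC vs RSA) and chain status on CUCM HTTPS ports."""
import socket
import ssl
import sys

# DER-encoded OID bodies found in an AlgorithmIdentifier inside SubjectPublicKeyInfo.
OID_RSA = bytes.fromhex("2a864886f70d010101")  # rsaEncryption 1.2.840.113549.1.1.1
OID_EC = bytes.fromhex("2a8648ce3d0201")       # id-ecPublicKey 1.2.840.10045.2.1

# Ports from the thread: TFTP HTTPS (Tomcat cert), TFTP HTTPS (Callmanager-EC cert), CCMAdmin.
DEFAULT_PORTS = (6971, 6972, 8443)


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV that starts at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length: 0x8N then N length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _children(seq_body):
    """Yield (tag, value) for each TLV directly inside a SEQUENCE body."""
    pos = 0
    while pos < len(seq_body):
        tag, val, pos = _read_tlv(seq_body, pos)
        yield tag, val


def public_key_type(cert_der):
    """Return 'EC', 'RSA' or 'other' from a DER certificate's SubjectPublicKeyInfo."""
    _, cert_body, _ = _read_tlv(cert_der, 0)         # Certificate ::= SEQUENCE
    tbs = next(_children(cert_body))[1]              # first child: tbsCertificate
    fields = list(_children(tbs))
    if fields[0][0] == 0xA0:                         # optional [0] EXPLICIT version
        fields = fields[1:]
    # Order after version: serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki = fields[5][1]
    alg_id = next(_children(spki))[1]                # AlgorithmIdentifier ::= SEQUENCE
    oid = next(_children(alg_id))[1]                 # its first element is the OID
    if oid == OID_EC:
        return "EC"
    if oid == OID_RSA:
        return "RSA"
    return "other"


def probe(host, port, timeout=5):
    """Fetch the leaf certificate on host:port; fall back to an unverified
    connection only so the key type can still be read when the chain fails."""
    ctx = ssl.create_default_context()
    trusted = True
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except ssl.SSLCertVerificationError:
        trusted = False
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    return {"port": port, "key_type": public_key_type(der), "chain_trusted": trusted}


def der_tlv(tag, body):
    """Encode one DER TLV; used only to build the constructed sample certificate."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def sample_cert(key_oid):
    """Constructed, unsigned, structurally valid certificate for offline testing (assumption)."""
    seq = lambda *parts: der_tlv(0x30, b"".join(parts))
    version = der_tlv(0xA0, der_tlv(0x02, b"\x02"))                      # v3
    serial = der_tlv(0x02, b"\x01")
    sig_alg = seq(der_tlv(0x06, bytes.fromhex("2a8648ce3d040302")))      # ecdsa-with-SHA256
    name = seq()                                                         # empty Name
    validity = seq(der_tlv(0x17, b"190101000000Z"), der_tlv(0x17, b"290101000000Z"))
    spki = seq(seq(der_tlv(0x06, key_oid)), der_tlv(0x03, b"\x00\x04"))  # key bits are dummy
    tbs = seq(version, serial, sig_alg, name, validity, name, spki)
    return seq(tbs, sig_alg, der_tlv(0x03, b"\x00\x00"))


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "cucm.example.invalid"  # placeholder host
    for p in DEFAULT_PORTS:
        try:
            print(probe(target, p))
        except OSError as exc:
            print({"port": p, "error": str(exc)})
```

Run it as `python3 probe.py <cucm-hostname>`; a line such as `{'port': 6972, 'key_type': 'EC', 'chain_trusted': False}` is exactly the situation in the original post (EC cert on 6972, not signed by a trusted CA), while the RSA Tomcat cert on 8443 should show `chain_trusted: True` when the chain was uploaded correctly.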