This was on an 11.5 cluster without that setting changed from default. I'm wondering if that setting doesn't potentially change it everywhere.
On Wed, Sep 4, 2019 at 12:18 PM Anthony Holloway <[email protected]> wrote:

> So Brian, you (or someone) has then changed the HTTPS Ciphers Enterprise
> Parameter to use EC certs then? Because that's not the default setting.
>
> On Wed, Sep 4, 2019 at 10:20 AM Brian Meade <[email protected]> wrote:
>
>> Some customers of mine with Linux environments connect to the CCMAdmin
>> pages with the EC certs. It's definitely a good idea to get those signed.
>>
>> On Tue, Sep 3, 2019 at 11:06 PM Tim Smith <[email protected]> wrote:
>>
>>> Is it time to start getting our EC certs signed as well?
>>>
>>> *From: *cisco-voip <[email protected]> on behalf of "[email protected]" <[email protected]>
>>> *Reply to: *"Ryan Ratliff (rratliff)" <[email protected]>
>>> *Date: *Wednesday, 4 September 2019 at 1:02 pm
>>> *To: *Anthony Holloway <[email protected]>, "[email protected]" <[email protected]>
>>> *Subject: *Re: [cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs
>>>
>>> TCP/6972 is hosted by the TFTP service specifically for secure download
>>> of configuration files and firmware (HTTPS using the Callmanager-EC cert)
>>> by endpoints. It’s using EC because only endpoints that support strong
>>> encryption will use support HTTPS downloads via TFTP.
>>>
>>> TCP/6970 is for the same as HTTP
>>>
>>> TCP/6971 is for the same as HTTPS using the Tomcat certificate (for
>>> Jabber)
>>>
>>> None of these are intended to be used by your browser, though it works
>>> perfectly well for testing and troubleshooting.
>>>
>>> Ryan Ratliff
>>> Manager, Cisco Cloud Collaboration TAC
>>> Standard Business Hours: 8:00AM-5:00PM EDT
>>> Email: [email protected]
>>> Office: +1 919-476-2081
>>> Mobile: +1-919-225-0448
>>> Cisco U.S. Contact Numbers: +1-800-553-2447 or +1-408-526-7209
>>>
>>> *From: *cisco-voip <[email protected]> on behalf of Anthony Holloway <[email protected]>
>>> *Date: *Tuesday, September 3, 2019 at 10:03 PM
>>> *To: *cisco-voip list <[email protected]>
>>> *Subject: *[cisco-voip] CUCM 11.5(1)SU6, Port 6972 and EC Certs
>>>
>>> So, I just ran into something interesting where someone else took care
>>> of the certs for a CUCM I now have access to, and while the main CCMAdmin
>>> pages load fine in my browser with a full chain of trust, the 6972 page(s)
>>> are being delivered as EC certs, which were not signed, and thus, I get a
>>> warning in my browser.
>>>
>>> Now, I have other CUCM deployments under my belt where the Tomcat RSA
>>> certs are signed and EC not, because the default setting for CUCM is to not
>>> use EC certs until you tell it to. These deployments still present the RSA
>>> cert to me for 6972.
>>>
>>> The only difference is the SU6 part.
>>>
>>> I couldn't find anything in the release notes nor in the bug search, and
>>> so I'm wondering if any of you know what might be happening.
>>>
>>> I tried toggling the HTTP Ciphers from RSA only to All and back again,
>>> but that didn't work.
>>>
>>> I tried re-uploading the RSA cert chain, starting from root, and then
>>> back through the 2 intermediates (yes, three layers deep, it's a public CA
>>> chain).
>>>
>>> I've restarted Tomcat, I've deactivated/reactivated TFTP, I've rebooted
>>> the cluster, and I'm just at a loss. It's not that big of a deal, it just
>>> bothers me that I don't know why it's doing this.
>>> _______________________________________________
>>> cisco-voip mailing list
>>> [email protected]
>>> https://puck.nether.net/mailman/listinfo/cisco-voip
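An added example, not part of the thread or of Cisco's tooling: one way to check from a workstation which key type (RSA or EC) a node actually presents on the TFTP HTTPS ports named above, without relying on a browser warning. The host is whatever CUCM node you administer, passed on the command line; the function and constant names are made up for this sketch.

```python
import socket
import ssl

# Ports from the thread: 6971 = HTTPS with the Tomcat cert, 6972 = HTTPS with the Callmanager-EC cert.
TFTP_TLS_PORTS = (6971, 6972)

# subjectPublicKeyInfo algorithm OIDs (DER content bytes)
KEY_TYPES = {
    bytes.fromhex("2a8648ce3d0201"): "EC",       # id-ecPublicKey 1.2.840.10045.2.1
    bytes.fromhex("2a864886f70d010101"): "RSA",  # rsaEncryption 1.2.840.113549.1.1.1
}

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                            # long form: low bits give the length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, content_start, content_end) for each element in buf[start:end]."""
    while start < end:
        tag, cs, ce = _tlv(buf, start)
        yield tag, cs, ce
        start = ce

def leaf_key_type(der):
    """Return 'EC', 'RSA' or 'other' for the public key of a DER-encoded X.509 certificate."""
    _, cs, ce = _tlv(der, 0)                                  # Certificate
    _, ts, te = next(_children(der, cs, ce))                  # tbsCertificate
    fields = [f for f in _children(der, ts, te) if f[0] != 0xA0]  # drop optional [0] version
    _, ss, se = fields[5]      # follows serial, signature, issuer, validity, subject
    _, a_s, a_e = next(_children(der, ss, se))                # AlgorithmIdentifier
    _, o_s, o_e = next(_children(der, a_s, a_e))              # algorithm OID
    return KEY_TYPES.get(bytes(der[o_s:o_e]), "other")

def probe(host, port, timeout=5.0):
    """Handshake without chain validation and return (key_type, negotiated_cipher)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE        # inspect the cert even when it is unsigned/untrusted
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return leaf_key_type(tls.getpeercert(binary_form=True)), tls.cipher()[0]

if __name__ == "__main__":
    import sys
    for port in TFTP_TLS_PORTS:
        print(port, *probe(sys.argv[1], port))   # host given on the command line
```

The key type is read from the certificate's subjectPublicKeyInfo rather than from its signature algorithm, so an EC certificate signed by an RSA CA is still reported as EC.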
