page: 132
source: cucm/v15/security-guide/security-guide.md
chunk_id: cucm::v15::security-guide::security-guide::125

If you configure ciphers in the SIP interface or the All interface, authenticated mode is no longer supported. If you assign ciphers in both the SIP TLS and All TLS fields, the ciphers configured for SIP TLS override the All TLS ciphers.

• SSH Ciphers—The ciphers assigned in this field apply to SSH connections on Unified Communications Manager and IM and Presence Service.
• SSH Key Exchange—The key exchange algorithms assigned in this field apply to the SSH interface on Unified Communications Manager and IM and Presence Service.

Curve Negotiation

The following points apply when negotiating curves:

• ECDSA ciphers are negotiated with different EC curves based on the key size of the ECDSA certificate.
• RSA ciphers are negotiated with all EC curves, irrespective of the key size of the certificate.
• The key size of an ECDSA certificate must be the same as the curve size for the TLS negotiation to happen.

From Release 15SU2 onwards, Unified Communications Manager supports the following curves:

• FIPS mode: P-521, P-384, and P-256
• Non-FIPS mode: X25519, P-521, P-384, and P-256

Note
Example: A 384-bit key certificate and ECDSA ciphers are negotiated when the client offers the P-384 EC curve. Curve negotiation is based on the client preference for both RSA and ECDSA ciphers. When the certificate size is 384 bits and the client offers the P-521, P-384, and P-256 EC curves, TLS negotiation happens with the P-521 curve, because P-521 is the first curve offered by the client and the P-384 curve is also available in the list. When the certificate size is 384 bits and the client offers only the P-521 and P-256 EC curves, TLS negotiation does not happen because the P-384 curve is not offered by the client.
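As an added illustration (not Cisco code or output), the following Python models the curve-negotiation rules stated above so the two Note cases can be checked before a deployment. The server curve lists and the key-size-to-curve mapping come from the text; the assumption that the server takes the first client-offered curve it supports is inferred from the P-521 example and is labelled as such in the code.

```python
"""Model of the CUCM curve-negotiation rules described in the section above.

Added illustration, not Cisco code. Assumptions (not stated verbatim on the
page): the client's offered curve list is in its preference order, and the
server selects the first offered curve it supports.
"""

# Curves supported from Release 15SU2 onwards, per mode (from the text).
SERVER_CURVES = {
    "fips": ["P-521", "P-384", "P-256"],
    "non-fips": ["X25519", "P-521", "P-384", "P-256"],
}

# An ECDSA certificate's key size must match its curve size (from the text).
ECDSA_KEY_SIZE_TO_CURVE = {256: "P-256", 384: "P-384", 521: "P-521"}


def negotiate_curve(cert_type, cert_key_size, client_curves, fips_mode=False):
    """Return the EC curve that would be negotiated, or None if negotiation fails.

    cert_type:     "RSA" or "ECDSA" (type of the server certificate)
    cert_key_size: certificate key size in bits (e.g. 2048 for RSA, 384 for ECDSA)
    client_curves: curves offered by the client, in client preference order
    fips_mode:     True to restrict the server to the FIPS curve list
    """
    supported = SERVER_CURVES["fips" if fips_mode else "non-fips"]

    if cert_type == "ECDSA":
        # ECDSA: the curve matching the certificate key size must be offered
        # by the client, otherwise the handshake does not happen.
        cert_curve = ECDSA_KEY_SIZE_TO_CURVE.get(cert_key_size)
        if cert_curve is None or cert_curve not in client_curves:
            return None
    elif cert_type != "RSA":
        raise ValueError("cert_type must be 'RSA' or 'ECDSA'")

    # RSA works with any curve; for both types the choice follows client
    # preference (assumption: first client-offered curve the server supports).
    for curve in client_curves:
        if curve in supported:
            return curve
    return None


if __name__ == "__main__":
    # The two cases from the Note: 384-bit ECDSA certificate.
    print(negotiate_curve("ECDSA", 384, ["P-521", "P-384", "P-256"]))  # P-521
    print(negotiate_curve("ECDSA", 384, ["P-521", "P-256"]))           # None
```

In FIPS mode a client that offers only X25519 fails negotiation even with an RSA certificate, since X25519 is not in the FIPS curve list.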
The following are the supported ciphers for EC curves:

• TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
• TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
• TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
• TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs — 114 — Basic System Security: Cipher Management