• TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
• TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

Recommended Ciphers

By default, Unified Communications Manager and IM and Presence Service already use a set of ciphers (see the TLS and SSH Ciphers section below) that supports secure integration with most other products, including third-party products. Therefore, no changes are required. If cipher suite mismatches are causing TLS handshake failures, Unified Communications Manager Cipher Management can be used to add ciphers to the list of supported ciphers. Cipher Management can also be used if customers want to be more restrictive and prevent certain cipher suites from being negotiated during the TLS handshake.

Note: After configuring the ciphers, restart the affected services or reboot the server for the changes to take effect.

Warning: Configuring hmac-sha2-512 in the SSH MAC interface affects the DRS and CDR functionality. Configuring the ciphers aes128-gcm@openssh.com or aes256-gcm@openssh.com in the "SSH Cipher's" field, or configuring only the ecdh-sha2-nistp256 algorithm in "SSH KEX", will break the DRS and CDR functionalities. The CDR, AXL, DRS, and Bulk Certificate Exchange interfaces use the rsa-sha2-256 hostkey algorithm, even when rsa-sha2-512 is configured.

From Release 15SU3 onwards, you can configure the following supported hostkey algorithms on the Cipher Management page:
• ssh-rsa
• rsa-sha2-256
• rsa-sha2-512
In FIPS mode, you cannot configure ssh-rsa.

Note: For the SSH interface, during fresh installations of Release 15SU3 and later, the following crypto primitives are removed by default. You can add or remove them through the Cipher Management page.
• HostKeyAlgorithms: ssh-rsa
• KexAlgorithms: diffie-hellman-group14-sha1
• MACs: hmac-sha1
We recommend that you do not use the SHA1 algorithm.

Note: We support the following cipher strings for the TLS and SSH interface configuration:

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs
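A pre-change check for a proposed SSH Cipher Management configuration, encoding the interface constraints listed above (DRS/CDR breakage, the FIPS restriction on ssh-rsa, the rsa-sha2-256 fallback, and the SHA-1 recommendation). This is an added example, not Cisco tooling; the dictionary keys ssh_ciphers, ssh_mac, ssh_kex and hostkey are assumed names for the four Cipher Management fields, and the sample configurations are constructed.

```python
# Added example: lint a proposed Cipher Management SSH configuration before
# applying it. Field names (ssh_ciphers, ssh_mac, ssh_kex, hostkey) are an
# assumption for this example; values are comma-separated algorithm names.

GCM_CIPHERS = {"aes128-gcm@openssh.com", "aes256-gcm@openssh.com"}
# Primitives that rely on SHA-1; the guide recommends against SHA-1.
SHA1_ALGS = {"ssh-rsa", "diffie-hellman-group14-sha1", "hmac-sha1"}


def split_list(value):
    """Split a comma-separated Cipher Management field into algorithm names."""
    return [item.strip() for item in value.split(",") if item.strip()]


def check_ssh_cipher_config(config, fips=False):
    """Return (severity, message) findings for a proposed SSH configuration.

    'error' marks combinations the guide says break DRS/CDR or cannot be
    configured, 'warn' marks discouraged SHA-1 use, 'info' notes behaviour
    that differs from what the configuration suggests.
    """
    findings = []
    ciphers = split_list(config.get("ssh_ciphers", ""))
    macs = split_list(config.get("ssh_mac", ""))
    kex = split_list(config.get("ssh_kex", ""))
    hostkeys = split_list(config.get("hostkey", ""))

    if "hmac-sha2-512" in macs:
        findings.append(("error", "hmac-sha2-512 in SSH MAC affects DRS and CDR"))
    if GCM_CIPHERS & set(ciphers):
        findings.append(("error", "aes*-gcm@openssh.com in SSH Ciphers breaks DRS and CDR"))
    if kex == ["ecdh-sha2-nistp256"]:
        findings.append(("error", "only ecdh-sha2-nistp256 in SSH KEX breaks DRS and CDR"))
    if fips and "ssh-rsa" in hostkeys:
        findings.append(("error", "ssh-rsa hostkey cannot be configured in FIPS mode"))
    if "rsa-sha2-512" in hostkeys:
        findings.append(("info", "CDR, AXL, DRS and Bulk Certificate Exchange still use rsa-sha2-256"))
    for alg in sorted(SHA1_ALGS & set(ciphers + macs + kex + hostkeys)):
        findings.append(("warn", f"{alg} relies on SHA-1, which the guide recommends against"))
    return findings


if __name__ == "__main__":
    # Constructed sample that trips several of the constraints above.
    proposed = {"ssh_ciphers": "aes256-ctr,aes128-gcm@openssh.com",
                "ssh_mac": "hmac-sha2-256,hmac-sha1",
                "ssh_kex": "ecdh-sha2-nistp256",
                "hostkey": "rsa-sha2-512,ssh-rsa"}
    for severity, message in check_ssh_cipher_config(proposed, fips=True):
        print(f"[{severity}] {message}")
```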