Cipher Limitations

Although the Cipher Management configuration page allows you to configure any number of ciphers, each application has a list of ciphers it supports on its interfaces. For example, the All TLS interface may show ECDHE, DHE, or ECDSA-based ciphers, but an application such as Unified Communications Manager may not support these ciphers because EC curves or DHE algorithms are not enabled for this application's interfaces. For more information, see the "Application Ciphers Support" section for a list of ciphers supported by individual application interfaces.

You must configure at least one common cipher between the All TLS and HTTPS TLS interfaces to ensure interoperability between all the nodes in the cluster.

Note: If any of the nodes have been disconnected from a cluster and you want to configure the ciphers, ensure that you update the ciphers on both the publisher node and the disconnected node. Alternatively, you can configure the ciphers again on the publisher node after the cluster is reestablished to synchronize all nodes with the same cipher configuration.

Note: Validation in GUI

The ciphers on the Cipher Management page are validated according to the OpenSSL guidelines. For example, if the configured cipher is ALL:BAD:!MD5, the cipher string is considered valid even though "BAD" is not a recognized cipher suite. OpenSSL considers this a valid string. However, if AES128_SHA is configured instead of AES128-SHA (using an underscore instead of a hyphen), OpenSSL identifies this as an invalid cipher suite.

Authenticated Mode (NULL Ciphers)

The information in this page is applicable only for TLS 1.2 and lower protocols.

Important: If NULL ciphers are in use by an application interface, you can revoke the support for NULL ciphers by configuring any cipher list in the All TLS or SIP TLS fields on the Cipher Management page.
Examples of application interfaces that use NULL ciphers are:

• All TLS Interface: Unified Communications Manager SIP Proxy in IM and Presence through the TLS Context Configuration page.
• SIP TLS Interface: Unified Communications Manager through SIP or SCCP, when any Device Security Profile or SIP Trunk Profile is set to Authenticated mode.

Don't configure ciphers for either of these two interfaces if NULL ciphers must be used.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs: Basic System Security
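The behavior described under "Validation in GUI" means a mistyped element can be dropped silently while the rest of the string is accepted. The following is an added example, not Cisco code: a pre-check that uses Python's ssl module (which wraps the locally installed OpenSSL library) to report whether a cipher string is accepted and which elements match no cipher suite. The function names are hypothetical, and results reflect the local OpenSSL build, not the Unified Communications Manager validator.

```python
import re
import ssl


def _selects_any(cipher_string):
    """True if the local OpenSSL selects at least one suite for the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
        return True
    except ssl.SSLError:
        return False


def check_cipher_string(cipher_string):
    """Return (accepted, ignored) for an OpenSSL cipher string.

    accepted: True if OpenSSL accepts the string as a whole.
    ignored:  elements that match no cipher suite when tested alone, so
              OpenSSL drops them silently beside valid elements. A name
              that is real but not compiled into the local build is
              reported here as well.
    """
    accepted = _selects_any(cipher_string)
    ignored = []
    # OpenSSL separates elements with ':', ',', ';' or a space.
    for element in filter(None, re.split(r"[:,; ]+", cipher_string)):
        name = element.lstrip("!+-")  # strip the exclude/reorder operators
        # '@' elements (@STRENGTH, @SECLEVEL=n) are commands, not suites.
        if name and not name.startswith("@") and not _selects_any(name):
            ignored.append(element)
    return accepted, ignored


if __name__ == "__main__":
    # Sample strings taken from the text above, plus the corrected spelling.
    for sample in ("ALL:BAD:!MD5", "AES128_SHA", "AES128-SHA"):
        accepted, ignored = check_cipher_string(sample)
        print(f"{sample!r}: accepted={accepted} ignored={ignored}")
```

Running the check before saving a cipher list catches typos that the string-level validation passes, such as "BAD" in the first sample.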