McDewey

Multi-vendor documentation library · semantic search · MCP endpoint at /mcp

Page 226

↗ View in doc context
page
226
source
cucm/v15/security-guide/security-guide.md
chunk_id
cucm::v15::security-guide::security-guide::226

Differences Between TLS 1.2 and TLS 1.3 • Signature Algorithm Usage—TLS 1.3 limits the use of RSA signatures and promotes modern signature algorithms like ECDSA and DSA. However, TLS 1.2 relies more on RSA signatures. • Cipher Suite Reduction—TLS 1.3 reduces the number of supported cipher suites. It focuses on authenticated encryption algorithms like AES-GCM and ChaCha20-Poly1305. In comparison, TLS 1.2 supports a broader range of cipher suites, including some less secure options. • Security Enhancements—TLS 1.3 introduces features such as PFS by default and encrypted handshake messages. These features are absent in TLS 1.2. They enhance overall security and privacy. • Certificate Selection—In TLS 1.2, the server selects the certificate based on the key algorithm in the cipher suite negotiated during the handshake. However, in TLS 1.3, the server determines the certificate based on the supported signature algorithms advertised by the client. It ensures smoother compatibility and a more secure communication environment. Supported Signature Algorithms The following signature algorithms are supported in the TLS 1.3 protocol for Unified Communications Manager and IM and Presence Service: • ecdsa_secp256r1_sha256 • ecdsa_secp384r1_sha384 • ecdsa_secp521r1_sha512 • rsa_pss_rsae_sha256 • rsa_pss_rsae_sha384 • rsa_pss_rsae_sha512 • rsa_pkcs1_sha256 • rsa_pkcs1_sha384 • rsa_pkcs1_sha512 Install and Upgrade Considerations For Fresh Install, the minimum supported TLS version is 1.2. Here, the TLS versions 1.0 and 1.1 are disabled by default. Run the set tls min-version command in case you want to configure the minimum TLS version as 1.0 or 1.1. For upgrade and/or migration scenarios, the supported TLS versions are TLS 1.0, 1.1, 1.2, and 1.3. The minimum TLS version is retained from the previous version after upgrade or migration scenarios. Migration Considerations TLS 1.3 uses Signature algorithms to choose between RSA or ECDSA signed certificates and evaluates the certificates offered from the server side before it decides on the certificate type. TLS 1.3 does not have a separate Cipher Management settings page. It relies on the existing Enterprise parameters, HTTP Ciphers, and the TLS Cipher settings. Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 208 Basic System Security Install and Upgrade Considerations