McDewey


Page 227

Source: cucm/v15/security-guide/security-guide.md

SIP and other non-HTTP interfaces do not have an exclusive RSA-only mode in the TLS Cipher Enterprise Parameters Configuration settings. Hence, these interfaces continue to offer both signature algorithms. You can control the preference order of RSA. See Configure the TLS 1.3 Certificate Preference Order Parameter, on page 211 for more details.

All HTTP inbound interfaces use the HTTP Ciphers setting in the Enterprise Parameters Configuration page to load either the RSA certificate or both the RSA and ECDSA certificates in their context while opening the port configured for inbound traffic. HTTP Ciphers is set to 'RSA only' by default. From Release 15 SU2 onwards, by default, only the RSA certificate is loaded for HTTPS traffic, thereby limiting TLS 1.3 and/or 1.2 to RSA-signed certificates only.

Prior to Release 15 SU2, while using TLS for inbound HTTPS traffic, the Cipher Management settings page took precedence over the HTTP Ciphers enterprise parameter. Hence, to create ECDSA-only HTTPS traffic, administrators had to configure the Cipher Management page with only the ECDSA ciphers and keep the HTTP Ciphers setting at its default configuration. After the upgrade, only the RSA certificate is loaded in the HTTPS inbound context while the connection still offers only the EC ciphers, leading to a mismatch and connection failures.

• Direct Standard Upgrades—To overcome this failure during a Direct Standard Upgrade, the upgrade automatically switches the HTTP Ciphers enterprise parameter to All Supported EC and RSA Ciphers if a mismatch is detected. This loads both the RSA and ECDSA certificates.

• Fresh install with Data Import—For the Fresh install with Data Import migration method, you have to switch the HTTP Ciphers enterprise parameter manually prior to upgrading to Release 15 SU2 and above.

TLS 1.3 Interactions

TLS 1.3 Certificate Preference

By default, the TLS 1.3 protocol prefers ECDSA over RSA. This preference is defined by the client in the signature algorithms that it advertises. For inbound connections, the SIP, CTI Manager, SIP Proxy, and XMPP TLS 1.3 interfaces always advertise both the ECDSA and RSA certificates, and the selection is based on the client's preference order. Most deployments use RSA-signed certificates. A new enterprise parameter, "TLS 1.2 Ciphers Preference Order", is added to maintain backward compatibility for deployments using RSA-signed certificates. For more information, see Configure the TLS 1.3 Certificate Preference Order Parameter, on page 211.

TLS 1.3 Configuration

TLS 1.3 is supported by default on all the TLS interfaces of Unified Communications Manager and IM and Presence Service. For more information on the ports affected by TLS 1.3, see Ports Affected by Transport Layer Security Version 1.3, on page 212. If Unified Communications Manager or IM and Presence Service makes a secure connection to a service or application that does not support TLS 1.3, it automatically falls back to a lower version, based on the minimum TLS version configured, to support interoperability.

Security Guide for Cisco Unified Communications Manager, Release 15 and SUs 209 Basic System Security TLS 1.3 Interactions
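The certificate-loading, upgrade-mismatch and TLS 1.3 preference rules described above, written out as a small Python model so an administrator can check a Cipher Management / HTTP Ciphers combination before upgrading. This is an added example, not Cisco code; the parameter values are the ones named on this page, while the cipher-suite names, the signature-algorithm names and the "certificate type per suite" mapping are assumptions chosen for illustration.

```python
# Added example (not Cisco code): a model of the HTTPS certificate-loading
# rules described on this page. Cipher-suite names, signature-algorithm
# names and the suite-to-certificate mapping are illustrative assumptions.

HTTP_CIPHERS_RSA_ONLY = "RSA only"
HTTP_CIPHERS_ALL = "All Supported EC and RSA Ciphers"


def loaded_certificates(http_ciphers):
    """Release 15 SU2 rule: the HTTP Ciphers enterprise parameter decides
    which certificates the HTTPS inbound context loads."""
    if http_ciphers == HTTP_CIPHERS_RSA_ONLY:
        return {"RSA"}
    return {"RSA", "ECDSA"}


def certificate_types_for(cipher_management):
    """In TLS 1.2 the authentication part of a suite fixes the certificate
    type: ECDHE-ECDSA-* suites need an ECDSA certificate, the others RSA."""
    return {"ECDSA" if c.startswith("ECDHE-ECDSA-") else "RSA"
            for c in cipher_management}


def https_mismatch(http_ciphers, cipher_management):
    """True when no suite on the Cipher Management page can be served with a
    certificate the HTTPS context actually loaded (the post-upgrade failure:
    ECDSA-only suites configured, but only the RSA certificate loaded)."""
    return not (certificate_types_for(cipher_management)
                & loaded_certificates(http_ciphers))


def direct_standard_upgrade(http_ciphers, cipher_management):
    """Direct Standard Upgrade: when a mismatch is detected the parameter is
    switched to 'All Supported EC and RSA Ciphers' so both certificates load.
    A Fresh install with Data Import does NOT do this; the admin must."""
    if https_mismatch(http_ciphers, cipher_management):
        return HTTP_CIPHERS_ALL
    return http_ciphers


def tls13_certificate(http_ciphers, client_sigalgs):
    """TLS 1.3: the client's signature_algorithms preference order selects
    among the loaded certificates; None means no usable certificate."""
    loaded = loaded_certificates(http_ciphers)
    for alg in client_sigalgs:
        cert_type = "ECDSA" if alg.startswith("ecdsa_") else "RSA"
        if cert_type in loaded:
            return cert_type
    return None
```

Run `https_mismatch` against the planned Cipher Management list before a Fresh install with Data Import; a `True` result means the HTTP Ciphers parameter must be switched by hand first.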