Cisco TLS 1.2 for On-Premises Collaboration Deployments

Details
- Product Name: Unified Communications Manager
- Feature: Transport Layer Security (TLS) Setup
- Supported TLS Versions: 1.0, 1.1, 1.2
- Supported Devices: Conference bridges, Media Termination Point (MTP), Xcoder, Prime Collaboration Assurance, Prime Collaboration Provisioning, Cisco Unity Connection, Cisco Meeting Server, Cisco IP Phones, Cisco Room Devices, Cloud services like Fusion Onboarding Service (FOS), Common Identity Service, Smart License Manager (SLM), Push REST service, Cisco Jabber and Webex App clients, third-party applications
Introduction
- Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols that provide communications security over a network. However, SSL, TLS 1.0, and sometimes TLS 1.1 may not provide the level of security an organization requires, and many organizations therefore require TLS 1.2.
- This white paper provides information on TLS 1.2 support and on the ability to disable lower versions of TLS in on-premises Cisco Collaboration deployments. It also discusses the implications of disabling TLS 1.0 and 1.1. It does not discuss cipher suite support with TLS 1.2.
This document also complements the:
- TLS 1.2 Compatibility Matrix for Cisco Collaboration Products: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/unified/communications/system/Compatibility/TLS/TLS1-2-Compatibility-Matrix.html
- TLS 1.2 Configuration Overview Guide: https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/TLS/TLS-1-2-Configuration-Overview-Guide.html
Terminology
In a TLS connection, the device that initiates the TLS request is known as the TLS client, and its interface is known as the outbound interface or client interface. On the other side of the connection, the device that receives the TLS request is known as the TLS server, and its interface is known as the inbound interface or server interface. Figure 1 provides an illustration of this terminology.
Figure 1: TLS Client and TLS Server

In a collaboration solution, endpoints or phones are considered clients. Applications such as Cisco Unified Communications Manager (Unified CM) are considered servers based on their main function within the Cisco Collaboration deployment. However, from a TLS connection standpoint, the definition of a client and server is different. A device can have both client interfaces and server interfaces. For example, an endpoint has an interface for call signaling (SIP or SCCP) that could be encrypted and acts as a TLS client to Unified CM. An endpoint also has a web interface for the endpoint internal web server that could be encrypted (HTTPS), causing the endpoint to act as a TLS server. Figure 2 provides an example of the TLS server interface and TLS client interfaces on an endpoint. Similarly, Unified CM has TLS client interfaces such as the secure LDAP interface and has TLS server interfaces such as the web interface. Unified CM’s SIP interface also acts as both a TLS client and a TLS server interface. Figure 3 shows some of the Unified CM interfaces.
Figure 2: Example of TLS Server and TLS Client Interfaces with an Endpoint

Figure 3: Example of TLS Server and TLS Client Interfaces with Unified CM

TLS Version Negotiation Defaults to TLS 1.2
- If a TLS client and TLS server both support TLS 1.2, then by default TLS version 1.2 is negotiated, even if they also support TLS 1.0 and TLS 1.1.
- A TLS handshake initiates a TLS connection. At the beginning of the handshake, the TLS client sends a ClientHello that carries the highest TLS version it supports. If the client supports TLS 1.0, 1.1, and 1.2, by default it sends the ClientHello with the version set to 1.2. If the TLS server also supports TLS 1.2, it replies with a ServerHello with the version set to 1.2. Version negotiation is complete at this point, even if the client or server also supports TLS 1.0/1.1.
- However, if the first TLS 1.2 handshake fails, some TLS clients retry and offer TLS 1.1 or 1.0 in a subsequent ClientHello. This fallback is what a downgrade attack relies on (see Disabling TLS 1.0/1.1 below). A normal TLS negotiation is illustrated in Figure 3.
Figure 3: TLS 1.2 Negotiated When TLS Client and Server Support Both TLS 1.2 and Prior TLS Versions

Most of the components in Cisco Collaboration Systems Release 12.0 support TLS 1.2. For a list of Cisco Collaboration products that support TLS 1.2, refer to the TLS 1.2 Compatibility Matrix for Cisco Collaboration Products at https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/uc_system/unified/communications/system/Compatibility/TLS/TLS1-2-Compatibility-Matrix.html.
- Note: SSL has been removed from most Cisco Collaboration products and from all products listed in the TLS 1.2 Compatibility Matrix for Cisco Collaboration Products.
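The negotiation and fallback behaviour described above, as an added example (this is not code from the white paper or from any Cisco product): a Python simulation that builds and parses only the version fields of ClientHello/ServerHello records and a protocol_version alert. It models a server with a configured minimum version (the "disable TLS 1.0/1.1" setting), a legacy client that retries with a lower version after a failed handshake, and an attacker who breaks the first handshake to trigger that retry. The function names and the simplified record layout are the example's own.

```python
"""Simulated TLS 1.0-1.2 version negotiation (added example, not Cisco code).

Only the version fields of ClientHello/ServerHello and a protocol_version
alert are modelled; no keys, ciphers or certificates are exchanged.
"""
import struct

# Wire encodings (major, minor) of the versions the white paper discusses.
TLS_VERSIONS = {"TLS1.0": (3, 1), "TLS1.1": (3, 2), "TLS1.2": (3, 3)}
VERSION_NAMES = {wire: name for name, wire in TLS_VERSIONS.items()}

ALERT, HANDSHAKE = 21, 22              # record-layer content types
CLIENT_HELLO, SERVER_HELLO = 1, 2      # handshake message types
ALERT_FATAL, PROTOCOL_VERSION = 2, 70  # alert level and description


def rank(name):
    """Order version names by their wire encoding, so min() picks the lower."""
    return TLS_VERSIONS[name]


def build_hello(msg_type, version):
    """Return a handshake record whose hello body carries only the version
    field (the first two bytes of a real ClientHello/ServerHello body)."""
    body = bytes(TLS_VERSIONS[version])
    handshake = bytes([msg_type]) + struct.pack(">I", len(body))[1:] + body
    # Record header: content type, legacy record version 3.1, length.
    return bytes([HANDSHAKE, 3, 1]) + struct.pack(">H", len(handshake)) + handshake


def build_alert():
    """Fatal protocol_version alert: the server refuses the offered version."""
    return bytes([ALERT, 3, 1]) + struct.pack(">H", 2) + bytes([ALERT_FATAL, PROTOCOL_VERSION])


def parse_record(record):
    """Return ('hello', version name) or ('alert', description code)."""
    ctype, length = record[0], struct.unpack(">H", record[3:5])[0]
    payload = record[5:5 + length]
    if ctype == ALERT:
        return "alert", payload[1]
    if ctype == HANDSHAKE and payload[0] in (CLIENT_HELLO, SERVER_HELLO):
        return "hello", VERSION_NAMES[(payload[4], payload[5])]
    raise ValueError("unexpected record")


def server_respond(client_hello, server_min, server_max):
    """TLS <= 1.2 server rule: take the lower of the client's offered version
    and the server's own maximum, then refuse it if the configured minimum
    (the 'disable TLS 1.0/1.1' setting) is higher than that."""
    _, offered = parse_record(client_hello)
    chosen = min(offered, server_max, key=rank)
    if rank(chosen) < rank(server_min):
        return build_alert()
    return build_hello(SERVER_HELLO, chosen)


def client_connect(client_max, server_min, server_max,
                   fallback=False, mitm_breaks_first=False):
    """Run the handshake(s) and return the negotiated version name, or None.

    fallback=True models a legacy client that retries with the next lower
    version when a handshake fails; mitm_breaks_first=True models an attacker
    who makes the first (highest-version) handshake fail to trigger that retry.
    """
    offers = sorted((v for v in TLS_VERSIONS if rank(v) <= rank(client_max)),
                    key=rank, reverse=True)
    if not fallback:
        offers = offers[:1]            # a non-fallback client tries only once
    for attempt, offered in enumerate(offers):
        if mitm_breaks_first and attempt == 0:
            continue                   # the first handshake never completes
        reply = server_respond(build_hello(CLIENT_HELLO, offered), server_min, server_max)
        kind, value = parse_record(reply)
        if kind == "hello":
            return value
    return None


if __name__ == "__main__":
    # Both sides support 1.0-1.2: 1.2 is negotiated on the first exchange.
    print("default         :", client_connect("TLS1.2", "TLS1.0", "TLS1.2"))
    # TLS 1.0-only client (an older phone) against a server with minimum 1.2.
    print("old client      :", client_connect("TLS1.0", "TLS1.2", "TLS1.2"))
    # Attacker breaks the 1.2 handshake; a fallback client retries with 1.1.
    print("downgrade       :", client_connect("TLS1.2", "TLS1.0", "TLS1.2", True, True))
    # Same attack once TLS 1.0/1.1 are disabled on the server: it fails closed.
    print("downgrade, min12:", client_connect("TLS1.2", "TLS1.2", "TLS1.2", True, True))
```

The last two scenarios are the point of the next section: with TLS 1.0/1.1 still enabled, breaking the first handshake is enough to land a fallback-capable client on TLS 1.1; with the server minimum set to 1.2, the same attack only produces protocol_version alerts and the connection fails rather than downgrading.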
Disabling TLS 1.0/1.1
- TLS 1.2 should always be negotiated between devices that both support it, even if they also support TLS 1.0 and TLS 1.1. However, a man-in-the-middle (MitM) attacker can tamper with the TLS handshake in an attempt to make the two sides negotiate a lower version of TLS, or even SSL. To prevent this, disable TLS 1.0 (and TLS 1.1), which restricts all TLS communication to TLS 1.2 (or to TLS 1.1 and 1.2). The TLS 1.2 Compatibility Matrix for Cisco Collaboration Products indicates the minimum release of each Cisco Collaboration product that can disable TLS 1.0 and 1.1.
- In principle, TLS 1.0/1.1 can be disabled on either the client interfaces or the server interfaces of a TLS connection; it does not need to be done on both. With Cisco Collaboration products, it is done on the server interface: when an administrator disables TLS 1.0/1.1, the TLS server interfaces no longer accept those versions. In some cases the setting also applies to TLS client interfaces, for example the LDAP client interface and the SIP client interface in Unified CM.
- Figure 4 shows the typical implementation, where the configuration to disable TLS 1.0 and 1.1 applies to the server interface and the TLS connection is therefore restricted to version 1.2. This is what the TLS 1.2 Compatibility Matrix for Cisco Collaboration Products tracks: it considers that a product can disable TLS 1.0/1.1 if all of that product's TLS server interfaces can do so. The client interfaces may still allow TLS 1.0 and 1.1; the matrix does not track the ability to disable TLS 1.0/1.1 on client interfaces.
Figure 4: Configuration to Disable TLS 1.0/1.1 Applies to Server Interface

Disabling TLS 1.0/1.1 can cause compatibility issues if some components do not support TLS 1.2. Before you disable TLS 1.0/1.1, verify that every product in your deployment supports TLS 1.2 and consider the limitations described in the following section.
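A check for the verification step above, added here as an example and not part of the white paper or of any Cisco tool: a Python probe built on the standard-library ssl module that pins exactly one TLS version per connection attempt. Run it against each peer's TLS server interface before the change to confirm TLS 1.2 is accepted, and again afterwards to confirm TLS 1.0/1.1 are refused. The host names in the inventory are hypothetical, and the Unified CM port numbers are assumed from common deployments (check them against your release's port reference).

```python
"""Probe TLS server interfaces with one pinned TLS version per attempt
(added example, not Cisco code). Run it before disabling TLS 1.0/1.1 to
confirm every peer answers TLS 1.2, and afterwards to confirm the old
versions are refused. The peer certificate is deliberately not verified:
only the negotiated protocol version matters here.
"""
import socket
import ssl

PINNED = {"1.0": ssl.TLSVersion.TLSv1,
          "1.1": ssl.TLSVersion.TLSv1_1,
          "1.2": ssl.TLSVersion.TLSv1_2}
# Names that SSLSocket.version() reports for each pinned version.
REPORTED = {"1.0": "TLSv1", "1.1": "TLSv1.1", "1.2": "TLSv1.2"}


def make_context(version):
    """Client context that offers exactly one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = PINNED[version]
    ctx.maximum_version = PINNED[version]
    if version != "1.2":
        # OpenSSL at security level >= 1 will not offer TLS 1.0/1.1 at all;
        # level 0 lets the probe really offer them (raises where unsupported).
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe(host, port, version, timeout=3.0):
    """Return 'accepted', 'refused', 'unreachable' or 'probe-unsupported'."""
    try:
        ctx = make_context(version)
    except (ValueError, ssl.SSLError):
        return "probe-unsupported"   # local TLS library cannot offer this version
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "accepted" if tls.version() == REPORTED[version] else "refused"
    except ssl.SSLError:
        return "refused"             # handshake failed, e.g. protocol_version alert
    except OSError:
        return "unreachable"         # connection refused, reset or timed out


def sweep(targets, versions=("1.0", "1.1", "1.2"), timeout=3.0):
    """Probe every (host, port) with every version; returns a nested dict."""
    return {target: {v: probe(*target, v, timeout=timeout) for v in versions}
            for target in targets}


def peers_without_tls12(results):
    """Peers whose server interface did not complete a TLS 1.2 handshake.
    They would lose their TLS connection once TLS 1.0/1.1 are disabled, so
    an empty list is the precondition for making the change."""
    return sorted(peer for peer, by_version in results.items()
                  if by_version.get("1.2") != "accepted")


def peers_still_accepting_old(results):
    """After the change: peers that still complete a TLS 1.0 or 1.1 handshake."""
    return sorted(peer for peer, by_version in results.items()
                  if any(by_version.get(v) == "accepted" for v in ("1.0", "1.1")))


if __name__ == "__main__":
    # Hypothetical inventory of server interfaces named in this paper, on
    # assumed Unified CM default ports (confirm against your release).
    targets = [("cucm-pub.example.com", 8443),   # HTTPS web interface
               ("cucm-pub.example.com", 5061),   # SIP over TLS
               ("cucm-pub.example.com", 2444),   # CTL provider
               ("cube.example.com", 5061)]       # SIP trunk peer
    results = sweep(targets)
    for target, by_version in results.items():
        print(target, by_version)
    print("would break on TLS 1.2-only:", peers_without_tls12(results))
    print("still accept TLS 1.0/1.1   :", peers_still_accepting_old(results))
```

Two caveats. A "refused" for TLS 1.0 or 1.1 only means something if the probing host's OpenSSL can still speak those versions; where it cannot, the probe reports probe-unsupported, and a client known to support the old version should be used to confirm. And the probe exercises server interfaces only, which is exactly what the Compatibility Matrix tracks; Unified CM client interfaces such as secure LDAP have to be checked from the directory server's side.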
Limitations When Disabling TLS 1.0/1.1
- When you disable a version (or versions) of TLS on a product, ensure that there is still a common version of TLS that can be negotiated with the other products that are connecting to it. For example, if you disable TLS 1.0 and TLS 1.1 on Unified CM, ensure that all the products connecting to Unified CM through a TLS connection support TLS 1.2. If not, there may be interoperability issues.
- For a list of products supporting TLS 1.2, refer to the TLS 1.2 Compatibility Matrix for Cisco Collaboration Products.
- The following sections describe some of the key limitations of disabling TLS 1.0/1.1.
Limitations When Disabling TLS 1.0/1.1 on Unified CM
When you disable TLS 1.0/1.1 on a Unified CM node, it sets the minimum version of TLS and applies this version to all server interfaces in the Unified CM node, such as the HTTPS web server interface, the SIP server interface, and the Certificate Trust List (CTL) provider server interface. It also applies the version to some client interfaces, such as the SIP client interface and the LDAP client interface. The following limitations apply when you configure Unified CM’s minimum TLS version to TLS 1.1 or 1.2.
Certificate Trust List Client
The main limitation with Unified CM is the Certificate Trust List (CTL) Client. The CTL Client that is used with USB eTokens to enable Unified CM mixed mode does not support TLS 1.2, even with Unified CM 12.0.
- Workaround: Temporarily re-enable TLS 1.0 on Unified CM while enabling mixed mode or updating the CTL file.
- Workaround: Migrate to the Tokenless CTL (CLI-based).
Cisco IP Phone Address Book Synchronizer
Cisco IP Phone Address Book Synchronizer lets users synchronize their Microsoft Windows Address Book with the Cisco Personal Address Book. This client supports only TLS 1.0.
Workaround: There is no workaround.
Interconnectivity with Unified CM clusters running an older release
Releases before Unified CM 10.5(2) do not support TLS 1.2. Therefore, interconnecting with those older clusters may be limited if you restrict the TLS version on your local Unified CM cluster. For example, secure SIP trunks, secure Location Bandwidth Management (LBM), Intercluster Lookup Service (ILS), and the remote cluster discovery service used with Extension Mobility Cross Cluster (EMCC) may not function.
Workaround: Unified CM 10.5(2) introduced TLS 1.2 support on many interfaces, including SIP, but for TLS 1.2 support on all Unified CM interfaces, deploy Unified CM 11.5(1)SU3 or later.
Interconnectivity with older products through SIP trunks
Disabling TLS 1.0/1.1 applies to SIP server interfaces and SIP client interfaces.
वर्कअराउंड: Ensure that the products that your Unified CM nodes connect to through a SIP trunk also support TLS 1.2. For example, if Cisco Unified Border Element (CUBE) is deployed, ensure it is running a release that supports TLS 1.2.
Interoperability with older phones
This limitation is discussed in the following section.
Limitations with Older Phones
- Disabling TLS 1.0/1.1 on Unified CM can also have significant implications for older phones, such as the Cisco Unified IP Phone 8961, the Cisco Unified IP Phone 9900, 7900, 6900, and 3900 Series, and Cisco IP Communicator.
- Those older phones do not support TLS 1.1 or TLS 1.2. Therefore, if Unified CM is configured with a minimum TLS version of 1.1 or 1.2, their TLS connections cannot be established. For SIP signaling and HTTP for IP Phone Services, a workaround is to use non-encrypted connections instead, but this removes the protection that TLS provides.
- Other Unified CM interfaces, such as Trust Verification Service (TVS) and Certificate Authority Proxy Function (CAPF), allow only TLS and have no non-encrypted alternative; the corresponding services are therefore unavailable to the older phones.
- See Figure 5 for an example of those connections when the minimum TLS version on Unified CM is set to 1.1 or 1.2. Some connections may still be possible if they can be non-encrypted; connections that support only TLS will break.
Figure 5: Connections with Older Phones When TLS 1.1 or 1.2 Is Unified CM Minimum Version

Product Usage Instructions
TLS Configuration Task Flow
Step 1: Set Minimum TLS Version
Purpose: By default, Unified Communications Manager supports a minimum TLS version of 1.0. If your security needs require a higher version of TLS, reconfigure the system to use TLS 1.1 or 1.2.
Step 2: Set TLS Ciphers
Configure the TLS cipher options that Unified Communications Manager supports.
Step 3: Configure TLS in a SIP Trunk Security Profile
Assign TLS connections to a SIP Trunk. Trunks that use this profile use TLS for signaling. You can also use the secure trunk to add TLS connections to devices, such as conference bridges.
Step 4: Add Secure Profile to a SIP Trunk
Assign a TLS-enabled SIP trunk security profile to a SIP trunk to allow the trunk to support TLS. You can use the secure trunk to connect resources, such as conference bridges.
Step 5: Configure TLS in a Phone Security Profile
Assign TLS connections to a phone security profile. Phones that use this profile use TLS for signaling.
Step 6: Add Secure Phone Profile to a Phone
Assign the TLS-enabled profile that you created to a phone.
Step 7: Add Secure Phone Profile to a Universal Device Template
Assign a TLS-enabled phone security profile to a universal device template. If you have LDAP directory synchronization configured with this template, you can provision phones with security through the LDAP sync.
Frequently Asked Questions
What products need to meet the minimum TLS requirement when configuring Unified Communications Manager?
Products such as conference bridges, Media Termination Point (MTP), Xcoder, Prime Collaboration Assurance, Prime Collaboration Provisioning, Cisco Unity Connection, Cisco Meeting Server, Cisco IP Phones, Cisco Room Devices, Cloud services like Fusion Onboarding Service (FOS), Common Identity Service, Smart License Manager (SLM), Push REST service, Cisco Jabber and Webex App clients, along with other third-party applications, need to meet the minimum TLS requirement when configuring Unified Communications Manager.
Documents / Resources
Cisco TLS 1.2 for On Premises Collaboration Deployments [pdf] User Guide

