Cisco Bug: CSCup88555 - Need to validate serial number length while uploading new cert

Last Modified

May 17, 2017

Products (7)

  • Cisco Unified Communications Manager (CallManager)
  • Cisco Intercompany Media Engine
  • Cisco Unity Connection Version 9.1
  • Cisco Business Edition 5000 Version 9.1
  • Cisco Unified Communications Manager Version 9.1
  • Cisco Business Edition 6000 Version 9.1
  • Cisco Unified Communications Manager Session Management Edition

Known Affected Releases

9.1(1)

Description (partial)

Symptom:
When a new certificate is uploaded into CUCM, the length of the hex representation of the certificate serial number is not checked.
As per the data dictionary:

http://www.cisco.com/c/dam/en/us/td/docs/voice_ip_comm/cucm/datadict/9_1_1/datadictionary_911.pdf

Type: string [42] (Not Modifiable)
Remarks: hex representation of serial number

The hex representation can be a maximum of 42 characters long (inserted in the DB as UTF-8).

If the serial number is longer, the least significant digits (LSD) are stripped when the cert is inserted into the DB. Since the uniqueness of a cert is calculated as the combination of "issuername + serialnumber", this can lead to errors when inserting a second cert whose serial number is longer than 42 characters and whose distinguishing LSD fall outside the first 42 characters.

Also, based on the RFC (https://tools.ietf.org/html/rfc5280), the serial number can be a maximum of 20 octets in size, and 20 octets is equal to a 40-digit hexadecimal number.

Conditions:
Exceptions like the following are thrown in the certCN service logs:

2014-06-08 22:16:03,692 INFO [Timer-0] - SQLException : While INSERT/UPDATE certificate in DB : UPDATE CERTIFICATE SET SERVERNAME="XXXXXXX"
(...)
2014-06-08 22:16:03,692 ERROR [Timer-0] - Exception:

java.sql.SQLException: Unique constraint (informix.mx_660_5393_5394) violated.
	at com.informix.jdbc.IfxSqli.a(IfxSqli.java:3457)
	at com.informix.jdbc.IfxSqli.E(IfxSqli.java:3774)
(...)
2014-06-08 22:16:03,692 ERROR [Timer-0] - Exception while uploading cert to DB: 

java.sql.SQLException: Unique constraint (informix.mx_660_5393_5394) violated.
	at com.informix.jdbc.IfxSqli.a(IfxSqli.java:3457)
	at com.informix.jdbc.IfxSqli.E(IfxSqli.java:3774)
	at com.informix.jdbc.IfxSqli.dispatchMsg(IfxSqli.java:2580)
	at com.informix.jdbc.IfxSqli.receiveMessage(IfxSqli.java:2496)
	at com.informix.jdbc.IfxSqli.c(IfxSqli.java:1475)

The above can lead to serious issues, since in these situations certs do not replicate across the cluster.

When a cert is uploaded under the OS admin page, the length of the serial number should be validated against the DB limits.
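A pre-upload check along these lines, as an added example (not Cisco code): it flags serial numbers that exceed the 42-character column or the 20-octet RFC limit, and finds certificates that would share the same stored "issuername + serialnumber" key after truncation. The function names, the hex normalisation and the sample data are assumptions made for illustration.

```python
from collections import defaultdict

DB_SERIAL_CHARS = 42      # data dictionary: string [42]
RFC5280_MAX_OCTETS = 20   # RFC 5280 limit quoted above (40 hex digits)

def normalize(serial_hex):
    """Assumed normalisation: drop ':' and spaces, upper-case the digits."""
    s = serial_hex.replace(":", "").replace(" ", "").upper()
    if not s or any(c not in "0123456789ABCDEF" for c in s):
        raise ValueError(f"not a hex serial number: {serial_hex!r}")
    return s

def check_serial(serial_hex):
    """Return a list of problems; an empty list means safe to upload."""
    s = normalize(serial_hex)
    problems = []
    if len(s) > 2 * RFC5280_MAX_OCTETS:
        problems.append(f"{(len(s) + 1) // 2} octets exceeds the RFC 5280 limit")
    if len(s) > DB_SERIAL_CHARS:
        lost = len(s) - DB_SERIAL_CHARS
        problems.append(f"last {lost} hex digits would be stripped on insert")
    return problems

def find_collisions(certs):
    """certs: iterable of (issuer, serial_hex). Returns the (issuer, stored
    serial) keys shared by more than one distinct certificate."""
    stored = defaultdict(set)
    for issuer, serial_hex in certs:
        s = normalize(serial_hex)
        stored[(issuer, s[:DB_SERIAL_CHARS])].add(s)
    return {key: sorted(full) for key, full in stored.items() if len(full) > 1}

# Constructed sample data: two 44-digit serials that differ only after digit 42.
PREFIX = "7F" * 21
SAMPLE = [
    ("CN=Example CA", PREFIX + "01"),
    ("CN=Example CA", PREFIX + "02"),
    ("CN=Example CA", "0A" * 20),          # 20 octets, within both limits
    ("CN=Other CA", PREFIX + "01"),        # same serial, different issuer
]

if __name__ == "__main__":
    for issuer, serial in SAMPLE:
        print(issuer, serial, check_serial(serial) or "ok")
    for (issuer, stored), full in find_collisions(SAMPLE).items():
        print(f"collision under {issuer}: {full} both stored as {stored}")
```

The hex serial of a certificate file can be obtained with `openssl x509 -in cert.pem -noout -serial` and passed to `check_serial` before the upload.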