Cisco Bug: CSCuq73658 - KeyAgreement, IPsec End System, Cert Sign bit is required or optional

Last Modified

May 05, 2016

Products (1)

  • Cisco Unified Communications Manager (CallManager)

Known Affected Releases

10.5(1.99995.9)

Description (partial)

Symptom:
- The following CSRs contain the KeyAgreement bit:
 
CUPS version 9.1.1.31900-1:
tomcat
cup-xmpp
cup-xmpp-s2s
ipsec

CUCM version 9.1.2.10000-28:
tomcat
CallManager
TVS
ipsec

 - The following document states that the KeyAgreement bit is included in the CSR, but does not say whether the bit is required. We need to know whether this is an optional or a required bit:

Cisco Unified Communications Operating System Administration Guide, Release 10.0(1)
Security
Third-Party CA Certificates: 
http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/cucos/10_0_1/CUCM_BK_C2F2626C_00_cucm-os-admin-guide-100/CUCM_BK_C2F2626C_00_cucm-os-admin-guide-100_chapter_0110.html#CUCM_RF_TF4B6BF0_00

<quote>
The CSRs for Cisco Unified Communications Manager, Tomcat, and IPsec use the following extensions:

X509v3 extensions:X509v3 Key Usage:
Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
</quote> 

 - If the CA does not include the KeyAgreement bit in the signed certificate, the Certificate Management process accepts the certificate on upload without checking for this bit. Since many third-party public and private Certificate Authorities exclude this bit by default, we do not know or understand the impact this will have on the system. The document does not reflect the true meaning or requirement of the KeyAgreement bit.

 - Since the document does not specify, and the server does not restrict, this bit, customers are re-configuring or re-designing their national or even global private Certificate Authorities to include the KeyAgreement bit in their default settings.
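
The practical check behind this bug is whether the Key Usage bits the CUCM CSR asks for survive in the certificate the CA issues. The following is an added example, not Cisco code and not part of the bug report: a pure-Python (standard library only) decoder for the X.509 KeyUsage extension that works on the DER of either a CSR or a certificate, plus a comparison that lists the usages the CSR requested but the CA dropped. The two sample inputs are constructed Extension TLVs (one carrying the four bits quoted from the CUCM guide, one carrying the common CA default of Digital Signature and Key Encipherment); they are not captured from a real system, and the function and constant names are this example's own. For background, RFC 5280 section 4.2.1.3 defines keyAgreement as applying to keys used in a key-agreement protocol such as DH or ECDH; what CUCM does with an RSA certificate that lacks the bit is exactly what the bug asks Cisco to document, and this example does not claim to answer that.

```python
"""Decode the X.509 KeyUsage extension from DER and compare a CSR's bits
against the issued certificate's bits (added example, not Cisco code)."""
import base64
import re

# DER encoding of OID 2.5.29.15 (id-ce-keyUsage): tag 0x06, length 3, 55 1d 0f
KEY_USAGE_OID = bytes.fromhex("06 03 55 1d 0f")

# RFC 5280 s4.2.1.3 bit positions; bit 0 is the MSB of the first content byte.
KEY_USAGE_BITS = [
    "Digital Signature", "Non Repudiation", "Key Encipherment",
    "Data Encipherment", "Key Agreement", "Certificate Sign",
    "CRL Sign", "Encipher Only", "Decipher Only",
]

# Constructed sample data (not from a real CUCM or CA): a bare Extension TLV,
# SEQUENCE { OID, [critical BOOLEAN], OCTET STRING { BIT STRING } }.
# 0xB8 with 3 unused bits = bits 0,2,3,4 = the four usages the CUCM guide lists.
CUCM_STYLE_CSR_EXT = bytes.fromhex("30 0e 06 03 55 1d 0f 01 01 ff 04 04 03 02 03 b8")
# 0xA0 with 5 unused bits = bits 0,2 = Digital Signature, Key Encipherment only.
CA_DEFAULT_CERT_EXT = bytes.fromhex("30 0b 06 03 55 1d 0f 04 04 03 02 05 a0")


def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_key_usage_bitstring(bitstring_value):
    """Turn the content octets of a KeyUsage BIT STRING into usage names."""
    unused = bitstring_value[0]      # first octet: number of unused trailing bits
    bits = bitstring_value[1:]
    names = []
    for i, name in enumerate(KEY_USAGE_BITS):
        byte, offset = divmod(i, 8)
        if byte >= len(bits):
            break
        if byte == len(bits) - 1 and offset >= 8 - unused:
            break                    # remaining bits of the last octet are padding
        if bits[byte] & (0x80 >> offset):
            names.append(name)
    return names


def key_usage_from_der(der):
    """Locate the KeyUsage extension in a DER certificate or CSR and decode it.

    Returns None if the extension is absent. The same code serves both inputs
    because an Extension is encoded identically in a certificate's extensions
    list and inside a CSR's extensionRequest attribute. Caveat: this searches
    for the raw OID bytes, so a chance match inside key or signature data is
    theoretically possible; a full ASN.1 walk would be stricter.
    """
    idx = der.find(KEY_USAGE_OID)
    if idx < 0:
        return None
    pos = idx + len(KEY_USAGE_OID)
    tag, value, pos = _read_tlv(der, pos)
    if tag == 0x01:                  # optional 'critical' BOOLEAN
        tag, value, pos = _read_tlv(der, pos)
    if tag != 0x04:                  # extnValue must be an OCTET STRING
        raise ValueError("malformed KeyUsage extension")
    inner_tag, bitstring, _ = _read_tlv(value, 0)
    if inner_tag != 0x03:
        raise ValueError("KeyUsage extnValue is not a BIT STRING")
    return decode_key_usage_bitstring(bitstring)


def pem_to_der(pem):
    """Strip PEM armour and base64-decode, for feeding real files to the above."""
    body = re.sub(r"-----[^-]+-----", "", pem)
    return base64.b64decode("".join(body.split()))


def missing_usages(csr_usages, cert_usages):
    """Usages the CSR asked for that are absent from the issued certificate."""
    return [u for u in csr_usages if u not in cert_usages]


if __name__ == "__main__":
    requested = key_usage_from_der(CUCM_STYLE_CSR_EXT)
    issued = key_usage_from_der(CA_DEFAULT_CERT_EXT)
    print("CSR requested :", requested)
    print("CA issued     :", issued)
    print("dropped by CA :", missing_usages(requested, issued))
```

To run it against real files, read the PEM CSR and certificate, pass them through `pem_to_der`, and compare the two results; `openssl req -in server.csr -noout -text` and `openssl x509 -in server.crt -noout -text` show the same "X509v3 Key Usage" line for a manual cross-check.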

Conditions:
- This affects all CUCM & IM&P server versions from CallManager 3.x onwards.