7800-8800 series IP phones reject old MD5 hashed CUCM certificates

Result : Extension Mobility not working on 7800/8800 series IP phones


Last week I ran into an issue regarding Extension Mobility for a customer who upgraded his UC platform from 6.1 to 11.5.
His platform contains, among other things, one CUCM Publisher and one CUCM Subscriber.

On this occasion he also expanded the platform with a batch of new 7821 IP phones.

The upgrade ran flawlessly and everything works for the existing 7900 series IP phones.

However, when adding the 7821 IP phones we realized that there is a problem with Extension Mobility: they get “Host not found” (the most famous error for Phone Services).

They are using the Secure URL

https://Publisher_IP_Address:8443/emapp/EMAppServlet?device=#DEVICENAME#

With this service, all 7900 IP phones work, but none of the 7821s do.
Moreover, from the logs and Wireshark traces, we don't even see the 7821 phones sending requests to TVS on port 2445. Nothing. Here is what the log said:

2373 ERR Sep 05 12:29:41.264147 (2092:2355) JAVA-Sec SSL Connection – Handshake failed.


We added a second EM service to troubleshoot further, this time with the Subscriber's IP address. With it, all IP phones, including the 7821s, run EM correctly. What the hell?

After two weeks of troubleshooting with TAC, we took the two Tomcat certificates and compared them. SURPRISE!! The Publisher's Tomcat certificate is X.509 version 1 and is signed with the MD5 hash algorithm, which is quite old-fashioned (whereas the Subscriber's is version 3 and signed with SHA-256).

But why? Because of the well-preserved CUCM 6.1 certificate!
My preferred method of upgrading (from MCS to UCS) is to backup/restore only the Publisher and then freshly reinstall the Subscribers.
CUCM 6.1 generated its self-signed certificates with exactly those attributes (version 1, MD5), and the restore carried the old Publisher certificate over unchanged.

Meanwhile, the Subscriber's Tomcat certificate is fine because that node was indeed freshly installed.
As soon as we regenerated the Publisher's Tomcat certificate (this time with more “modern” attributes, i.e. version 3 and SHA-256) and restarted the Cisco Tomcat service on the Publisher, Extension Mobility worked flawlessly on all IP phones, including the 7800/8800 series.

What's the point?
7800/8800 IP phones don't accept certificates signed with the MD5 hash algorithm. YES, they will reject it: the TLS handshake fails (the “Handshake failed” line above), so the phone never gets as far as the HTTP request or the TVS lookup. This is the new law of newer Cisco IP phones, and it is the right one: MD5 collisions have been practical since 2008, when a rogue CA certificate was forged with one, so a modern TLS client has no business trusting an MD5 signature. (The older Cisco 7900 series phones, however, accept this certificate without any concern.)

So here is my personal conclusion. When you upgrade CUCM from very old versions to 11.5 and are using the default self-signed certificates, it is a MUST to regenerate the Tomcat certificate (and restart the Cisco Tomcat service), otherwise Extension Mobility on 7800/8800 series IP phones won't work. A quick check before you go live: pull the certificate from port 8443 with openssl s_client and look at the Version and Signature Algorithm fields; version 1 or an MD5 signature means regenerate.
It's not said anywhere in the upgrade guides/documentation, but I learned it the hard way.
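The check above, as an added example that is not part of the original post and not a Cisco tool: a small standard-library Python script that reads a certificate (PEM as printed by openssl s_client, or raw DER) and reports the X.509 version and signature algorithm, flagging exactly the two attributes the 7800/8800 phones choked on. It goes slightly beyond the post by also flagging SHA-1, which newer clients deprecate the same way. The DER reader only walks the outer Certificate SEQUENCE, and the `make_sample_cert` helper builds a constructed skeleton certificate (placeholder signature, no real keys) so the script can be exercised offline; the OIDs are the standard PKCS#1 ones.

```python
"""Flag X.509 certificates that strict TLS clients (e.g. Cisco 7800/8800
phones) reject: version 1 and/or an MD5 (or SHA-1) signature.
Added example, not from the original post; standard library only."""
import base64
import re
import sys

# Signature algorithm OIDs (RFC 3279 / RFC 4055) we care about.
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(raw):
    """Decode DER OID contents into dotted form (base-128, MSB continuation)."""
    parts, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def pem_to_der(text):
    """Extract the first PEM certificate block, e.g. from `openssl s_client` output."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode(re.sub(r"\s+", "", m.group(1)))


def der_to_pem(der):
    b64 = base64.b64encode(der).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


def inspect_cert(der):
    """Return {'version': n, 'sig_alg': name}.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    TBSCertificate begins with OPTIONAL [0] EXPLICIT version, absent meaning v1."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, pos = _read_tlv(cert, 0)            # tbsCertificate
    _, sig_alg, _ = _read_tlv(cert, pos)        # signatureAlgorithm
    _, oid_raw, _ = _read_tlv(sig_alg, 0)       # its algorithm OID
    first_tag, first_val, _ = _read_tlv(tbs, 0)
    if first_tag == 0xA0:                       # [0] EXPLICIT version INTEGER
        version = int.from_bytes(_read_tlv(first_val, 0)[1], "big") + 1
    else:
        version = 1
    oid = _decode_oid(oid_raw)
    return {"version": version, "sig_alg": SIG_ALG_NAMES.get(oid, oid)}


def problems(der):
    """List what a strict client such as the 7800/8800 phones would object to."""
    info, out = inspect_cert(der), []
    if info["sig_alg"].startswith("md5"):
        out.append("signed with MD5 (collision-broken; rejected by 7800/8800 phones)")
    elif info["sig_alg"].startswith("sha1"):
        out.append("signed with SHA-1 (deprecated; regenerate with SHA-256)")
    if info["version"] == 1:
        out.append("X.509 v1 certificate (no extensions such as SAN or keyUsage)")
    return out


# ---- constructed test data: a skeleton cert with a placeholder signature ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    p = [int(x) for x in dotted.split(".")]
    out = bytearray([p[0] * 40 + p[1]])
    for v in p[2:]:
        chunk, v = [v & 0x7F], v >> 7
        while v:
            chunk.append(0x80 | (v & 0x7F))
            v >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def make_sample_cert(version, sig_oid):
    """Constructed DER certificate carrying only the fields inspect_cert reads."""
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    tbs = _tlv(0xA0, _tlv(0x02, bytes([version - 1]))) if version > 1 else b""
    tbs += _tlv(0x02, b"\x01") + alg            # serialNumber, inner signature alg
    return _tlv(0x30, _tlv(0x30, tbs) + alg + _tlv(0x03, b"\x00" * 9))


if __name__ == "__main__":
    data = sys.stdin.buffer.read()
    der = pem_to_der(data.decode("ascii", "ignore")) if b"-----BEGIN" in data else data
    info = inspect_cert(der)
    print("version=%d signature=%s" % (info["version"], info["sig_alg"]))
    for p in problems(der):
        print("PROBLEM:", p)
    sys.exit(1 if problems(der) else 0)
```

Usage against a live node: `openssl s_client -connect Publisher_IP_Address:8443 </dev/null 2>/dev/null | python3 check_cert.py` (the script picks the first certificate block out of the s_client output). A non-zero exit means regenerate the Tomcat certificate before rolling out 7800/8800 phones.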

[Figure: bad-good-certs]

Bonus: this also affects UDS (User Data Services) for Jabber.
Jabber for Windows doesn't like that certificate either; it gives an error along the lines of “Unable to verify certificate”.
Regenerating the Tomcat certificate on the Publisher also resolves this issue.
