Cisco Support Community

New Member

Jabber Outbound Bad Certificate

Hi All,

When dialling to a domain outside of jabber.com, which is using a Cisco VCS deployment, the following is received in the VCS Expressway Logs:

2013-10-01T11:21:02+10:00 tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="199.19.190.26" Src-port="40441" Dst-ip="x.x.x.x" Dst-port="5061" Detail="sslv3 alert bad certificate" Protocol="TLS" Level="1" UTCTime="2013-10-01 01:21:02,223"

The VCS Expressway Certificate is issued by Thawte SSL CA, which is issued by the Thawte Primary Root CA for the VCS Expressway FQDN (it is standalone, not part of a cluster). The same call to another VCS deployment using the TANDBERG self-signed SSL certificate works fine. Calls between these two VCS deployments using TLS work fine.

Can anybody assist to resolve this problem?

Jason
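
A small triage script for the log format quoted in the post above, added here as an example; it is not part of the thread or of any Cisco tooling. It parses the key="value" fields and groups TLS negotiation errors by direction, peer IP, listening port and alert detail. Only the first sample line comes from the post; the other lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample input. Line 1 is the entry quoted in the post;
# the remaining lines are made up for illustration.
SAMPLE_LOG = '''\
2013-10-01T11:21:02+10:00 tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="199.19.190.26" Src-port="40441" Dst-ip="x.x.x.x" Dst-port="5061" Detail="sslv3 alert bad certificate" Protocol="TLS" Level="1" UTCTime="2013-10-01 01:21:02,223"
2013-10-01T11:21:40+10:00 tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="199.19.190.26" Src-port="40502" Dst-ip="x.x.x.x" Dst-port="5061" Detail="sslv3 alert bad certificate" Protocol="TLS" Level="1" UTCTime="2013-10-01 01:21:40,871"
2013-10-01T11:22:05+10:00 tvcs: Event="Call Connected" Service="SIP" Src-ip="192.0.2.10" Src-port="25001" Dst-ip="x.x.x.x" Dst-port="5061" Protocol="TLS" Level="1" UTCTime="2013-10-01 01:22:05,010"
this line is not an event record
'''

LINE_RE = re.compile(r'^(?P<ts>\S+)\s+(?P<proc>[\w-]+):\s+(?P<fields>.*)$')
FIELD_RE = re.compile(r'([\w-]+)="([^"]*)"')

def parse_event(line):
    """Return the key="value" fields plus the timestamp, or None for non-event lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(FIELD_RE.findall(m.group('fields')))
    if 'Event' not in fields:
        return None
    fields['timestamp'] = m.group('ts')
    return fields

def tls_failures(log_text):
    """Group TLS negotiation errors by (direction, peer IP, local port, detail)."""
    summary = defaultdict(lambda: {'count': 0, 'first': None, 'last': None})
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or 'TLS Negotiation Error' not in ev['Event']:
            continue
        direction = ev['Event'].split()[0]  # e.g. "Inbound"
        key = (direction, ev.get('Src-ip'), ev.get('Dst-port'), ev.get('Detail'))
        entry = summary[key]
        entry['count'] += 1
        entry['first'] = entry['first'] or ev['timestamp']
        entry['last'] = ev['timestamp']
    return dict(summary)

if __name__ == '__main__':
    for (direction, src, port, detail), e in tls_failures(SAMPLE_LOG).items():
        print(f"{direction} from {src} to port {port}: {detail!r} "
              f"x{e['count']} ({e['first']} .. {e['last']})")
```

Grouping by peer and detail shows whether the failures come from a single remote domain, as in this thread, or from every TLS peer, which helps separate a trust-list problem with one peer from a problem with the local server certificate.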

10 REPLIES
Cisco Employee

Jabber Outbound Bad Certificate

Hi Jason,

It appears you have a correct cert from our list: https://supportforums.cisco.com/docs/DOC-23938

Please also read the bottom of that page.  It's possible your VCS-e is rejecting the jabber.com certificate.  Also make sure your certificate is installed within the trusted certificate store and not the server cert store.

Jason

New Member

Jabber Outbound Bad Certificate

Hi Jason,

Where are you referring to when you say trusted certificate store? The VCS admin guide and VCS cert guide both note the Server Certificate as being used for both HTTPS and TLS.

Cisco Employee

Re: Jabber Outbound Bad Certificate

Hi Jason,

TLS cannot negotiate a secure connection using the server cert.  The trusted cert must be used.  The location of the trusted CA is found per the attachment.  My recommendation is to reset your server cert to its default out of box cert.

Regards,

Jason

New Member

Jabber Outbound Bad Certificate

Hi Jason,

If I compare this to my working environment, the VCS is configured with the default tandberg certificate as the server certificate. The trusted CA certificate list is also default, containing only CA certificates (not issued certificates). If I initiate a call to this environment from my @jabber.com client, I can see from a packet capture that TLS is being negotiated with the certificate configured as the server certificate, in this case the default tandberg one.

Now if I compare with the problem environment, the original server certificate was an expired default one. This has since been replaced with the thawte SSL certificate, which I can see being used when the inbound call hits it from @jabber.com, which results in the "Bad certificate" result.

Lastly, if I then call from the working environment to the problem environment using SIP TLS, the certificate used by the problem environment is the server certificate, which does not result in the "Bad Certificate" issue. This seems to indicate that the server certificate can be used to negotiate TLS?

Cisco Employee

Jabber Outbound Bad Certificate

Hi Jason,

There is definitely something wrong with your VCS-e certificates and how they are being used.  Not sure if it could also be a configuration issue as well, but for this support you are going to need to call Cisco TAC. 

Regards,

Jason

New Member

I had this problem too. I turned off the TLS verify on the Communication Servers in VCS-C, calls then worked. I then re-enabled it and calls still worked. Go figure!

Bronze

Hi,

Were you able to resolve? I'm having the same error.

New Member

Hi,

From memory it was an issue with the Trusted CA list, so make sure you have added the correct CA certificates for the cert you used as the server certificate.

Bronze

Just an FYI in the event anyone has an issue, answer is here

https://supportforums.cisco.com/document/97931/trusted-public-root-cas-b2b-telepresence

Taken from this post

https://supportforums.cisco.com/discussion/11437371/how-do-i-utilize-certificates-vcs-restricted-https-access

New Member

Was a resolution provided by Cisco TAC?
