When dialling to a domain outside of jabber.com, which is using a Cisco VCS deployment, the following is received in the VCS Expressway Logs:
2013-10-01T11:21:02+10:00 tvcs: Event="Inbound TLS Negotiation Error" Service="SIP" Src-ip="220.127.116.11" Src-port="40441" Dst-ip="x.x.x.x" Dst-port="5061" Detail="sslv3 alert bad certificate" Protocol="TLS" Level="1" UTCTime="2013-10-01 01:21:02,223"
The VCS Expressway Certificate is issued by Thawte SSL CA, which is issued by the Thawte Primary Root CA for the VCS Expressway FQDN (it is standalone, not part of a cluster). The same call to another VCS deployment using the TANDBERG self-signed SSL certificate works fine. Calls between these two VCS deployments using TLS work fine.
Can anybody assist to resolve this problem?
It appears you have a correct cert from our list: https://supportforums.cisco.com/docs/DOC-23938
Please also read the bottom of that page. It's possible your VCS-e is rejecting the jabber.com certificate. Also make sure your certificate is installed within the trusted certificate store and not the server cert store.
Where are you referring to when you say trusted certificate store? The VCS admin guide and VCS cert guide both note the Server Certificate as being used for both HTTPS and TLS.
TLS cannot negotiate a secure connection using the server cert. The trusted cert must be used. The location of the trusted CA is found per the attachment. My recommendation is to reset your server cert to its default out of box cert.
If I compare this to my working environment, the VCS is configured with the default TANDBERG certificate as the server certificate. The trusted CA certificate list is also default, containing only CA certificates (not issued certificates). If I initiate a call to this environment from my @jabber.com client, I can see from a packet capture that TLS is being negotiated with the certificate configured as the server certificate, in this case the default TANDBERG one.
Now if I compare with the problem environment, the original server certificate was an expired default one. This has since been replaced with the Thawte SSL certificate, which I can see being used when the inbound call hits it from @jabber.com, which results in the "Bad certificate" result.
Lastly, if I then call from the working environment to the problem environment using SIP TLS, the certificate used by the problem environment is the server certificate, which does not result in the "Bad Certificate" issue. This seems to indicate that the server certificate can be used to negotiate TLS?
There is definitely something wrong with your VCS-e certificates and how they are being used. Not sure if it could also be a configuration issue, but for this support you are going to need to call Cisco TAC.
I had this problem too. I turned off the TLS verify on the Communication Servers in VCS-C, calls then worked. I then re-enabled it and calls still worked. Go figure!
From memory it was an issue with the Trusted CA list, so make sure you have added the correct CA certificates for the cert you used as the server certificate.
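The "bad certificate" alert in the first post is the peer reporting that it could not build a path from the presented server certificate to a CA in its trusted list. The script below is an added example, not from this thread or from Cisco: it constructs a root CA, an issuing CA and a leaf (all names are made up) and runs the same path check with the openssl CLI against a root-only trust list, with the intermediate supplied alongside the leaf, and with the issuing CA added to the trusted list as recommended above.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce a TLS chain failure offline
# with a constructed three-tier hierarchy mirroring the layout described above
# (root CA -> issuing CA -> VCS Expressway leaf). Requires the openssl CLI.
set -e
command -v openssl >/dev/null 2>&1 || { echo "openssl CLI required"; exit 0; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT; cd "$WORK"

# Self-signed root CA (constructed stand-in for a public root CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout root.key \
  -out root.pem -subj "/CN=Example Primary Root CA" >/dev/null 2>&1
# Issuing CA signed by the root; it needs CA:TRUE and keyCertSign or
# verifiers will refuse to treat it as an issuer.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -newkey rsa:2048 -nodes -keyout inter.key -out inter.csr \
  -subj "/CN=Example SSL CA" >/dev/null 2>&1
openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
  -days 30 -extfile ca.ext -out inter.pem >/dev/null 2>&1
# Server (leaf) certificate for a constructed VCS Expressway FQDN.
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
  -subj "/CN=vcse.example.test" >/dev/null 2>&1
openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
  -days 30 -out leaf.pem >/dev/null 2>&1

# The check a peer performs before deciding whether to alert: build a path
# from the presented certificate(s) to a root in its trusted CA list.
# $1 = trusted CA list (PEM bundle), $2 = leaf, $3 = optional intermediate
#      presented together with the leaf. Echoes "ok" or "fail".
check_chain() {
  if [ -n "$3" ]; then
    openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1 && echo ok || echo fail
  else
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 && echo ok || echo fail
  fi
}

# Trusted list with the issuing CA added (the fix suggested in the thread).
cat root.pem inter.pem > trusted_list.pem

echo "leaf alone, root-only trust list:       $(check_chain root.pem leaf.pem)"           # fail
echo "leaf + intermediate sent, root trusted: $(check_chain root.pem leaf.pem inter.pem)" # ok
echo "leaf alone, issuing CA in trust list:   $(check_chain trusted_list.pem leaf.pem)"   # ok
```

The first case is the situation in the thread: a leaf issued by an intermediate that the verifying side neither trusts nor receives cannot be validated, however well-known the root is.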
Just an FYI in the event anyone has an issue, the answer is here
Taken from this post