The TLS 1.2 support on SCCP Gateways feature describes how to configure TLS 1.2 on the SCCP protocol for the digital signal processor (DSP) farm, including the Unicast conference bridge (CFB), Media Termination Point (MTP), and the SCCP telephony control (STC) application (STCAPP).
DSPs on gateways can be used as media resources for transrating or transcoding. Each media resource uses Secure Skinny Client Control Protocol (SCCP) to communicate with Cisco Unified Communications Manager. Currently SSL 3.1, which is equivalent to TLS 1.0, is used for sending secure signals. This feature extends the support to TLS 1.2.
SCCP TLS connection
CiscoSSL is based on OpenSSL. SCCP uses CiscoSSL to secure the communication signals.
If a resource is configured in secure mode, the SCCP application initiates a process to complete the Transport Layer Security (TLS) handshake. During the handshake, the server sends information to CiscoSSL about the TLS version and cipher suites it supports. Previously, only SSL 3.1, which is equivalent to TLS 1.0, was supported for SCCP secure signalling. The TLS 1.2 Support feature introduces TLS 1.2 support to SCCP secure signalling.
After the TLS handshake is complete, SCCP is notified and SCCP kills the process.
If the handshake completes successfully, a REGISTER message is sent to Cisco Unified Communications Manager through the secure tunnel. If the handshake fails and a retry is needed, a new process is initiated.
Note: For SCCP-based signalling, only the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite is supported.
Supported Platforms
The TLS 1.2 support on SCCP Gateways feature is supported on the following platforms:
- Cisco 4321 Integrated Services Router
- Cisco 4331 Integrated Services Router
- Cisco 4351 Integrated Services Router
- Cisco 4431 Integrated Services Router
- Cisco 4451-X Integrated Services Router
- The Cisco VG310, VG320, VG350, VG204XM, and VG202XM Analog Voice Gateways
- All Cisco Integrated Services Router Generation 2 (ISR G2) platforms
Configuring TLS version for STC application
Perform the following task to configure a TLS version for the STC application:
enable
configure terminal
stcapp security tls-version v1.2
exit
Note: The stcapp security tls command sets the TLS version to v1.0, v1.1, or v1.2 only. If not configured explicitly, TLS v1.0 is selected by default.
Configuring TLS version in Secure Mode for DSP Farm Profile
Perform the following task to configure the TLS version in secure mode for a DSP farm profile:
enable
configure terminal
dspfarm profile 7 conference security
tls-version v1.2
exit
Note: The tls command can be configured only in security mode.
Verifying TLS version
Perform the following task to verify the TLS version:
Device# show dspfarm profile 4
Dspfarm Profile Configuration
Profile ID = 4, Service = MTP, Resource ID = 5
Profile Service Mode : secure
Trustpoint : cucm_12_s_mtp
TLS Version : v1.2
Profile Admin State : DOWN
Profile Operation State : DOWN
Application : SCCP Status : NOT ASSOCIATED
Resource Provider : FLEX_DSPRM Status : DOWN
Total Number of Resources Configured : 1
Total Number of Resources Available : 0
Total Number of Resources Out of Service : 1
Total Number of Resources Active : 0
Hardware Configured Resources : 1
Hardware Resources Out of Service: 1
Software Configured Resources : 0
Number of Hardware Resources Active : 0
Number of Software Resources Active : 0
Codec Configuration: num_of_codecs:1
Codec : g711ulaw, Maximum Packetization Period : 30
Device#show dspfarm profile 5
Dspfarm Profile Configuration
Profile ID = 5, Service = CONFERENCING, Resource ID = 3
Profile Service Mode : secure
Trustpoint : cucm_12_s_conf
TLS Version : v1.0
Profile Admin State : DOWN
Profile Operation State : DOWN
Application : SCCP Status : NOT ASSOCIATED
Resource Provider : FLEX_DSPRM Status : DOWN
Total Number of Resources Configured : 1
Total Number of Resources Available : 0
Total Number of Resources Out of Service : 1
Total Number of Resources Active : 0
Maximum conference participants : 8
Codec Configuration: num_of_codecs:6
Codec : g711ulaw, Maximum Packetization Period : 30 , Transcoder: Not Required
Codec : g711alaw, Maximum Packetization Period : 30 , Transcoder: Not Required
Codec : g729ar8, Maximum Packetization Period : 60 , Transcoder: Not Required
Codec : g729abr8, Maximum Packetization Period : 60 , Transcoder: Not Required
Codec : g729r8, Maximum Packetization Period : 60 , Transcoder: Not Required
Codec : g729br8, Maximum Packetization Period : 60 , Transcoder: Not Required
Device#show dspfarm profile 6
Dspfarm Profile Configuration
Profile ID = 6, Service = TRANSCODING, Resource ID = 1
Profile Service Mode : secure
Trustpoint : cucm_12_s_xcode
TLS Version : v1.0
Profile Admin State : DOWN
Profile Operation State : DOWN
Application : SCCP Status : NOT ASSOCIATED
Resource Provider : FLEX_DSPRM Status : DOWN
Total Number of Resources Configured : 1
Total Number of Resources Available : 0
Total Number of Resources Out of Service : 1
Total Number of Resources Active : 0
Codec Configuration: num_of_codecs:4
Codec : g711ulaw, Maximum Packetization Period : 30
Codec : g711alaw, Maximum Packetization Period : 30
Codec : g729ar8, Maximum Packetization Period : 60
Codec : g729abr8, Maximum Packetization Period : 60
TLS : ENABLED
Verifying STC app TLS version
Perform the following task to verify TLS version of the STC application:
Device# show call application voice stcapp
App Status: Active
CCM Status: UP
CCM Group: 120
Registration Mode: CCM
Total Devices: 0
Total Calls in Progress: 0
Total Call Legs in Use: 0
ROH Timeout: 45
TLS Version: v1.0
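An added example, not part of the Cisco documentation: a small Python audit that parses captured output of the two show commands above and reports any DSP farm profile or STCAPP instance that is not at TLS v1.2. The sample capture is constructed (trimmed to the relevant fields of the output format shown above); the function name and the choice to flag profiles that are not in secure mode are assumptions.

```python
import re

# Constructed sample: trimmed output in the format shown above,
# with both "Device# show" and "Device#show" prompt styles.
SAMPLE = """\
Device# show dspfarm profile 4
Profile ID = 4, Service = MTP, Resource ID = 5
Profile Service Mode : secure
TLS Version : v1.2
Device#show dspfarm profile 5
Profile ID = 5, Service = CONFERENCING, Resource ID = 3
Profile Service Mode : secure
TLS Version : v1.0
Device# show call application voice stcapp
App Status: Active
TLS Version: v1.0
"""

REQUIRED = "v1.2"
PROFILE_RE = re.compile(r"Profile ID = (\d+), Service = (\w+)")
MODE_RE = re.compile(r"Profile Service Mode\s*:\s*(\S+)")
TLS_RE = re.compile(r"TLS Version\s*:\s*(v\d\.\d)")

def audit_tls(text, required=REQUIRED):
    """Return (target, problem) pairs for anything not at the required TLS version."""
    findings = []
    # Split the capture into one chunk per show command.
    for chunk in re.split(r"(?m)^\S*#\s*show ", text):
        profile = PROFILE_RE.search(chunk)
        if profile:
            mode = MODE_RE.search(chunk)
            name = f"dspfarm profile {profile.group(1)} ({profile.group(2)})"
            if not mode or mode.group(1).lower() != "secure":
                # Assumption: a profile outside secure mode is reported as well.
                findings.append((name, "not in secure mode"))
                continue
        elif chunk.startswith("call application voice stcapp"):
            name = "stcapp"
        else:
            continue
        tls = TLS_RE.search(chunk)
        version = tls.group(1) if tls else "missing"
        if version != required:
            findings.append((name, f"TLS {version}, expected {required}"))
    return findings
```

Calling `audit_tls` on a saved terminal capture returns an empty list when every secure profile and the STC application report v1.2.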
Feature Information for TLS 1.2 support on SCCP Gateways
Table 2. Feature Information for TLS 1.2 support on SCCP Gateways
| Feature Name | Releases | Feature Information |
| --- | --- | --- |
| TLS 1.2 support on SCCP Gateways | Cisco IOS XE Fuji 16.7.1 | The TLS 1.2 support on SCCP Gateways feature details the configuration of TLS 1.2 on SCCP protocol for DSP farm including CFB, MTP, and STCAPP. The following commands were introduced: stcapp security tls-version, tls-version. |