Revision | Date | Comment |
---|---|---|
1.0 | 14-APR-2016 | Initial Public Release |
Products Affected |
---|
MDS9000 |
N7000 |
N5000 |
N6000 |
ASA |
The Cisco Smart Call Home (SCH) infrastructure will upgrade to SHA-2 certificates and discontinue support of SHA-1 certificates on May 6, 2016. SCH functionality will no longer work with Secure Hash Algorithm 1 (SHA-1) configured devices.
SHA-1 is an algorithm that uses 128-bit encryption used for communication in order to secure websites, software, and servers. SHA-2 meets current industry standards and has stronger encryption. The Certificate Authority Security Council and other security industry leaders recommend ending support for SHA-1 and upgrading to SHA-2, which supports 256, 384, and 512-bit encryption. In order to protect Cisco and its customers, Cisco will migrate to SHA-2 on May 6, 2016, and support services will no longer use the SHA-1 certificate. Consequently, if a device that still relies on SHA-1 encounters a problem, SCH will not be able to raise an automatic Technical Assistance Center (TAC) Service Request and collect the essential information required for problem isolation. Collecting error messages manually instead will lengthen issue resolution.
Devices without support for SHA-2 certificates will not be able to send notifications and alerts to the Cisco SCH System. Each device and system that uses SHA-1 will display a failure notification. A sample notification for an ASA device is shown here:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed@s3_clnt.c:1492
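To tell whether a certificate exported from a device, a Transport Gateway, or the SCH backend is SHA-1 or SHA-2 signed, here is an added example (not Cisco code) that reads the signatureAlgorithm OID from the outer DER structure of an X.509 certificate using only the Python standard library. The two certificates it checks are constructed stand-ins with valid outer DER framing and dummy contents, not real certificates.

```python
"""Report the hash family of an X.509 certificate's signature from DER bytes.

Added example for this field notice, not Cisco code. Only the outer
Certificate SEQUENCE is walked: tbsCertificate, signatureAlgorithm, signature.
"""
import base64
# Signature-algorithm OIDs mapped to (name, hash family); a common subset.
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-2"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-2"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-2"),
}
def read_tlv(buf, pos=0):
    """Decode one DER tag/length/value at pos; return (tag, value, end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                   # long form: low 7 bits = length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(raw):
    """Turn OBJECT IDENTIFIER contents into dotted-decimal text."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:             # clear high bit ends this arc
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def signature_family(cert):
    """Return (dotted OID, algorithm name, hash family); accepts DER or PEM."""
    if cert.lstrip().startswith(b"-----BEGIN"):
        b64 = b"".join(l for l in cert.splitlines() if not l.startswith(b"-----"))
        cert = base64.b64decode(b64)
    tag, body, _ = read_tlv(cert)
    if tag != 0x30:
        raise ValueError("input is not a DER Certificate SEQUENCE")
    _, _, pos = read_tlv(body)          # skip tbsCertificate
    _, alg_id, _ = read_tlv(body, pos)  # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(alg_id)        # OBJECT IDENTIFIER
    dotted = decode_oid(oid)
    return (dotted,) + SIGNATURE_OIDS.get(dotted, ("unknown", "unknown"))

# Constructed stand-ins (valid outer DER framing, dummy body): not real certs.
SHA1_CERT = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d0101050500" "030200ff")
SHA256_CERT = bytes.fromhex("3018" "3003020101" "300d06092a864886f70d01010b0500" "030200ff")
```

Run `signature_family()` over each certificate in an exported chain; any entry reporting SHA-1 must still be trusted by the device until the OS upgrade or the TG is in place.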
Cisco recommends two options:
Preferred: Upgrade to a newer operating system (OS) that supports your Cisco devices with SHA-2.
Note: Refer to SHA-2 support on OSs and specific OS upgrade instructions on cisco.com. For customers with an ASA, see "Note for Customers with an ASA".
Alternative: Use the Transport Gateway (TG) with SCH.
As security technologies continue to evolve, OS upgrades and rollouts on devices might take time. Given that SHA-2 inherently provides strong security, Cisco recommends that you use the TG as an interim workaround until the device software is updated.
Why the SCH TG? It is not an alternative to upgrading to SHA-2. Instead, it allows customer devices to continue to send notifications to the SCH backend in the interim period. The TG software is downloadable from Cisco and is available for customers that require an aggregation point or a proxy for connection.
In order to download the Cisco TG software, go to the Download Software web page. On the software download page, the Release Information section in the right column lists the TG software images for the different OS versions (Linux, Solaris, Windows). Find the correct OS version of the TG software in the list and then click either Download Now or Add to cart.
After you have downloaded the correct OS version of TG software, refer to the Transport Gateway Installation/Configuration/Registration sections of the Smart Call Home User Guide for information on how to install the downloaded code and then configure and register the TG.
To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.
CDETS | Description |
---|---|
CSCur43251 (registered customers only) | POODLE protocol-side fix: HTTPS Client - In order to communicate to the SCH backend successfully, upgrade to the OS version reported in the bug fix. The OS version supports SHA2 and at the same time fixes the HTTPS SSLv3 issue. |
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.