Field Notice: FN - 64129 - Smart Call Home Will No Longer Support SHA-1 - Upgrade Required

Available Languages

Updated:April 14, 2016
Document ID:FN64129

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

NOTICE:

THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD NOTICE AT ANY TIME.

Revision History

Revision Date Comment
1.0
14-APR-2016
Initial Public Release

Products Affected

Products Affected
MDS9000
N7000 
N5000 
N6000 
ASA

Problem Description

The Cisco Smart Call Home (SCH) infrastructure will upgrade to SHA-2 certificates and discontinue support of SHA-1 certificates on May 6, 2016. SCH functionality will no longer work with Secure Hash Algorithm 1 (SHA-1) configured devices.

Background

SHA-1 is an algorithm that uses 128-bit encryption used for communication in order to secure websites, software, and servers. SHA-2 meets current industry standards and has stronger encryption. The Certificate Authority Security Council and other security industry leaders recommend to end support for SHA-1 and to upgrade to SHA-2 which supports 256, 384, and 512-bit encryption. In order to protect Cisco and their customers, Cisco will migrate to SHA-2 on the 6th of May, 2016 and support services will no longer use the SHA-1 certificate. Consequently, if the device encounters any problem, SCH will not be able to raise an automatic Technical Assistance Center (TAC) Service Request and collect the essential information required for problem isolation. A manual method of error message collection will result in longer issue resolution.

Problem Symptoms

Devices without support for SHA-2 certificates will not be able to send notifications and alerts to the Cisco SCH System. Each device and system that uses SHA-1 will display failure notification. A sample notification for an ASA device is shown here:

error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed@s3_clnt.c:1492

Workaround/Solution

Cisco recommends two options:

Preferred: Upgrade to a newer operating system (OS) that supports your Cisco devices with SHA-2.

Note: Refer to SHA-2 support on OSs and specific OS upgrade instructions on cisco.com. For customers with an ASA, see "Note for Customers with an ASA".

Alternative: Use the Transport Gateway (TG) with SCH.

As security technologies continue to evolve, OS upgrades and rollouts on devices might take time. Given that SHA-2 inherently provides strong security, Cisco recommends that you make use of TG as an interim workaround until the device software is updated.

Why SCH TG? It is not an alternative to upgrade to SHA-2. Instead it allows customer devices to continue to send notifications to the SCH backend in the interim period. The TG software is downloadable from Cisco and is available for customers that require an aggregation point or a proxy for connection.

Download Cisco TG Software

In order to download Cisco TG software, go to the Download Software web page. On the software download page the related Release Information section in the right column lists the image for different OS version (Linux, Solaris, Windows) of TG software. Find the correct OS version of TG software in the list and then click either Download Now or Add to cart.

After you have downloaded the correct OS version of TG software, refer to the Transport Gateway Installation/Configuration/Registration sections of the Smart Call Home User Guide for information on how to install the downloaded code and then configure and register the TG.

Notes for Customers with an ASA

  • For versions earlier than 8.4.1 (which includes versions earlier than 8.2.5), the only way to continue is to upgrade as they do not support the SHA-2 validation.

  • For versions 8.4.1 to 9.3.2, the G5 can be manually authenticated. This document has been updated with the correct certificate - Smart Call Home on the ASA.

  • For versions 9.3.2 to 9.5.2, there are two options:

    • enter crypto ca trustpool import default?

    • enter crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b? This is recommended since it installs a much smaller list of CAs. 

CDETS

To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.

CDETS Description
CSCur43251 (registered customers only) POODLE protocol-side fix: HTTPS Client - In order to communicate to the SCH backend successfully, upgrade to the OS version reported in the bug fix. The OS version supports SHA2 and at the same time fixes the HTTPS SSLv3 issue.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

This Document Applies to These Products