THIS FIELD NOTICE IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND
OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTY OF MERCHANTABILITY. YOUR USE
OF THE INFORMATION ON THE FIELD NOTICE OR MATERIALS LINKED FROM THE FIELD NOTICE
IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS FIELD
NOTICE AT ANY TIME.
Initial Public Release
The Cisco Smart Call Home (SCH) infrastructure will upgrade to SHA-2 certificates and discontinue support of SHA-1 certificates on May 6, 2016. SCH functionality will no longer work with Secure Hash Algorithm 1 (SHA-1) configured devices.
SHA-1 is an algorithm that uses 128-bit encryption for communication in order to secure websites, software, and servers. SHA-2 meets current industry standards and has stronger encryption. The Certificate Authority Security Council and other security industry leaders recommend ending support for SHA-1 and upgrading to SHA-2, which supports 256, 384, and 512-bit encryption. In order to protect Cisco and its customers, Cisco will migrate to SHA-2 on the 6th of May, 2016, and support services will no longer use the SHA-1 certificate. Consequently, if the device encounters any problem, SCH will not be able to raise an automatic Technical Assistance Center (TAC) Service Request and collect the essential information required for problem isolation. A manual method of error message collection will result in longer issue resolution.
Devices without support for SHA-2 certificates will not be able to send notifications and alerts to the Cisco SCH System. Each device and system that uses SHA-1 will display a failure notification. A sample notification for an ASA device is shown here:
error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed@s3_clnt.c:1492
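As an added example (not Cisco's code and not part of this field notice), the following Python script shows how an operator can check which hash family a certificate's signature uses, so that a device's trust store or a server's certificate chain can be audited for SHA-1-signed certificates ahead of a cutover like the one described above. It parses only the DER framing needed to reach the Certificate.signatureAlgorithm OID; the certificates it classifies are constructed, unsigned stand-ins built inline (assumption: only the outer Certificate layout is realistic), and the OID table is limited to the common RSA, DSA and ECDSA signature algorithms.

```python
"""Classify the signature hash of X.509 certificates (DER or PEM).

Hypothetical helper, not Cisco code: reads just enough ASN.1/DER to reach the
signatureAlgorithm field of a Certificate and maps its OID to a hash family.
"""
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758) -> hash family
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.5": "SHA-1",     # sha1WithRSAEncryption
    "1.2.840.10040.4.3": "SHA-1",        # dsaWithSHA1
    "1.2.840.10045.4.1": "SHA-1",        # ecdsa-with-SHA1
    "1.2.840.113549.1.1.11": "SHA-256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "SHA-384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "SHA-512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.3.2": "SHA-256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "SHA-384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "SHA-512",    # ecdsa-with-SHA512
}
SHA2_FAMILIES = {"SHA-256", "SHA-384", "SHA-512"}


def read_tlv(buf, pos):
    """Read one DER TLV at buf[pos]; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode DER OID content bytes into dotted-decimal form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:                       # base-128, high bit = continuation
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_oid_of_cert(der_bytes):
    """Return the dotted OID from Certificate.signatureAlgorithm."""
    tag, cert, _ = read_tlv(der_bytes, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _tbs, pos = read_tlv(cert, 0)        # skip tbsCertificate
    _, sig_alg, _ = read_tlv(cert, pos)     # signatureAlgorithm SEQUENCE
    oid_tag, oid_raw, _ = read_tlv(sig_alg, 0)
    if oid_tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid_raw)


def classify(der_bytes):
    """Return (hash_family, sha2_ok) for one DER-encoded certificate."""
    oid = signature_oid_of_cert(der_bytes)
    family = SIGNATURE_OIDS.get(oid, "unknown (" + oid + ")")
    return family, family in SHA2_FAMILIES


def pem_to_der(pem):
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))


def classify_pem_bundle(text):
    """Classify every certificate in a PEM bundle (e.g. an exported trust store)."""
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", text, re.S)
    return [classify(pem_to_der(b)) for b in blocks]


# --- constructed sample input (unsigned stand-ins, not real certificates) ---
def der(tag, content):
    """Minimal DER encoder used only to build the samples below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def sample_cert(sig_oid):
    """Constructed Certificate: placeholder tbsCertificate, real signatureAlgorithm layout."""
    tbs = der(0x30, der(0x02, b"\x01"))
    alg = der(0x30, encode_oid(sig_oid) + der(0x05, b""))   # AlgorithmIdentifier
    sig = der(0x03, b"\x00" * 9)                             # dummy BIT STRING
    return der(0x30, tbs + alg + sig)


def to_pem(der_bytes):
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    bundle = to_pem(sample_cert("1.2.840.113549.1.1.5")) + to_pem(sample_cert("1.2.840.113549.1.1.11"))
    for family, ok in classify_pem_bundle(bundle):
        print(family, "OK" if ok else "needs replacement before the SHA-1 cutoff")
```

Run against a real trust store, `classify_pem_bundle` returns one `(hash_family, sha2_ok)` pair per certificate; any entry with `sha2_ok` false is a certificate the device will keep presenting or trusting after the SHA-1 cutover. Note that the field's signatureAlgorithm tells you how a certificate was signed by its issuer; the self-signed root at the top of a chain can be SHA-1 without affecting validation, so the leaf and intermediates are the entries that matter.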
Cisco recommends two options:
Preferred: Upgrade to a newer operating system (OS) that supports your Cisco devices with SHA-2.
Note: Refer to SHA-2 support on OSs and specific OS upgrade instructions on cisco.com. For customers with an ASA, see "Notes for Customers with an ASA".
Alternative: Use the Transport Gateway (TG) with SCH.
As security technologies continue to evolve, OS upgrades and rollouts on devices might take time. Given that SHA-2 inherently provides strong security, Cisco recommends that you make use of TG as an interim workaround until the device software is updated.
Why SCH TG? It is not an alternative to upgrading to SHA-2. Instead, it allows customer devices to continue to send notifications to the SCH backend in the interim period. The TG software is downloadable from Cisco and is available for customers that require an aggregation point or a proxy for connection.
Download Cisco TG Software
In order to download Cisco TG software, go to the Download Software web page. On the software download page, the Release Information section in the right column lists the TG software images for the different OS versions (Linux, Solaris, Windows). Find the correct OS version of the TG software in the list and then click either Download Now or Add to cart.
After you have downloaded the correct OS version of TG software, refer to the Transport Gateway Installation/Configuration/Registration sections of the Smart Call Home User Guide for information on how to install the downloaded code and then configure and register the TG.
Notes for Customers with an ASA
- For versions earlier than 8.4.1 (which includes versions earlier than 8.2.5), the only way to continue is to upgrade, as those versions do not support SHA-2 validation.
- For versions 8.4.1 to 9.3.2, the G5 can be manually authenticated. This document has been updated with the correct certificate - Smart Call Home on the ASA.
- For versions 9.3.2 to 9.5.2, there are two options:
  - enter crypto ca trustpool import default
  - enter crypto ca trustpool import url http://www.cisco.com/security/pki/trs/ios_core.p7b. This is recommended since it installs a much smaller list of CAs.
To follow the bug ID link below and see detailed bug information, you must be a registered customer and you must be logged in.
- CSCur43251 (registered customers only): POODLE protocol-side fix: HTTPS Client. In order to communicate with the SCH backend successfully, upgrade to the OS version reported in the bug fix. That OS version supports SHA2 and at the same time fixes the HTTPS SSLv3 issue.
For More Information
If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:
Receive Email Notification For New Field Notices
Cisco Notification Service—Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.