Exp-C/VCS-C Phone Registration Fails Over MRA with MD5 Hashed Algorithm Certificates

Introduction

This document describes a problem you might encounter when you register your phone over Mobile and Remote Access (MRA) if the Message Digest 5 (MD5) hashed algorithm certificate is used, and it offers a solution to the problem.

Problem

Phone registration fails over MRA if the certificate used on Expressway-C/Video Communication Server (VCS)-C are generated with the use of the MD5 signature algorithm. 

Cause

The use of the MD5 hash algorithm in certificates could allow an attacker to spoof content, perform phishing attacks, or perform man-in-the-middle attacks. Microsoft also released a security advisory last year that restricted the use of certificates with the MD5 hash algorithm. This restriction is limited to certificates issued under roots in the Microsoft root certificate program: Microsoft Security Advisory: Update for deprecation of MD5 hashing algorithm for Microsoft root certificate program: August 13, 2013 

Cisco bug ID CSCuq95204 has been raised to update the VCS documents to state that Cisco does not support MD5-hashed algorithm certificates.

Verify the Issue

This section details how to verify if your registration fails because of this issue.

When Jabber attempts to register a soft phone over the edge/MRA infrastrucure, the Jabber soft phone registration fails if the Expressway machines use the MD5-hashed certificate. However, the nature of the error varies and depends on which machine uses the MD5-hashed certificate.

Case 1: Expressway-C Uses the MD5-Hashed Certificate and Expressway-E Has a Certificate with a Secure Hash Algorithm (SHA Algorithm)

You encounter this error in the Expressway-C diagnostic logs:

2014-09-20T06:06:43+05:30 Expressway-C UTCTime="2014-09-20 00:36:43,837" Module=
"developer.cvs.server" Level="INFO" CodeLocation="cvs(132)" Detail="Certificate
verification failure" SubjectCommonName="Expressway-E.edge.com" Error="(SEC_ERROR_
CERT_SIGNATURE_ALGORITHM_DISABLED) The certificate was signed using a signature
algorithm that is disabled because it is not secure."

After this error, an "437 unsupported certificate" to Expressway-E message appears.

2014-09-20T06:06:43+05:30 Expressway-C tvcs: UTCTime="2014-09-20 00:36:43,840" 
Module="network.sip" Level="DEBUG":  Action="Sent"  Local-ip="127.0.0.1"  Local-
port="22210"  Dst-ip="127.0.0.1"  Dst-port="25011"  Msg-Hash="5047300400093470988" 
 SIPMSG:
 |SIP/2.0 437 Unsupported Certificate
 Via: SIP/2.0/TCP 127.0.0.1:5060;egress-zone=DefaultZone;branch=z9hG4bKeaaf784fd792
c156da3ff2b664a2eee751464.eb53ca5fcac328dc0f61631ec583fdf4;proxy-call-id=0e01fda1-
6704-4066-bcfd-06e2f3ded8f9;received=127.0.0.1;rport=25011
 Via: SIP/2.0/TLS 10.106.93.182:7001;egress-zone=TraversalserverzoneMRA;branch=z9hG
4bKc4ad3ddb1c5a24099882b10815ee247196.afc37861e975b930c7e624e1d5c6e967;proxy-call-id=
4436ec58-81a4-47a2-b4be-9f0b8b551209;received=10.106.93.182;rport=7001;ingress-zone=
TraversalclientzoneMRA;ingress-zone-id=1
 Via: SIP/2.0/TCP 127.0.0.1:5060;branch=z9hG4bKaa0592c35ecf47289c8efe37792f0c5095;
received=127.0.0.1;rport=25000;ingress-zone=DefaultZone
 Call-ID: 5050433d0d38b156@127.0.0.1
 CSeq: 35384 SERVICE
 From: <sip:serviceproxy@10.106.93.187>;tag=31976bf5fd009665
 To: <sip:serviceserver@10.106.93.187>;tag=f35f010a358ec6dd
 Server: TANDBERG/4130 (X8.2.1)
 Content-Length: 0

Case 2: Expressway-E Uses a MD5-Hashed Certificate and Expressway-C Has a Certificate with a SHA Algorithm

You encounter this error in the Expressway-E diagnostic logs:

2014-11-28T20:17:38+05:30 Expressway-E UTCTime="2014-11-28 14:47:38,393" Module=
"developer.cvs.server" Level="INFO" CodeLocation="cvs(132)" Detail="Certificate 
verification failure" SubjectCommonName="Expressway-C.edge.local" Error="(SEC_ERROR_
CERT_SIGNATURE_ALGORITHM_DISABLED) The certificate was signed using a signature 
algorithm that is disabled because it is not secure."

After this error, the "403 Forbidden" message to Jabber client appears.

2014-11-28T20:17:38+05:30 Expressway-E tvcs: UTCTime="2014-11-28 14:47:38,395" 
Module="network.sip" Level="DEBUG": Action="Sent" Local-ip="10.106.93.182" Local-
port="5061" Dst-ip="10.106.93.185" Dst-port="49174" Msg-Hash="8732905073947938174" 
 SIPMSG:
 |SIP/2.0 403 Forbidden
 Via: SIP/2.0/TLS 10.106.93.185:49174;branch=z9hG4bK00006db3;received=10.106.93.185
 Call-ID: 005056ad-6bf90002-000038a2-00003b0a@10.106.93.185
 CSeq: 104 REGISTER
 From: <sip:8002@10.106.93.187>;tag=005056ad6bf9000200007e3c-000005e2
 To: <sip:8002@10.106.93.187>;tag=baa86af3aca9e844
 Server: TANDBERG/4130 (X8.2.1)
 Content-Length: 0

Case 3: Expressway-E and Expressway-C Both Use the MD5-Hashed Certificate

You encounter this error in the Expressway-C diagnostic logs:

2014-11-28T20:50:44+05:30 Expressway-C UTCTime="2014-11-28 15:20:44,943" Module=
"developer.cvs.server" Level="INFO" CodeLocation="cvs(132)" Detail="Certificate 
verification failure" SubjectCommonName="Expressway-E.edge.com" Error="(SEC_ERROR_
CERT_SIGNATURE_ALGORITHM_DISABLED) The certificate was signed using a signature 
algorithm that is disabled because it is not secure."

After this error, the "437 unsupported certificate" to Expressway-E message appears.

2014-11-28T20:50:44+05:30 Expressway-C tvcs: UTCTime="2014-11-28 15:20:44,945"
 Module="network.sip" Level="DEBUG": Action="Sent" Local-ip="127.0.0.1" Local-
port="22210" Dst-ip="127.0.0.1" Dst-port="25753" Msg-Hash="136016498284976281" 
 SIPMSG:
 |SIP/2.0 437 Unsupported Certificate
 Via: SIP/2.0/TCP 127.0.0.1:5060;egress-zone=DefaultZone;branch=z9hG4bK22df47
ed2281a3bf3d88ece09bfbbc3a231977.0dbe343429e681275f6160e8c8af25fe;proxy-call-
id=2ee40ecc-4a1b-4073-87a6-07fbc3d7a6be;received=127.0.0.1;rport=25753
 Via: SIP/2.0/TLS 10.106.93.182:7001;egress-zone=TraversalserverzoneMRA;branch=
z9hG4bK35a8b2cbb77db747c94e58bbf1d16cf1108.1c42f037f9ac98c59766cb84d0d3af10;
proxy-call-id=a8938902-2e0c-4a49-b900-a3b631920553;received=10.106.93.182;rport=
7001;ingress-zone=TraversalclientzoneMRA;ingress-zone-id=1
 Via: SIP/2.0/TCP 127.0.0.1:5060;branch=z9hG4bKb2da522d9f1b5ad1bc2f415f5f01d0d2107;
received=127.0.0.1;rport=25000;ingress-zone=DefaultZone
 Call-ID: 019ed17f1344e908@127.0.0.1
 CSeq: 54313 SERVICE
 From: <sip:serviceproxy@10.106.93.187>;tag=3426bb81de53e3b6
 To: <sip:serviceserver@10.106.93.187>;tag=2128ce8a1f90cb7b
 Server: TANDBERG/4130 (X8.2.1)
 Content-Length: 0

Verify the Certificate Algorithm

This screenshot shows how to verify the certificate algorithm that is used.

Solution

Normally the Certificate Authority (CA) does not provide certificates with MD5 algorithm anymore. But sometimes customers use a mixed approach wherein the certificate on Expressway-C is generated with their Enterprise Microsoft CA and Expressway-E uses a certificate issued by a public CA such as GoDaddy.

If the Enterprise Microsoft Root CA uses the MD5 algorithm, then this issue occurs. You can modify the root CA in order to use the SHA1 algorithm if you have CA services that run on the Microsoft Windows Server 2008. Refer to the Is it possible to change the hash algorithm when I renew the Root CA article in order to modify the hashing algorithm.