Certificate Pinning in Cisco Meeting Server

Certificate pinning is introduced on cisco meeting server starting in CMS 3.0 to help prevent man in the middle attack.

But what is the Certificate Pinning?

Traditionally, SSL Handshake consists on the validation of the server’s certificate, let’s say collab.com. The validation is done using the CA’s certificate located in the certificate store of the web browser.

The certificate store contains several CA Certificates, may be more than 100.

If at least one CA delivers by mistake or more likely to conduct an attack a valid certificate for example *.collab.com, attackers are able to launch a Man In The Middle Attack.

in order to prevent this attack, it is possible to use the SSL protocol in another way, by creating an association between the domain name of a site (www.collab.com) and the certificate or certification authority expected. Thus, only the a certificate (of collab.com) signed by one of the specific certification authorities will be accepted and if the certificate of collab.com signed by another CA is presented, it is not trusted.

Certificate pinning can be explained with a simple words: Is this connection secure with a valid certificate and is it signed by the CA I’m expecting?.

For Cisco Meeting Server, the C2W connection between the WebBridge and CallBridge uses the concept of certificate pinning to prevent the Man In the Middle Attack.

This is done by the webbridge3 c2W trust <certificate chain> and callbridge trust c2W <certificate chain> command.

The webbridge will trust certificates of callbridges that have been signed by one of those in its trust store, set by webbridge3 c2w trust.

The callbridge will trust webbridges that have certificates signed by one of those in its trust store, set by callbridge trust c2w

To demonstrate I used two different CA to sign :

1-The WebBridge certificate with CA’s certificate called WEBBRIDGE-ROOT.cer.
2-The CallBridge certificate with CA’s certificate called CALLBRIDGE-ROOT.cer.

Basically:

1-you tell to the WebBridge service—-> trust only the CallBridge’s certificate signed by CALLBRIDGE-ROOT.cer. It’s enforced with the webbridge3 c2w trust CALLBRIDGE-ROOT.cer command.

2-You tell to the CallBridge service—-> trust only the WebBridge’s certificate signed by WEBBRIDGE-ROOT.cer. It’s enforced with the callbridge trust c2w WEBBRIDGE-ROOT command.