topic Re: Upgrade SSL in Endpoint Security

Upgrade SSL

dbrill001 — Sat, 09 Mar 2019 01:48:57 GMT

So I am running security scans on our network for the first time. I have a long list of things to fix. One is the SSL/TLS suite another is upgrading the key to the diffie-hellman key exchange. I was hoping to get pointed in the right direction on how to disable old unused protocols or upgrade the keys to these protocols.encryption

Re: Upgrade SSL

Seb Rupik — Tue, 29 Jan 2019 19:20:35 GMT

HI there,

It would help to know what platforms you are looking to re-configure. Keep in mind that older platforms will not be able to use 'Next Generation Encryption' so some of the suites will not be available to you.

https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html

cheers,

Seb.

Re: Upgrade SSL

dbrill001 — Tue, 29 Jan 2019 19:25:23 GMT

We have 2 3560x Catalysts. I assume by your comment I will be out of luck upgrading these since they are end of life in October.

Re: Upgrade SSL

Seb Rupik — Tue, 29 Jan 2019 20:01:28 GMT

The 3560X software is still being actively developed, the last release was only 4 months ago. 15.2(4)E7 will contain fixes for the most pressing OpenSSL and TLS vulnerabilities. Check the release notes and specifically the resolved caveats:

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst3750x_3560x/software/release/15-2_4_e/releasenotes/rn-1524e-3750x3560x.html#pgfId-1115282

If you want to choose the ciphers used IOS take a look at this document:

https://www.cisco.com/c/en/us/td/docs/app_ntwk_services/waas/waas/v501/command/reference/cmdref/crypto_ssl.pdf

cheers,

Seb.