https://community.cisco.com/t5/network-security/insecurity-message-with-ssh-in-switch-3850/m-p/4543545#M1086965 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1190993">@Leftz</a> that message from tenable is probably referring to the https server that is enabled on the switch, not ssh.</P> <P>If you are not using it you can disable using "no ip http secure-server" you can also disable http server "no ip http server".</P> Tue, 01 Feb 2022 17:00:16 GMT Rob Ingram 2022-02-01T17:00:16Z https://community.cisco.com/t5/network-security/insecurity-message-with-ssh-in-switch-3850/m-p/4543542#M1086964 <P>Hi We have switch c3850/ver 03.03.01.SE. Now some insecurity message (Please see the below) is sent to us from tenable.&nbsp;</P><P>The device has the below two commands. Are these two commands is the reason for the insecurity? Thank you</P><P>&nbsp;</P><P>ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr<BR />ip ssh client algorithm encryption aes128-ctr aes192-ctr aes256-ctr</P><P>&nbsp;</P><P>&nbsp;</P><P>-------</P><P>message is from tenable:</P><P>"The remote service accepts connections encrypted using SSL 2.0 and/or<BR />SSL 3.0. These versions of SSL are affected by several cryptographic<BR />flaws, including:</P><P>- An insecure padding scheme with CBC ciphers.</P><P>- Insecure session renegotiation and resumption schemes.</P><P>An attacker can exploit these flaws to conduct man-in-the-middle<BR />attacks or to decrypt communications between the affected service and<BR />clients.</P><P>Although SSL/TLS has a secure means for choosing the highest supported<BR />version of the protocol (so that these versions will be used only if<BR />the client or server support nothing better), many web browsers<BR />implement this in an unsafe way that allows an attacker to downgrade<BR />a connection (such as in POODLE). Therefore, it is recommended that<BR />these protocols be disabled entirely.</P><P>NIST has determined that SSL 3.0 is no longer acceptable for secure<BR />communications. As of the date of enforcement found in PCI DSS v3.1,<BR />any version of SSL will not meet the PCI SSC's definition of 'strong<BR />cryptography'."</P> Tue, 01 Feb 2022 16:55:07 GMT https://community.cisco.com/t5/network-security/insecurity-message-with-ssh-in-switch-3850/m-p/4543542#M1086964 Leftz 2022-02-01T16:55:07Z https://community.cisco.com/t5/network-security/insecurity-message-with-ssh-in-switch-3850/m-p/4543545#M1086965 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1190993">@Leftz</a> that message from tenable is probably referring to the https server that is enabled on the switch, not ssh.</P> <P>If you are not using it you can disable using "no ip http secure-server" you can also disable http server "no ip http server".</P> Tue, 01 Feb 2022 17:00:16 GMT https://community.cisco.com/t5/network-security/insecurity-message-with-ssh-in-switch-3850/m-p/4543545#M1086965 Rob Ingram 2022-02-01T17:00:16Z https://community.cisco.com/t5/network-security/insecurity-message-with-ssh-in-switch-3850/m-p/4543566#M1086968 <P>Hi Rob, Thank you very much! I think you are right.</P> Tue, 01 Feb 2022 17:22:58 GMT https://community.cisco.com/t5/network-security/insecurity-message-with-ssh-in-switch-3850/m-p/4543566#M1086968 Leftz 2022-02-01T17:22:58Z https://community.cisco.com/t5/network-security/insecurity-message-with-ssh-in-switch-3850/m-p/4543707#M1086986 <BLOCKQUOTE><HR /><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1190993">@Leftz</a>&nbsp;wrote:<BR /> <P><SPAN>We have switch c3850/ver 03.03.01.SE.</SPAN></P> <HR /></BLOCKQUOTE> <P>If the switch's firmware cannot/will-not be upgraded, anything else is an exercise of futility.</P> Tue, 01 Feb 2022 22:59:19 GMT https://community.cisco.com/t5/network-security/insecurity-message-with-ssh-in-switch-3850/m-p/4543707#M1086986 Leo Laohoo 2022-02-01T22:59:19Z https://community.cisco.com/t5/network-security/insecurity-message-with-ssh-in-switch-3850/m-p/4544244#M1087007 <P>Thank you Leo!</P> Wed, 02 Feb 2022 16:26:01 GMT https://community.cisco.com/t5/network-security/insecurity-message-with-ssh-in-switch-3850/m-p/4544244#M1087007 Leftz 2022-02-02T16:26:01Z