topic Re: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm in Network Security

SSL/TLS: Certificate Signed Using A Weak Signature Algorithm

PaoloArnedo — Mon, 14 Mar 2022 15:27:08 GMT

Hello our switch Cisco WS-C2960L-SM-24PS has this vulnerability and the recommended solution to this is to obtain new SHA-2 signed SSL/TLS certificates to avoid web browser SSL/TLS certificate warnings. Can you please guide me on how to do this or suggest some commands that I can do on the device. thanks in advance

Re: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm

balaji.bandi — Mon, 14 Mar 2022 16:03:26 GMT

check self signed certificate (and clients also required to trust that certificate) - do you have PKI infra structore inside ?

https://www.cisco.com/c/en/us/support/docs/security-vpn/public-key-infrastructure-pki/215118-ios-self-signed-certificate-expiration-o.html

Re: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm

Rob Ingram — Mon, 14 Mar 2022 16:08:25 GMT

@PaoloArnedo are you actually using the HTTP or HTTPS server on the switch to manage the device? If not, disable them and then the switch won't be listening on tcp/443.

If you are, create a new trustpoint and authenticate/enroll the certificate to generate a CSR, sign the certificate from your internal CA.

Example trustpoint:

crypto pki trustpoint LAB_PKI
 enrollment terminal 
 revocation-check none

once the signed certificate has been imported, assign to the trustpoint

ip http secure-trustpoint LAB_PKI

Delete the old trustpoint.

Re: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm

PaoloArnedo — Mon, 14 Mar 2022 16:12:59 GMT

Thank you for the insight, to answer your question yes I am using HTTP as a server. does the process needs a reboot on the device and can it affect the hosts communicating to the switch?

Re: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm

Rob Ingram — Mon, 14 Mar 2022 16:14:48 GMT

@PaoloArnedo the web interface (http or https) is for management purposes only, so it will not affect the connected hosts. No it does not require a reboot.

Re: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm

MHM Cisco World — Mon, 14 Mar 2022 16:57:40 GMT

....

Re: SSL/TLS: Certificate Signed Using A Weak Signature Algorithm

PaoloArnedo — Mon, 14 Mar 2022 16:48:56 GMT

thank you! also may I ask, how do I deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE) or use a 2048-bit or stronger Diffie-Hellman group on the device?