https://community.cisco.com/t5/network-security/strong-key-exchange-for-vulnerability/m-p/4652329#M1091934 <P>Hi we got the below info from vulnerability security scan from cisco switch. I am not sure how to allow strong key exchange. Anyone can share some experience? Thank you</P><P>&nbsp;</P><P>Change the SSL/TLS server configuration to only allow strong key exchanges. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges.</P><P>Weak SSL/TLS Key Exchange</P> Mon, 18 Jul 2022 14:33:25 GMT Leftz 2022-07-18T14:33:25Z https://community.cisco.com/t5/network-security/strong-key-exchange-for-vulnerability/m-p/4652329#M1091934 <P>Hi we got the below info from vulnerability security scan from cisco switch. I am not sure how to allow strong key exchange. Anyone can share some experience? Thank you</P><P>&nbsp;</P><P>Change the SSL/TLS server configuration to only allow strong key exchanges. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie Hellman and RSA key exchanges.</P><P>Weak SSL/TLS Key Exchange</P> Mon, 18 Jul 2022 14:33:25 GMT https://community.cisco.com/t5/network-security/strong-key-exchange-for-vulnerability/m-p/4652329#M1091934 Leftz 2022-07-18T14:33:25Z https://community.cisco.com/t5/network-security/strong-key-exchange-for-vulnerability/m-p/4652341#M1091935 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1190993">@Leftz</a> do you even use SSL/TLS on the switches? as most organisations I work with do not. I therefore just disable SSL/TLS, use the command "no ip http secure-server".</P> <P>You can expictly configure the ciphersuite "<SPAN class="ph synph"><SPAN class="keyword kwd">ip http secure-ciphersuite</SPAN> &lt;ciphersuite&gt;"</SPAN></P> <P><SPAN class="ph synph"><A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/17-3/configuration_guide/sec/b_173_sec_9200_cg/configuring_secure_socket_layer_http.html#con_1226558" target="_blank">https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/17-3/configuration_guide/sec/b_173_sec_9200_cg/configuring_secure_socket_layer_http.html#con_1226558</A></SPAN></P> <P><SPAN class="ph synph">You can also limit SSL/TLS connections using an ACL<BR /></SPAN></P> <P>&nbsp;</P> Mon, 18 Jul 2022 14:48:39 GMT https://community.cisco.com/t5/network-security/strong-key-exchange-for-vulnerability/m-p/4652341#M1091935 Rob Ingram 2022-07-18T14:48:39Z https://community.cisco.com/t5/network-security/strong-key-exchange-for-vulnerability/m-p/4652402#M1091938 <P>Thank you Rob. I think you are correct.&nbsp;</P> Mon, 18 Jul 2022 15:32:01 GMT https://community.cisco.com/t5/network-security/strong-key-exchange-for-vulnerability/m-p/4652402#M1091938 Leftz 2022-07-18T15:32:01Z