https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5072780#M1111410 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1657352">@mohammedalrawiib</a> what commands did you configure? Provide the configuration.</P> <P>Did you use the command - <STRONG>no ip http secure-server </STRONG>to disable https server?</P> <P>You could also apply an ACL to restrict traffic to trusted sources, that would help mitigate the issue.</P> Thu, 18 Apr 2024 09:27:13 GMT Rob Ingram 2024-04-18T09:27:13Z https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5072776#M1111409 <P>Hi&nbsp;</P><P>I hope your doing well&nbsp;</P><P>in our network infrastructure&nbsp; where we have Qualys to scan for vulnerabilities i can't find a solution for this certain vulnerability here are the details :</P><P>Weak SSL/TLS Key Exchange&nbsp;</P><P>impact an attacker with access to sufficient computational power might be able to recover the session key and decrypt session content&nbsp;</P><P>i have tried the suggested solution from both community cisco but when we i scan again the vulnerability remains the same , the solution that i have tried is to disable SSL/TLS on the switches after scanning it still shows the same vulnerability ,also i have tried to configure the cipher suite with AES 256 the vulnerability remains the same .</P><P>the switch we have is cisco 9200 version&nbsp;<SPAN><SPAN class="">17.6</SPAN></SPAN></P><P>best regards</P> Thu, 18 Apr 2024 09:15:07 GMT https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5072776#M1111409 mohammedalrawiib 2024-04-18T09:15:07Z https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5072780#M1111410 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1657352">@mohammedalrawiib</a> what commands did you configure? Provide the configuration.</P> <P>Did you use the command - <STRONG>no ip http secure-server </STRONG>to disable https server?</P> <P>You could also apply an ACL to restrict traffic to trusted sources, that would help mitigate the issue.</P> Thu, 18 Apr 2024 09:27:13 GMT https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5072780#M1111410 Rob Ingram 2024-04-18T09:27:13Z https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5072782#M1111411 <P>Yes i tried to use the command&nbsp;<STRONG>no ip http secure-server </STRONG>but the vulnerability remains in the scan report&nbsp;</P> Thu, 18 Apr 2024 09:29:34 GMT https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5072782#M1111411 mohammedalrawiib 2024-04-18T09:29:34Z https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5072786#M1111412 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1657352">@mohammedalrawiib</a> with that command, https on the switch is disabled and should not respond.</P> <P>Are you sure a new scan was run after that command was configured?</P> <P>Provide your configuration</P> <P>&nbsp;</P> Thu, 18 Apr 2024 09:36:56 GMT https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5072786#M1111412 Rob Ingram 2024-04-18T09:36:56Z https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5073001#M1111417 <P>tried to scan 2 times and the vulnerability still remains is there anything i can try ?</P><P>can't provide configuration right now, will provide on Sunday&nbsp;</P><P>regards&nbsp;</P> Thu, 18 Apr 2024 12:38:23 GMT https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5073001#M1111417 mohammedalrawiib 2024-04-18T12:38:23Z https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5118512#M1113048 <P>Dears&nbsp;</P><P>after a while we changed the ssh port number (default is 22) to another port also we blocked 22 port then the vulnerability was removed this is the solution that we found if you have any other solution please let us know&nbsp;</P><P>best regards&nbsp;</P> Tue, 28 May 2024 12:53:11 GMT https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5118512#M1113048 mohammedalrawiib 2024-05-28T12:53:11Z