https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5075243#M1111517 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1657352">@mohammedalrawiib</a> you asked this question is a separate thread last week: <A href="https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/td-p/5072776" target="_blank">https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/td-p/5072776</A></P> <P>At that time you said you were going to provide the running config but you have not yet done so.</P> Mon, 22 Apr 2024 13:35:24 GMT Marvin Rhoads 2024-04-22T13:35:24Z https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5074909#M1111504 <P>Hi&nbsp;</P><P>I hope your doing well&nbsp;</P><P>in our network infrastructure&nbsp; where we have Qualys to scan for vulnerabilities i can't find a solution for this certain vulnerability here are the details :</P><P>Weak SSL/TLS Key Exchange&nbsp;</P><P>impact an attacker with access to sufficient computational power might be able to recover the session key and decrypt session content&nbsp;</P><P>i have tried the suggested solution from both community cisco but when we i scan again the vulnerability remains the same , the solution that i have tried is to disable SSL/TLS on the switches after scanning it still shows the same vulnerability ,also i have tried to configure the cipher suite with AES 256 the vulnerability remains the same .</P><P>the following commands were executed&nbsp;</P><P><STRONG>no ip http secure-server&nbsp;</STRONG></P><P>&nbsp;</P><P>&nbsp;</P><P>the switch we have is cisco 9200 version&nbsp;<SPAN><SPAN class="">17.6</SPAN></SPAN></P><P><SPAN><SPAN class="">regards</SPAN></SPAN></P> Mon, 22 Apr 2024 05:58:45 GMT https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5074909#M1111504 mohammedalrawiib 2024-04-22T05:58:45Z https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5074925#M1111506 <P><SPAN>Hello <a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1657352">@mohammedalrawiib</a>&nbsp;</SPAN></P><P><SPAN>Configuration changes might require a reboot to take effect. Reboot the switch and re-scan to verify if the vulnerability persists.</SPAN></P><P><SPAN>Determine if there are other interfaces or modules on the switch that might be using SSL/TLS.</SPAN></P><P><SPAN>will you share the output of&nbsp; "show running-config".</SPAN></P><P><SPAN>&gt;_&lt;</SPAN></P> Mon, 22 Apr 2024 06:26:24 GMT https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5074925#M1111506 Kumaresan Ravichandran 2024-04-22T06:26:24Z https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5075049#M1111507 <P>hello&nbsp;</P><P>i can't reboot this will take our service down , i tried to enable it again they said it would remove it this is the config&nbsp;</P><P>ip forward-protocol nd<BR />no ip http server<BR />ip http authentication local<BR />no ip http secure-server<BR />ip http secure-ciphersuite aes-256-cbc-sha<BR />ip http tls-version&nbsp;TLSv1.2</P> Mon, 22 Apr 2024 08:39:09 GMT https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5075049#M1111507 mohammedalrawiib 2024-04-22T08:39:09Z https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5075201#M1111514 <P>Hello&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1657352">@mohammedalrawiib</a>&nbsp;</P><P><SPAN>When dealing with SSL/TLS vulnerabilities, particularly those related to key exchange, it can be frustrating when the recommended solutions don't seem to resolve the issue.&nbsp;</SPAN><SPAN>If your goal is to mitigate the "Weak SSL/TLS Key Exchange" vulnerability, these commands can help ensure secure configurations. Then it is resolved right ?</SPAN></P><P><SPAN>I hope this helps resolve your vulnerability issue. If it is ok then mark your post to solved category.</SPAN></P><P><SPAN>Rate it too.</SPAN></P><P><SPAN>&gt;_&lt;</SPAN></P> Mon, 22 Apr 2024 12:33:07 GMT https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5075201#M1111514 Kumaresan Ravichandran 2024-04-22T12:33:07Z https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5075243#M1111517 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/1657352">@mohammedalrawiib</a> you asked this question is a separate thread last week: <A href="https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/td-p/5072776" target="_blank">https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/td-p/5072776</A></P> <P>At that time you said you were going to provide the running config but you have not yet done so.</P> Mon, 22 Apr 2024 13:35:24 GMT https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5075243#M1111517 Marvin Rhoads 2024-04-22T13:35:24Z https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5118513#M1113049 <P>Dears&nbsp;</P><P>after a while we changed the ssh port number (default is 22) to another port also we blocked 22 port then the vulnerability was removed this is the solution that we found if you have any other solution please let us know.</P><P>best regards&nbsp;</P> Tue, 28 May 2024 12:53:35 GMT https://community.cisco.com/t5/network-security/weak-ssl-tls-key-exchange/m-p/5118513#M1113049 mohammedalrawiib 2024-05-28T12:53:35Z