02-14-2021 03:26 PM
Hi guys,
I just upgraded our ACI infrastructure from 3.2 to 4.2. Now our security scan system within our network has alarmed stating
"The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0"
How would I disable this in the APICs?
Thank you
Heino
02-21-2021 09:40 AM
Hi Heino
You'll find the SSL protocol config in the GUI at Fabric --> Fabric Policies --> Policies --> Pod --> Management Access --> default
HTH
Marcel
02-22-2021 03:15 PM
Hi Marcel,
Yes, I have looked there, but there is no option to enable/disable SSLv2 or 3.
I have raised a TAC case for this and just waiting on our Cyber ops team to provide their details to TAC on how they found the APICs responding to these services.
Thank you
Heino
02-22-2021 10:28 PM
Indeed SSLv2/v3 must be disabled. Are you sure your scanner isn't reporting a false positive? Are you scanning port 443 or is this alarm for another port on the APIC?
02-23-2021 05:26 AM
What scanning tool is your security team using? Nessus?
Robert
03-08-2021 06:43 PM
Yes, that is one of them.
I should mention, this is only on port 8989 for SSLv2 and 3.
I have raised a case with Cisco TAC on this. I can't find any documentation related to it anywhere. Once I get an update, I will share it here.
I did run the netstat command on the APICs and there is no communication on port 8989.
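One way to confirm a scanner finding like this independently of the scanning tool, as an added example that is not part of the original thread: offer a single protocol version in a hand-built ClientHello and see whether the service answers with a ServerHello for that version. The host and port come from the command line, the cipher suite list is an assumption, and SSLv2 is not covered because its hello format differs.

```python
import socket
import struct
import sys
from os import urandom

# Wire encoding (major, minor) of each protocol version this check can offer.
VERSIONS = {"SSLv3": (3, 0), "TLSv1.0": (3, 1), "TLSv1.1": (3, 2), "TLSv1.2": (3, 3)}
# Legacy RSA suites an SSLv3-era stack understands: RC4-MD5, RC4-SHA, 3DES, AES128, AES256.
SUITES = (0x0004, 0x0005, 0x000A, 0x002F, 0x0035)


def build_client_hello(name):
    """Build a minimal ClientHello record offering exactly one protocol version."""
    ver = bytes(VERSIONS[name])
    suites = b"".join(struct.pack(">H", s) for s in SUITES)
    body = ver + urandom(32) + b"\x00"                 # version, random, empty session id
    body += struct.pack(">H", len(suites)) + suites    # cipher suite list
    body += b"\x01\x00"                                # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + ver + struct.pack(">H", len(handshake)) + handshake


def classify_response(data, name):
    """Classify the first bytes of the reply as 'accepted', 'rejected' or 'unknown'."""
    if not data or data[0] == 0x15:                    # closed connection or TLS alert
        return "rejected"
    # Handshake record with a ServerHello: bytes 9-10 hold the version the server chose.
    if len(data) >= 11 and data[0] == 0x16 and data[5] == 0x02:
        return "accepted" if tuple(data[9:11]) == VERSIONS[name] else "rejected"
    return "unknown"                                   # not a TLS reply (e.g. plain HTTP)


def probe(host, port, name, timeout=5.0):
    """Send one hello to host:port and classify what comes back."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(name))
            return classify_response(sock.recv(4096), name)
    except ConnectionResetError:
        return "rejected"
    except OSError:                                    # refused, filtered or timed out
        return "unreachable"


if __name__ == "__main__":
    # Usage: python check_versions.py <host> <port>   (values supplied by the operator)
    for version_name in VERSIONS:
        print(version_name, probe(sys.argv[1], int(sys.argv[2]), version_name))
```

A "rejected" result only means the service refused that version with these five suites; "unreachable" is what to expect once a filter blocks the port.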
03-21-2021 04:56 PM
Hi guys,
For anyone else who might run into this issue: with version 4.2, Cisco has opened port 8989 to the OOB mgmt network.
Once I created a filter to block traffic to the OOB mgmt network on port 8989, our security scans failed to see the open port.
04-28-2022 07:14 PM
Hi!!!
Heino, how do you block the traffic to the OOB network on port 8989? With a taboo contract or an OOB contract?
Regards!!!