4274 Views | 0 Helpful | 7 Replies

How do I disable SSL 2 and 3 on APICs

Heino Human
Level 1

Hi guys,

I just upgraded our ACI infrastructure from 3.2 to 4.2. Now our security scan system within our network has alarmed stating "The remote service accepts connections encrypted using SSL 2.0 and/or SSL 3.0".

How would I disable this in the APICs?

Thank you

Heino

Accepted Solution

Heino Human
Level 1

Hi guys,

For anyone else who might run into this issue: with version 4.2, Cisco has opened port 8989 to the OOB mgmt network.

Once I created a filter to block traffic to the OOB mgmt network on port 8989, our security scans failed to see the open port.
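The accepted answer describes a filter on the OOB management network but not how it is expressed. The script below is an added example (not code from the thread or from Cisco) showing how such a permit-list is built as ACI managed objects in tenant mgmt (a vzFilter with vzEntry children, an out-of-band contract vzOOBBrCP, the default OOB node management EPG as provider and an external management instance profile as consumer) and pushed through the APIC REST API. It relies on ACI filter entries being match-and-permit rules: once an OOB contract is applied, traffic matching none of its entries is dropped, so an unwanted listener such as TCP 8989 is excluded by not listing it. The APIC URL, the admin subnet 192.0.2.0/24 and the port list are assumed placeholders, and the consumer subnet must include your own management hosts or you lock yourself out of the APIC.

```python
import json
import ssl
import urllib.request
from http.cookiejar import CookieJar


def oob_policy(allowed_tcp_ports, mgmt_subnets, name="oob-mgmt"):
    """Return the managed objects (in POST order) for a permit-list OOB contract.

    Each vzEntry matches one TCP destination port; once the contract is applied,
    traffic matching none of them is dropped, so TCP 8989 is excluded simply
    by leaving it out of allowed_tcp_ports.
    """
    entries = [
        {"vzEntry": {"attributes": {
            "name": f"tcp-{port}", "etherT": "ip", "prot": "tcp",
            "dFromPort": str(port), "dToPort": str(port)}}}
        for port in allowed_tcp_ports
    ]
    return [
        # The filter holds the permitted destination ports.
        {"vzFilter": {"attributes": {"dn": f"uni/tn-mgmt/flt-{name}", "name": name},
                      "children": entries}},
        # The out-of-band contract references the filter through a subject.
        {"vzOOBBrCP": {"attributes": {"dn": f"uni/tn-mgmt/oobbrc-{name}", "name": name},
                       "children": [{"vzSubj": {"attributes": {"name": "mgmt"}, "children": [
                           {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": name}}}]}}]}},
        # Provider: the default OOB node management EPG (APICs and switches).
        {"mgmtOoB": {"attributes": {"dn": "uni/tn-mgmt/mgmtp-default/oob-default"},
                     "children": [{"mgmtRsOoBProv": {"attributes": {"tnVzOOBBrCPName": name}}}]}},
        # Consumer: the external subnets allowed to reach the OOB EPG at all.
        {"mgmtInstP": {"attributes": {"dn": f"uni/tn-mgmt/extmgmt-default/instp-{name}", "name": name},
                       "children": [{"mgmtRsOoBCons": {"attributes": {"tnVzOOBBrCPName": name}}}]
                                   + [{"mgmtSubnet": {"attributes": {"ip": s}}} for s in mgmt_subnets]}},
    ]


def permitted_ports(policy):
    """Collect the destination ports the policy's filter permits, for review before pushing."""
    ports = set()
    for mo in policy:
        for child in mo.get("vzFilter", {}).get("children", []):
            ports.add(child["vzEntry"]["attributes"]["dFromPort"])
    return ports


def push(apic_url, user, pwd, policy, cafile=None):
    """Log in to the APIC and POST each object; yields the APIC's JSON reply per object."""
    ctx = ssl.create_default_context(cafile=cafile)      # pass the APIC's CA to verify its certificate
    opener = urllib.request.build_opener(
        urllib.request.HTTPCookieProcessor(CookieJar()),   # keeps the APIC-cookie session token
        urllib.request.HTTPSHandler(context=ctx))
    login = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    opener.open(urllib.request.Request(f"{apic_url}/api/aaaLogin.json", data=login, method="POST"))
    for mo in policy:
        req = urllib.request.Request(f"{apic_url}/api/mo/uni.json",
                                     data=json.dumps(mo).encode(), method="POST")
        with opener.open(req) as resp:
            yield json.loads(resp.read())


if __name__ == "__main__":
    import getpass
    import sys
    # Placeholders (assumptions): HTTPS and SSH only, from one admin subnet.
    policy = oob_policy([443, 22], ["192.0.2.0/24"])
    print("permitted ports:", sorted(permitted_ports(policy), key=int))
    if len(sys.argv) > 2:                                 # python3 oob_policy.py https://apic.example.net admin
        for reply in push(sys.argv[1], sys.argv[2], getpass.getpass(), policy):
            print(reply.get("totalCount"), reply.get("imdata"))
```

Review the output of permitted_ports() before calling push(): every protocol operations actually uses against the OOB addresses (HTTPS, SSH, and anything else in service) has to be listed, and the consumer subnets decide whether the scanner can still reach 443 and 22 to confirm that only those remain exposed.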


7 Replies

Marcel Zehnder
Spotlight

Hi Heino

You'll find the SSL protocol config in the GUI at Fabric --> Fabric Policies --> Policies --> Pod --> Management Access --> default

HTH

Marcel

Hi Marcel,

Yes, I have looked there, but there is no option to enable/disable SSLv2 or 3.

I have raised a TAC case for this and am just waiting on our Cyber ops team to provide their details to TAC on how they found the APICs responding to these services.

Thank you

Heino

Indeed SSLv2/v3 must be disabled. Are you sure your scanner isn't reporting a false positive? Are you scanning port 443 or is this alarm for another port on the APIC?

Robert Burns
Cisco Employee

What scanning tool is your security team using? Nessus?

Robert

Yes, that is one of them.

I should mention, this is only on port 8989 for SSLv2 and 3.

I have raised a case with Cisco TAC on this. I can't find any documentation related to it anywhere. Once I get an update, I will share it here.

I did run the netstat command on the APICs and there is no communication on port 8989.
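Marcel asks whether the scanner might be reporting a false positive and which port is involved, and the reply above narrows it to 8989. As an added example (not from the thread, Cisco or any scanner vendor), the script below reproduces the check a scanner performs: it sends a bare SSLv2 CLIENT-HELLO and SSLv3/TLS ClientHello records to a host and port and classifies the first record the server sends back, so the finding can be confirmed independently from a known host before raising it with TAC. It speaks the record layer directly because current OpenSSL builds, and therefore Python's ssl module, refuse to negotiate SSLv2 or SSLv3 at all. Host and port are command-line arguments; the cipher-suite lists are a few legacy suites chosen so an old stack has something to select.

```python
import os
import socket
import struct
import sys

# Wire protocol versions for the SSLv3/TLS record layer (all deprecated).
VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302}

# Legacy cipher suites an SSLv3-era stack recognises
# (RC4-MD5, RC4-SHA, 3DES-SHA, AES128-SHA, AES256-SHA).
LEGACY_SUITES = [0x0004, 0x0005, 0x000A, 0x002F, 0x0035]

# SSLv2 cipher kinds: RC4_128_WITH_MD5, RC4_128_EXPORT40_WITH_MD5, DES_192_EDE3_CBC_WITH_MD5.
SSLV2_CIPHERS = b"\x01\x00\x80" b"\x02\x00\x80" b"\x07\x00\xc0"


def client_hello(version: int) -> bytes:
    """Build an SSLv3/TLS ClientHello record without extensions for `version`."""
    suites = b"".join(struct.pack("!H", s) for s in LEGACY_SUITES)
    body = (
        struct.pack("!H", version)                 # client_version
        + os.urandom(32)                           # random
        + b"\x00"                                  # session_id: empty
        + struct.pack("!H", len(suites)) + suites  # cipher_suites
        + b"\x01\x00"                              # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def classify_response(version: int, data: bytes) -> str:
    """Interpret the first server record after a ClientHello at `version`.

    "accepted": ServerHello carrying the probed version (the finding is real).
    "other-version": ServerHello, but the server chose a different version.
    "rejected": an alert; for SSLv3 this is protocol_version or handshake_failure,
    for TLS 1.x it may also just mean none of the legacy suites was acceptable.
    """
    if len(data) < 5:
        return "unknown"
    if data[0] == 0x15:                                           # ContentType alert
        return "rejected"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake / ServerHello
        server_version = struct.unpack("!H", data[9:11])[0]
        return "accepted" if server_version == version else "other-version"
    return "unknown"


def sslv2_client_hello() -> bytes:
    """Build an SSLv2 CLIENT-HELLO; SSLv2 has a 2-byte length header and no record layer."""
    challenge = os.urandom(16)
    body = (
        b"\x01"                                                   # msg type CLIENT-HELLO
        + b"\x00\x02"                                             # version 2.0
        + struct.pack("!HHH", len(SSLV2_CIPHERS), 0, len(challenge))
        + SSLV2_CIPHERS + challenge
    )
    return struct.pack("!H", 0x8000 | len(body)) + body


def classify_sslv2_response(data: bytes) -> str:
    """An SSLv2 SERVER-HELLO (msg type 4) means SSLv2 is accepted."""
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x04:
        return "accepted"
    if data and data[0] in (0x15, 0x16):                          # answered in SSLv3/TLS framing instead
        return "rejected"
    return "unknown"


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Open one connection per version and report the server's verdict for each."""
    results = {}
    for name, version in [("SSLv2", None)] + list(VERSIONS.items()):
        hello = sslv2_client_hello() if version is None else client_hello(version)
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(hello)
                data = sock.recv(4096)
        except OSError as exc:                                    # closed port, reset, timeout
            results[name] = f"error: {exc}"
            continue
        results[name] = (classify_sslv2_response(data) if version is None
                         else classify_response(version, data))
    return results


if __name__ == "__main__":                                        # python3 legacy_tls_probe.py <host> [port]
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for name, verdict in probe(target, target_port).items():
        print(f"{name:8s} {verdict}")
```

Run it once against 443 and once against 8989 on the same APIC: "accepted" on SSLv2 or SSLv3 confirms the scanner's alarm, "rejected" or a connection error on 8989 after the OOB filter is applied shows what the scanner should now see.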


Hi!!!

Heino, how do you block the traffic to the OOB network on port 8989? With a taboo contract or an OOB contract?

Regards!!!
