CML Images Support for Recent non-SHA1 DH Keys

zachartl
Level 1

Hello,

Have the latest CML images discontinued the use of SHA-1 DH Key Exchanges? 

I'm trying to utilize Ansible with my existing IOS-L2 images. It appears OpenSSL/SSH is no longer supporting SHA-1.

Thank you,

Terry

3 Replies

Ramblin Tech
Spotlight

If you are looking for CML router images that might support SHA1, older refplat ISOs are still available for download on both Software Central (for CML-E customers) and the Learning Network Store (for CML-P customers). Search through older CML 2.x versions for the refplats (1.x images are still even available on the Learning Network Store).

Once you have the ISO, you can extract the images you want to try and upload to CML as additional images for the existing node definitions. That is, you do not have to overwrite the latest (2.7) images to add ones from older ISOs.

Disclaimer: I am long in CSCO

Hello,

I'm looking for images that support the latest OpenSSL spec, that entails no support for SHA-1 KEXs. I was wondering if the latest CML images supported SHA-2 KEXs. It looks like they might, given the IOS-XE version/s.

Sorry, misunderstood the question, but what you were asking was clear upon re-reading. I think this may be what you are looking for wrt ssh...

IOSv image from CML 2.7: 15.9(3)M8

iosv(config)#ip ssh server algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = key length = 160 bits)
hmac-sha1-96 HMAC-SHA1-96 (digest length = 96 bits, key length = 160 bits)
hmac-sha2-256 HMAC-SHA2-256 (digest length = 256 bits, key length = 256 bits)
hmac-sha2-512 HMAC-SHA2-512 (digest length = 512 bits, key length = 512 bits)

 

IOL image from CML 2.7: 17.12.1

iol(config)#ip ssh server algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = 160 bits,key length = 160 bits)
hmac-sha2-256 HMAC-SHA2-256 (digest length = 256 bits, key length = 256 bits)
hmac-sha2-256-etm@openssh.com HMAC-SHA2-256-ETM (digest length = 256 bits, key length = 256 bits)
hmac-sha2-512 HMAC-SHA2-512 (digest length = 512 bits, key length = 512 bits)
hmac-sha2-512-etm@openssh.com HMAC-SHA2-512-ETM (digest length = 512 bits, key length = 512 bits)

Can also check CSR1Kv and Cat8Kv, if that helps.

Disclaimer: I am long in CSCO