05-22-2024 11:45 AM
Hello,
Have the latest CML images discontinued the use of SHA-1 DH Key Exchanges?
I'm trying to utilize Ansible with my existing IOS-L2 images. It appears OpenSSL/SSH is no longer supporting SHA-1.
Thank you,
Terry
05-22-2024 12:54 PM
If you are looking for CML router images that might support SHA1, older refplat ISOs are still available for download on both Software Central (for CML-E customers) and the Learning Network Store (for CML-P customers). Search through older CML 2.x versions for the refplats (1.x images are still even available on the Learning Network Store).
Once you have the ISO, you can extract the images you want to try and upload to CML as additional images for the existing node definitions. That is, you do not have to overwrite the latest (2.7) images to add ones from older ISOs.
05-22-2024 01:34 PM
Hello,
I'm looking for images that support the latest OpenSSL spec, that entails no support for SHA-1 KEXs. I was wondering if the latest CML images supported SHA-2 KEXs. It looks like they might, given the IOS-XE version/s.
05-22-2024 03:12 PM
Sorry, misunderstood the question, but what you were asking was clear upon re-reading. I think this may be what you are looking for wrt ssh...
IOSv image from CML 2.7: 15.9(3)M8
iosv(config)#ip ssh server algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = key length = 160 bits)
hmac-sha1-96 HMAC-SHA1-96 (digest length = 96 bits, key length = 160 bits)
hmac-sha2-256 HMAC-SHA2-256 (digest length = 256 bits, key length = 256 bits)
hmac-sha2-512 HMAC-SHA2-512 (digest length = 512 bits, key length = 512 bits)
IOL image from CML 2.7: 17.12.1
iol(config)#ip ssh server algorithm mac ?
hmac-sha1 HMAC-SHA1 (digest length = 160 bits,key length = 160 bits)
hmac-sha2-256 HMAC-SHA2-256 (digest length = 256 bits, key length = 256 bits)
hmac-sha2-256-etm@openssh.com HMAC-SHA2-256-ETM (digest length = 256 bits, key length = 256 bits)
hmac-sha2-512 HMAC-SHA2-512 (digest length = 512 bits, key length = 512 bits)
hmac-sha2-512-etm@openssh.com HMAC-SHA2-512-ETM (digest length = 512 bits, key length = 512 bits)
Can also check CSR1Kv and Cat8Kv, if that helps.
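As an added example (not part of any post in this thread, and not Cisco code), the Python below parses the two `ip ssh server algorithm mac ?` listings quoted above, drops the SHA-1 based entries, and builds the matching `ip ssh server algorithm mac` line for each image. The function names and the ETM-first ordering are choices made for this example, and it covers only the MAC listings shown in the thread.

```python
import re

# `ip ssh server algorithm mac ?` help output, copied from the thread above.
IOSV_15_9 = """\
hmac-sha1 HMAC-SHA1 (digest length = key length = 160 bits)
hmac-sha1-96 HMAC-SHA1-96 (digest length = 96 bits, key length = 160 bits)
hmac-sha2-256 HMAC-SHA2-256 (digest length = 256 bits, key length = 256 bits)
hmac-sha2-512 HMAC-SHA2-512 (digest length = 512 bits, key length = 512 bits)
"""
IOL_17_12 = """\
hmac-sha1 HMAC-SHA1 (digest length = 160 bits,key length = 160 bits)
hmac-sha2-256 HMAC-SHA2-256 (digest length = 256 bits, key length = 256 bits)
hmac-sha2-256-etm@openssh.com HMAC-SHA2-256-ETM (digest length = 256 bits, key length = 256 bits)
hmac-sha2-512 HMAC-SHA2-512 (digest length = 512 bits, key length = 512 bits)
hmac-sha2-512-etm@openssh.com HMAC-SHA2-512-ETM (digest length = 512 bits, key length = 512 bits)
"""

# One help line: <name> <description> (digest length = [key length = ]N bits...
HELP_LINE = re.compile(
    r"^\s*(hmac-\S+)\s+\S+\s+\(digest length = (?:key length = )?(\d+) bits",
    re.MULTILINE,
)

def parse_macs(help_text):
    """Map each offered MAC name to its digest length in bits."""
    return {name: int(bits) for name, bits in HELP_LINE.findall(help_text)}

def sha2_macs(help_text):
    """MAC names that are not SHA-1 based, ETM variants first (this example's ordering)."""
    keep = [n for n in parse_macs(help_text) if not n.startswith("hmac-sha1")]
    return sorted(keep, key=lambda n: "-etm@" not in n)  # stable sort keeps listed order

def mac_config_line(help_text):
    """Config line restricting the SSH server to the non-SHA-1 MACs, or None if none remain."""
    macs = sha2_macs(help_text)
    return "ip ssh server algorithm mac " + " ".join(macs) if macs else None

if __name__ == "__main__":
    for label, text in (("IOSv 15.9(3)M8", IOSV_15_9), ("IOL 17.12.1", IOL_17_12)):
        print(label, "->", mac_config_line(text))
```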