3067 Views, 10 Helpful, 1 Reply

Cisco Expressway version 14 Disable Certain Cipher

dryliciouz (Level 1)

Hi,

I would like to get advice from some experts here. We are deploying an Expressway in the environment and have already upgraded to the latest version, X14. Before going live, certain requirements must be met, such as a penetration test.

During the test it was discovered that certain ciphers are enabled by default. We want to disable the weaker ciphers for administration, because the portal supports SHA1 ciphers and ciphers without Forward Secrecy, such as:

- ECDHE-RSA-AES128-SHA Curve P-521 DHE 521
- DHE-RSA-AES128-SHA DHE 4096 bits
- AES256-GCM-SHA384
- AES256-SHA256
- AES128-GCM-SHA256
- AES128-SHA256
- AES128-SHA

Any advice that will be helpful. Thanks

1 Reply

Have a look at the X14 admin guide:

https://www.cisco.com/c/en/us/td/docs/voice_ip_comm/expressway/admin_guide/X14-0/exwy_b_cisco-expressway-administrator-guide/exwy_m_managing-security.html?bookSearch=true

Configuring Minimum TLS Version and Cipher Suites

The Maintenance > Security > Ciphers page is used to manage the minimum TLS version for services on Expressway, and their associated cipher suites.

Note: For improved security, TLS version 1.2 or later is recommended for all encrypted sessions.


Expressway defaults to TLS 1.2 when establishing secure connections for the following:

  • HTTPS
  • Certificate checker
  • Cisco Meeting Server discovery
  • SIP
  • XMPP
  • UC server discovery
  • Reverse proxy
  • LDAP
  • SMTP mail server
  • TMS Provisioning Service

Restart required in some cases

A restart is required after changing the cipher suite configuration or TLS protocol version for the following:

  • SIP
  • XCP

Minimum TLS Version

On upgrade of an existing system, the previous behavior and defaults persist so you won't be defaulted to TLS 1.2.

For new installations, check that all browsers and other equipment that must connect to Expressway support TLS 1.2.

If required (typically for compatibility with legacy equipment), the minimum TLS version can be configured per service to use version 1.0 or 1.1.

Cipher Suites

You can configure the cipher suite and minimum supported TLS version for services on the Expressway. For services where the Expressway can act as a client, such as HTTPS, the same minimum TLS version and cipher suites are negotiated. The cipher suites are shown in the table below (cipher strings are in OpenSSL format):


Service: Cipher suite values (defaults)

HTTPS ciphers: EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL
Reverse proxy TLS ciphers: EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL
SIP TLS ciphers: EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:+ADH
UC server discovery TLS ciphers: EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL
XMPP TLS ciphers: EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL
LDAP TLS ciphers: EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL
TMS TLS ciphers: EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL
SMTP ciphers: EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL
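To see what those OpenSSL-format cipher strings actually admit, and to check a tightened string before pasting it into Maintenance > Security > Ciphers, here is a small audit script. It is an added example for this thread, not code from the poster, the reply, or Cisco. The EXPRESSWAY_DEFAULT value is the documented X14 HTTPS default from the table above; the HARDENED value is my assumed replacement, not a Cisco-documented setting; and the expansion is performed by whatever OpenSSL is linked into the local Python, not the OpenSSL inside Expressway, so confirm the result on the appliance.

```python
"""Expand and audit OpenSSL-format cipher strings of the kind Expressway's
Maintenance > Security > Ciphers page accepts.

Added example, not Cisco code. Expansion is done by the OpenSSL build linked
into Python's ssl module, so it reflects the local library, not the one inside
Expressway; treat the output as a guide and verify on the appliance afterwards.
"""
import re
import ssl

# Documented X14 default for the HTTPS service (the admin portal).
# "-AES256+SHA" drops only the AES256-CBC-SHA1 suites, which is why the
# original poster's scan lists AES128-SHA but no AES256-SHA.
EXPRESSWAY_DEFAULT = (
    "EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL"
)

# Assumed hardened string (my suggestion, not from Cisco documentation):
#   !kRSA  removes static RSA key exchange, i.e. every suite without forward
#          secrecy (AES128-GCM-SHA256, AES256-SHA256, AES128-SHA, ...)
#   !SHA1  removes every suite whose MAC is HMAC-SHA1 (ECDHE-RSA-AES128-SHA,
#          DHE-RSA-AES128-SHA, AES128-SHA)
# Do not write !RSA: that alias also removes RSA *authentication*, so the
# ECDHE-RSA-* suites used with an RSA server certificate would vanish too.
HARDENED = (
    "EECDH:EDH:HIGH:!kRSA:!SHA1:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL"
)

# Fields of the "openssl ciphers -v" description line that get_ciphers() returns.
_DESC_RE = re.compile(
    r"Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)"
)


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites the local OpenSSL selects for
    cipher_string, in preference order, as dicts with name/kx/au/enc/mac."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError on a malformed string
    suites = []
    for c in ctx.get_ciphers():
        if c["protocol"] == "TLSv1.3":
            continue  # TLS 1.3 suites are configured separately; all are AEAD with PFS
        m = _DESC_RE.search(c["description"])
        if m:
            suites.append({"name": c["name"], **m.groupdict()})
    return suites


def weak_suites(cipher_string):
    """Return [(suite, reason), ...] for suites that lack forward secrecy
    (key exchange other than ECDHE/DHE) or use an HMAC-SHA1 MAC."""
    findings = []
    for s in expand(cipher_string):
        reasons = []
        if s["kx"] not in ("ECDH", "DH"):
            reasons.append("no forward secrecy (Kx=%s)" % s["kx"])
        if s["mac"] == "SHA1":
            reasons.append("SHA1 MAC")
        if reasons:
            findings.append((s["name"], "; ".join(reasons)))
    return findings


def report(label, cipher_string):
    """Print the audit for one cipher string and return the number of weak suites."""
    weak = weak_suites(cipher_string)
    print("== %s ==\n   %s" % (label, cipher_string))
    for name, reason in weak:
        print("   WEAK %-30s %s" % (name, reason))
    print("   %d suites selected, %d weak" % (len(expand(cipher_string)), len(weak)))
    return len(weak)


if __name__ == "__main__":
    report("Expressway X14 default (HTTPS)", EXPRESSWAY_DEFAULT)
    report("hardened (assumed)", HARDENED)
```

Run it with `python3 audit_ciphers.py`: the default string reproduces the poster's findings (the CBC-SHA1 and static-RSA suites are flagged, and AES256-SHA is absent because of `-AES256+SHA`), while the hardened string leaves only ECDHE/DHE suites with AEAD or SHA-2 MACs. Two caveats from the admin guide text above apply before you save the new string: Expressway uses the same HTTPS cipher list when it acts as a TLS client, so any peer it connects to over HTTPS must still offer one of the remaining suites, and changes to the SIP and XCP lists need a restart. Re-run the external scan after the change rather than trusting the local expansion.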
