Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5239
Views
10
Helpful
9
Replies

Expressway Weak Cipher change 8.11

Amer rajai Sha'er
Level 7
Level 7

‎09-05-2018 01:40 AM

Hello,

 

I need to change the cipher on the Expressway from weak to high, but i am not sure how the formula works on Expressway, currently i have this (which is the default except for the TLS):

Cipher.JPG

Can anyone please advise how to play with the ciphers and how to increase it?

 

Many thanks

Amer

0 Helpful
9 Replies 9

Amer rajai Sha'er
Level 7
Level 7

‎09-06-2018 05:40 AM

No One have a clue about this, wow...

0 Helpful

JFerello
Level 1
Level 1

‎09-06-2018 06:33 AM

The following list "should" disable weak ciphers:

ALL:!EXP:!LOW:!MD5:!RC4:@STRENGTH:+ADH

 

Did you even run any security software against this box?  It appears from the list you have that everything is already off weak ciphers.

Thanks,
Justin Ferello
0 Helpful

Amer rajai Sha'er
Level 7
Level 7
In response to JFerello

‎09-06-2018 06:38 AM

Hello Justin,

 

yes i did ran a scan, only one appeared on both Expressway E and C:

 

SSL Medium Strength Cipher Suites Supported Port 5061

 

So if i edit the below on the SIP cipher it should remove the above vuln?

ALL:!EXP:!LOW:!MD5:!RC4:@STRENGTH:+ADH

 

Thanks

Amer

 

0 Helpful

JFerello
Level 1
Level 1
In response to Amer rajai Sha'er

‎09-06-2018 06:45 AM

I would just add !3DES: to the "SIP TLS ciphers" line, at the beginning; then reboot the VCS and scan it again.
Thanks,
Justin Ferello

Amer rajai Sha'er
Level 7
Level 7
In response to JFerello

‎09-06-2018 06:47 AM

Thank you Justin, will test it next week and get back to you.

0 Helpful

albertoariasc
Level 1
Level 1
In response to Amer rajai Sha'er

‎10-22-2018 07:27 AM


Hello, I have the same inconvenience I want to know how you solved it. Thanks
0 Helpful

jonathan.salter
Level 3
Level 3
In response to JFerello

‎09-07-2018 09:13 AM

@JFerello wrote:

The following list "should" disable weak ciphers:

ALL:!EXP:!LOW:!MD5:!RC4:@STRENGTH:+ADH

 

What version was this on?

I do know that command is not applicable for 8.10

 

Please remember to rate useful posts, click on the stars below.
0 Helpful

JFerello
Level 1
Level 1
In response to jonathan.salter

‎09-07-2018 09:19 AM

It is not a command, it is a list of ciphers to enable or disable; if you look at his screenshot above.
Thanks,
Justin Ferello
0 Helpful

jonathan.salter
Level 3
Level 3
In response to JFerello

‎09-07-2018 10:19 AM

@JFerello wrote:
It is not a command, it is a list of ciphers to enable or disable; if you look at his screenshot above.

Maybe I should have said "statement", but in any case it will not work with 8.10.

Here is my summary from my adventure!

 

FOR x8.10 VERSION :

==============================

>> TLS/SSL Server is enabling the BEAST attack is a FALSE ALARM  

 

>> Diffie-Hellman group smaller than 2048 bits is also a false alarm.

 

>> TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)

Successfully run below command :

xConfiguration SIP Advanced SipTlsVersions: "TLSv1.2"

 

>> These TWO commands are not applicable for x8.10. Checked on Lab device as well.

xConfiguration SIP TLS CipherSuite: "ALL:!EXP:!LOW:!MD5:!3DES:!RC4:@STRENGTH:+ADH"

xConfiguration SIP TLS CipherSuite: "ALL:!EXP:!LOW:!MD5:!3DES:-RC4:@STRENGTH:+ADH"

Please remember to rate useful posts, click on the stars below.
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents