
Expressway Weak Cipher change 8.11

Hello,

 

I need to change the cipher on the Expressway from weak to high, but I am not sure how the formula works on Expressway. Currently I have this (which is the default except for the TLS):

Cipher.JPG

Can anyone please advise how to play with the ciphers and how to increase it?

 

Many thanks

Amer


No one has a clue about this, wow...

JFerello
Level 1

The following list "should" disable weak ciphers:

ALL:!EXP:!LOW:!MD5:!RC4:@STRENGTH:+ADH

 

Did you even run any security software against this box?  It appears from the list you have that everything is already off weak ciphers.

Thanks,
Justin Ferello

Hello Justin,

 

Yes, I did run a scan; only one appeared on both Expressway E and C:

 

SSL Medium Strength Cipher Suites Supported Port 5061

 

So if I edit the below on the SIP cipher it should remove the above vuln?

ALL:!EXP:!LOW:!MD5:!RC4:@STRENGTH:+ADH

 

Thanks

Amer

 

I would just add !3DES: to the "SIP TLS ciphers" line, at the beginning; then reboot the VCS and scan it again.
Thanks,
Justin Ferello

Thank you Justin, will test it next week and get back to you.


Hello, I have the same inconvenience and I want to know how you solved it. Thanks


@JFerello wrote:

The following list "should" disable weak ciphers:

ALL:!EXP:!LOW:!MD5:!RC4:@STRENGTH:+ADH

 

What version was this on?

I do know that command is not applicable for 8.10


 

Please remember to rate useful posts, click on the stars below.

It is not a command, it is a list of ciphers to enable or disable; if you look at his screenshot above.
Thanks,
Justin Ferello


@JFerello wrote:
It is not a command, it is a list of ciphers to enable or disable; if you look at his screenshot above.

Maybe I should have said "statement", but in any case it will not work with 8.10.

Here is my summary from my adventure!

 

FOR x8.10 VERSION :

==============================

>> TLS/SSL Server is enabling the BEAST attack is a FALSE ALARM  

 

>> Diffie-Hellman group smaller than 2048 bits is also a false alarm.

 

>> TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)

Successfully ran the command below:

xConfiguration SIP Advanced SipTlsVersions: "TLSv1.2"

 

>> These TWO commands are not applicable for x8.10. Checked on Lab device as well.

xConfiguration SIP TLS CipherSuite: "ALL:!EXP:!LOW:!MD5:!3DES:!RC4:@STRENGTH:+ADH"

xConfiguration SIP TLS CipherSuite: "ALL:!EXP:!LOW:!MD5:!3DES:-RC4:@STRENGTH:+ADH"

Please remember to rate useful posts, click on the stars below.
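
Added example (not part of any post above, and not Cisco's code): a small offline audit of the cipher strings quoted in this thread, assuming the "SIP TLS ciphers" field takes OpenSSL cipher-list syntax. It reports which weak classes a string still leaves enabled and distinguishes `!` (permanent exclusion) from `-` (removal that a later term can undo). The names `parse_cipher_string`, `audit` and `still_enabled` are hypothetical.

```python
import re

# Weak classes named in the thread's cipher strings.
WEAK_CLASSES = ("EXP", "LOW", "MD5", "RC4", "3DES")

def parse_cipher_string(spec):
    """Split a cipher string into (operator, keyword) pairs.

    '' adds ciphers, '!' excludes them permanently, '-' removes them
    (a later term may re-add), '+' moves them to the end of the list,
    '@' is a directive such as @STRENGTH (sort by strength).
    """
    ops = []
    for token in re.split(r"[:, ]+", spec.strip().strip('"')):
        if token:
            op = token[0] if token[0] in "!-+@" else ""
            ops.append((op, token[len(op):]))
    return ops

def audit(spec, weak=WEAK_CLASSES):
    """Return {class: 'enabled' | 'removed' | 'killed' | 'not selected'}.

    Simplified model (assumption): each keyword is tracked as an
    independent class and ALL is taken to include every weak class;
    it does not know what a given OpenSSL build has compiled in.
    """
    status = {w: "not selected" for w in weak}
    for op, kw in parse_cipher_string(spec):
        if op == "!" and kw in status:
            status[kw] = "killed"            # can never be re-added
        elif op == "-" and status.get(kw) == "enabled":
            status[kw] = "removed"           # can be re-added later
        elif op == "":
            targets = weak if kw == "ALL" else ([kw] if kw in status else [])
            for t in targets:
                if status[t] != "killed":
                    status[t] = "enabled"
        # '+' and '@' only reorder the list; membership is unchanged.
    return status

def still_enabled(spec):
    return sorted(k for k, v in audit(spec).items() if v == "enabled")

if __name__ == "__main__":
    for s in ('ALL:!EXP:!LOW:!MD5:!RC4:@STRENGTH:+ADH',
              'ALL:!EXP:!LOW:!MD5:!3DES:!RC4:@STRENGTH:+ADH',
              'ALL:!EXP:!LOW:!MD5:!3DES:-RC4:@STRENGTH:+ADH'):
        print(s, "->", audit(s))
```

The result is only a reading of the string; a rescan of port 5061 after the change is still what confirms which suites the server actually offers.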