cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements
Walkthrough Wednesdays
3466
Views
10
Helpful
9
Replies
Amer rajai Sha'er
Rising star

Expressway Weak Cipher change 8.11

Hello,

 

I need to change the cipher on the Expressway from weak to high, but i am not sure how the formula works on Expressway, currently i have this (which is the default except for the TLS):

Cipher.JPG

Can anyone please advise how to play with the ciphers and how to increase it?

 

Many thanks

Amer

9 REPLIES 9
Amer rajai Sha'er
Rising star

No One have a clue about this, wow...

JFerello
Beginner

The following list "should" disable weak ciphers:

ALL:!EXP:!LOW:!MD5:!RC4:@STRENGTH:+ADH

 

Did you even run any security software against this box?  It appears from the list you have that everything is already off weak ciphers.

Thanks,
Justin Ferello

Hello Justin,

 

yes i did ran a scan, only one appeared on both Expressway E and C:

 

SSL Medium Strength Cipher Suites Supported Port 5061

 

So if i edit the below on the SIP cipher it should remove the above vuln?

ALL:!EXP:!LOW:!MD5:!RC4:@STRENGTH:+ADH

 

Thanks

Amer

 

I would just add !3DES: to the "SIP TLS ciphers" line, at the beginning; then reboot the VCS and scan it again.
Thanks,
Justin Ferello

Thank you Justin, will test it next week and get back to you.


Hello, I have the same inconvenience I want to know how you solved it. Thanks


@JFerello wrote:

The following list "should" disable weak ciphers:

ALL:!EXP:!LOW:!MD5:!RC4:@STRENGTH:+ADH

 

What version was this on?

I do know that command is not applicable for 8.10


 

Please remember to rate useful posts, click on the stars below.

It is not a command, it is a list of ciphers to enable or disable; if you look at his screenshot above.
Thanks,
Justin Ferello


@JFerello wrote:
It is not a command, it is a list of ciphers to enable or disable; if you look at his screenshot above.

Maybe I should have said "statement", but in any case it will not work with 8.10.

Here is my summary from my adventure!

 

FOR x8.10 VERSION :

==============================

>> TLS/SSL Server is enabling the BEAST attack is a FALSE ALARM  

 

>> Diffie-Hellman group smaller than 2048 bits is also a false alarm.

 

>> TLS/SSL Birthday attacks on 64-bit block ciphers (SWEET32)

Successfully run below command :

xConfiguration SIP Advanced SipTlsVersions: "TLSv1.2"

 

>> These TWO commands are not applicable for x8.10. Checked on Lab device as well.

xConfiguration SIP TLS CipherSuite: "ALL:!EXP:!LOW:!MD5:!3DES:!RC4:@STRENGTH:+ADH"

xConfiguration SIP TLS CipherSuite: "ALL:!EXP:!LOW:!MD5:!3DES:-RC4:@STRENGTH:+ADH"

Please remember to rate useful posts, click on the stars below.
Content for Community-Ad

Spotlight Awards 2021