09-27-2012 12:20 AM
Hi All,
I’m performing a new deployment for my customer on a C370 Ironport and my customer has an internal team performing a band test on the Ironport box. The results show that the management traffic (HTTPS) is only using medium strength traffic (56 bits – 112 bits), which does not meet the compliance of the organization. From the knowledge base, I checked that our management traffic is using either RC4-SHA or RC4-MD5. Any way to change this to AES or 3DES?
Besides that, in the band test, the customer also notices that the box supports anonymous SSL ciphers. Any way to disable this?
Thanks.
10-02-2012 03:48 AM
Hi there,
check out these articles:
Article #1399: How can I alter what ciphers are used with the Graphical User Interface (GUI)? Can I disable SSL v2 for the GUI? Link: http://tools.cisco.com/squish/80676
Article #1367: How do I prevent the IronPort appliance from negotiating null or anonymous ciphers? Link: http://tools.cisco.com/squish/3637E
So to exclude low and anonymous ciphers, something like this would apply:
HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH
Hope that helps,
Andreas
10-02-2012 07:18 AM
Hi Andreas,
Is there any possibility to apply these for the management interface (GUI) too? Thanks.
Regards,
Dennis Goh
10-08-2012 06:57 AM
Hi Dennis,
the articles mentioned are valid for the GUI as well, simply use sslconfig as described, and when asked:
Enter the GUI HTTPS ssl cipher you want to use.
you copy/paste the ciphers.
Hope that helps,
Andreas
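One way to check what a cipher string like the one suggested in this thread actually expands to before pasting it into sslconfig, as an added example that is not part of the original posts or of Cisco's articles: the function below reads `openssl ciphers -v` output and flags anonymous, RC4, NULL-encryption, export, SSLv2 and sub-128-bit suites. The function names and the sample lines are constructed for illustration, and a workstation's OpenSSL build may expand the string differently from the appliance's.

```shell
#!/bin/sh
# Added example: audit the expansion of an OpenSSL cipher string.
# Real use (on a host with openssl installed):
#   openssl ciphers -v 'HIGH:MEDIUM:-SSLv2:-aNULL:@STRENGTH' | audit_ciphers

# Reads lines in `openssl ciphers -v` format on stdin and prints one
# "FLAG <suite> <reasons>" line for every suite a compliance scan would reject.
audit_ciphers() {
    awk '
    NF >= 5 {
        reason = ""
        if ($2 == "SSLv2") reason = reason " sslv2"
        for (i = 3; i <= NF; i++) {
            if ($i == "Au=None")  reason = reason " anonymous"
            if ($i ~ /^Enc=RC4/)  reason = reason " rc4"
            if ($i ~ /^Enc=None/) reason = reason " null-encryption"
            if ($i == "export")   reason = reason " export"
            # Key length is the number in parentheses, e.g. Enc=AES(256)
            if ($i ~ /^Enc=.*\([0-9]+\)$/) {
                bits = $i
                sub(/^.*\(/, "", bits)
                sub(/\)$/, "", bits)
                if (bits + 0 < 128) reason = reason " keylen<128"
            }
        }
        if (reason != "") print "FLAG", $1 reason
    }'
}

# Constructed sample in `openssl ciphers -v` format (not captured from an appliance).
sample_expansion() {
cat <<'EOF'
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
RC4-SHA                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
EOF
}

# Demonstration on the constructed sample.
sample_expansion | audit_ciphers
```

An empty result means nothing in the expansion matched the weak categories; any RC4 line shows that the string still admits RC4 on that OpenSSL build and needs a further exclusion to meet an AES/3DES-only requirement.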