cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1491
Views
20
Helpful
5
Replies

Expressway 12.7.1 remove/disable CBC ciphers for SSH

themizzz21
Level 1
Level 1

Hello,

A penetration test revieled that ssh on expressways have CBC mode ciphers enabled and they asked to disable this.

Pen test result: "We have managed to identify that the SSH server running on the remote host is configured to support Cipher Block Chaining (CBC) encryption."

Pen test recommendation: "You should disable the CBC mode cipher encryption and enable CTR or GCM cipher mode encryption instead."

 

The CLI command "xconfiguration // cipher" shows

xConfiguration Ciphers sshd_ciphers Value: "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"

 

Is there any CLI command that could disable the proposal of aes256-cbc ciphers

 

Thank you very much,

5 Replies 5

b.winter
VIP
VIP

I think, it's possible to edit (add, delete) the ciphers via GUI.

I currently don't have access to an EXP to give you the correct page-path.

 

But be careful when editing them. There maybe some interop issues to other systems then. Good advice is to take a backup first or note down the changes.

Hi,

The ssh page regarding ciphers is completely different  than the other protocols(https, sip etc).

As far as I can see there is no way to delete/disable ssh ciphers within gui.

 

Thanks.

 

But there is a different page for SSH configuration under "Maintenance" --> "Security" --> "SSH Configuration":

 

scree.JPG

The 12.7.1 version has no "Remote Access Configuration"

ssh02.jpg

 

 

 

 

 

 

 

 

 

 

 

 

 

What is your version?

 

Thank you.

I'm on a version X14.0.5