02-13-2023 12:46 PM
Hi, there is a security vulnerability issue on C9300 sw due to the TLS version. Is there a command to disable TLS version 1.1 and 1.0? Thanks
02-13-2023 01:06 PM
Use strong ciphers and SSH ver 2.
02-13-2023 01:38 PM - edited 02-13-2023 01:38 PM
Thanks for your reply. The switch uses TLS; we need to disable the lower version, v1.1.
PSW#sh ip http server all | i TLS
HTTP secure server TLS version: TLSv1.2 TLSv1.1
02-14-2023 03:00 AM
(config)#ip http tls-version tlsv1.2
(config)#ip http tls-version ?
TLSv1.0 Set TLSv1.0 version Only
TLSv1.1 Set TLSv1.1 version Only
TLSv1.2 Set TLSv1.2 version Only
(config)#ip http secure-ciphersuite ?
aes-128-cbc-sha Encryption type tls_rsa_with_aes_cbc_128_sha ciphersuite
aes-256-cbc-sha Encryption type tls_rsa_with_aes_cbc_256_sha ciphersuite
dhe-aes-128-cbc-sha Encryption type tls_dhe_rsa_with_aes_128_cbc_sha ciphersuite
edche-rsa-aes-256-cbc-sha Encryption type tls_ecdhe_rsa_aes_256_cbc_sha ciphersuite
• HTTPS Server command -- By default, it supports three versions. If you want to use a particular version for the sessions, you can specify by configuring the ip http tls-version command in global configuration mode. The versions are TLSv1.0, TLSv1.1, and TLSv1.2.
• HTTPS Client command -- By default, it supports three versions. If you want to use a particular version for the sessions, you can specify by configuring the ip http client tls-version command in global configuration mode. The versions are TLSv1.0, TLSv1.1, and TLSv1.2.
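An added example, not part of the original thread and not Cisco code: a Python check over captured "sh ip http server all | i TLS" output that flags switches still offering TLSv1.0 or TLSv1.1, and reports a missing version line as unknown rather than compliant. The device names and sample captures are constructed.

```python
import re

# Protocol versions the thread wants disabled on the switch's HTTPS server.
DEPRECATED = ("TLSv1.0", "TLSv1.1")
# Line format taken from the "sh ip http server all | i TLS" output in the thread.
TLS_LINE = re.compile(r"HTTP secure server TLS version:(.*)", re.IGNORECASE)
# Command from the accepted answer, entered in global configuration mode.
REMEDIATION = "ip http tls-version TLSv1.2"


def enabled_versions(show_output):
    """Return the TLS versions listed in the output, or None if the line is absent."""
    match = TLS_LINE.search(show_output)
    if match is None:
        return None
    # Normalise case so "tlsv1.1" and "TLSv1.1" compare equal.
    tokens = match.group(1).split()
    return ["TLSv" + t[4:] for t in tokens if t.lower().startswith("tlsv")]


def audit(outputs):
    """Map each device name to (status, deprecated versions still enabled)."""
    report = {}
    for device, text in outputs.items():
        versions = enabled_versions(text)
        if not versions:
            # A missing or empty line is not proof of compliance.
            report[device] = ("UNKNOWN", [])
            continue
        weak = [v for v in DEPRECATED if v in versions]
        report[device] = ("FAIL" if weak else "PASS", weak)
    return report


# Constructed sample captures; device names are placeholders.
SAMPLE = {
    "sw-before": "HTTP secure server TLS version: TLSv1.2 TLSv1.1\n",
    "sw-after": "HTTP secure server TLS version: TLSv1.2\n",
    "sw-no-output": "% Invalid input detected at '^' marker.\n",
}

if __name__ == "__main__":
    for device, (status, weak) in audit(SAMPLE).items():
        fix = f"  -> (config)# {REMEDIATION}" if status == "FAIL" else ""
        print(f"{device:14} {status:8} {' '.join(weak)}{fix}")
```
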
02-14-2023 07:02 AM
Very good explanation! Thank you!