Solved: SFTP cyphers

csarrazi · ‎08-14-2017

Hi team,

We have a Customer that would like to know if we updated the SFTP cyphers since ISE 2.O, they woulf like to use aeS256-ctr and ISE 2.0 does not support it :

Jul 21 09:43:08 lxpr540a sshd[4359]: fatal: no matching cipher found: client aes256-cbc,aes128-cbc,aes128-gcm@openssh.com,aes256-gcm@openssh.com server aes128-ctr,aes192-ctr,aes256-ctr

I found this doc but it was not updated since 2.0 : ISE Security Best Practices (Hardening)

the security team refuse to use AES-CBC due to a vulnerability "http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf"

Please could you tell me if we now support AES-CTR for SFTP ?

regards

Christophe

Timothy Abbott · ‎08-14-2017

Hi,

Based on my research, we currently don't support that cipher. We do have an enhancement request in for it.

Regards,

-Tim

View solution in original post

M. Wisely · ‎08-14-2017

There is a bug CSCux88538 that was logged as an enhancement for ISE 1.4 to support the aes-ctr ciphers but that is still open. May be worth logging a support call with Cisco.

Timothy Abbott · ‎08-14-2017

Hi,

Based on my research, we currently don't support that cipher. We do have an enhancement request in for it.

Regards,

-Tim

csco11552159 · ‎08-14-2017

we had same problem when we tried to setup SFTP. Then we have to change the cipher to cbc till the ISE supports .........