Cisco Prime Infrastructure 3.1 "enable TLSv1.2 only"

mel-ghazali (Level 1)

Dears,

Has anyone tried to disable SSLv2, SSLv3, TLSv1.0 and TLSv1.1 and keep only TLSv1.2?

3 Replies

marce1000 (VIP)

- Presumably Apache is being used; you may change httpd.conf, ssl.conf or httpd-ssl.conf (find the relevant file containing the SSL directives) and use something like:

SSLProtocol all -SSLv2 -SSLv3 -<any-other-protocol-you-don't-want>

Restart httpd afterwards. HOWEVER, Prime may have the settings hard-coded in the daemon, so I am not sure this will work.

Verify before and after with :

% nmap --script ssl-enum-ciphers -p 443 <host>


-- "Good body every evening" - this sentence was once spotted on a logo at the entrance of a Weight Watchers Club!

marce1000 (VIP)

- Sorry, my first reply may have got garbled, so I will try again:

- Presumably Apache is being used; you may change httpd.conf, ssl.conf or httpd-ssl.conf (find the relevant file containing the SSL directives) and use something like:

SSLProtocol all -SSLv2 -<any-other-protocol-you-don't-want>

Restart Apache. Prime, however, may have the settings hard-coded in the daemon, so I am not sure this will work; verify with:

% nmap --script ssl-enum-ciphers -p 443 <host>

M.



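As an added example (not part of the thread and not Cisco's or nmap's code), this is the protocol-level check that `nmap --script ssl-enum-ciphers` performs, written out in Python so you can see what "verify before and after" actually looks like on the wire. It sends one ClientHello per protocol version (SSLv3 through TLSv1.2) and reports whether the server answers with a ServerHello (version still accepted) or a protocol_version alert (version refused). The host and port passed to `probe()` are assumptions for live use; the server responses embedded at the bottom are constructed, not captured from a Prime host. It sends no extensions (no SNI, no TLS 1.3 supported_versions), so treat it as a teaching aid and keep nmap for the real audit.

```python
"""Minimal TLS version probe: the protocol-level check that nmap's ssl-enum-ciphers performs.

Added example (not from the thread or from Cisco): offers one protocol version per ClientHello
and reads whether the server answers with a ServerHello (version accepted) or an alert (refused).
It speaks only SSLv3 through TLSv1.2 and sends no extensions (no SNI, no TLS 1.3).
"""
import socket
import struct

# Wire values for the protocol versions a "TLSv1.2 only" change is meant to remove or keep.
VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
VERSION_NAMES = {code: name for name, code in VERSIONS.items()}

# A small cipher-suite list that is enough to draw a ServerHello or an alert out of most servers.
CIPHER_SUITES = [0xC02F, 0xC030, 0x009C, 0x002F, 0x000A]

ALERT_DESCRIPTIONS = {40: "handshake_failure", 70: "protocol_version", 71: "insufficient_security"}


def build_client_hello(version_code):
    """Return a TLS record carrying a ClientHello that offers exactly one protocol version."""
    client_random = bytes(32)  # fixed zeros: acceptable for a probe, never for a real client
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (struct.pack("!H", version_code) + client_random
            + b"\x00"                                   # empty session ID
            + struct.pack("!H", len(suites)) + suites   # cipher_suites
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16" + struct.pack("!H", version_code) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Interpret the first TLS record a server sent back.

    ("ServerHello", version)  -> the offered version was accepted
    ("Alert", description)    -> the server refused (protocol_version on a locked-down server)
    ("Unknown", reason)       -> empty, truncated or unexpected reply
    """
    if len(data) < 5:
        return ("Unknown", "short or empty response (server may have just closed the connection)")
    content_type = data[0]
    payload = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if content_type == 0x15 and len(payload) >= 2:                         # alert record
        return ("Alert", ALERT_DESCRIPTIONS.get(payload[1], "alert(%d)" % payload[1]))
    if content_type == 0x16 and len(payload) >= 6 and payload[0] == 0x02:  # handshake: ServerHello
        negotiated = struct.unpack("!H", payload[4:6])[0]
        return ("ServerHello", VERSION_NAMES.get(negotiated, hex(negotiated)))
    return ("Unknown", "content type %d" % content_type)


def probe(host, port=443, timeout=5.0):
    """Offer each version to a live server (network; the offline demo below does not use this)."""
    results = {}
    for name, code in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(code))
                results[name] = classify_response(sock.recv(4096))
        except OSError as exc:
            results[name] = ("Unknown", str(exc))
    return results


def offered_versions(results):
    """Names of the versions the server accepted, i.e. those that drew a ServerHello."""
    return sorted(name for name, (kind, _) in results.items() if kind == "ServerHello")


# Constructed sample responses (not captured from a real Prime host) for a server already
# locked down to TLSv1.2: a fatal protocol_version alert, and a ServerHello selecting TLSv1.2.
ALERT_PROTOCOL_VERSION = b"\x15\x03\x03\x00\x02\x02\x46"
_sh_body = struct.pack("!H", 0x0303) + bytes(32) + b"\x00" + struct.pack("!H", 0xC02F) + b"\x00"
SERVER_HELLO_TLS12 = (b"\x16\x03\x03" + struct.pack("!H", len(_sh_body) + 4)
                      + b"\x02" + struct.pack("!I", len(_sh_body))[1:] + _sh_body)


def demo_locked_down_server():
    """Run the classifier over the canned responses, as if probing a TLSv1.2-only host."""
    canned = {"SSLv3": ALERT_PROTOCOL_VERSION, "TLSv1.0": ALERT_PROTOCOL_VERSION,
              "TLSv1.1": ALERT_PROTOCOL_VERSION, "TLSv1.2": SERVER_HELLO_TLS12}
    return {name: classify_response(data) for name, data in canned.items()}


if __name__ == "__main__":
    import sys
    results = probe(sys.argv[1]) if len(sys.argv) > 1 else demo_locked_down_server()
    for name, (kind, detail) in results.items():
        print("%-8s %-12s %s" % (name, kind, detail))
    print("offered:", ", ".join(offered_versions(results)))
```

Run it with no arguments to see the canned TLSv1.2-only result, or with a hostname to probe a live server. A server that still accepts TLSv1.0 will answer that hello with a ServerHello carrying version 0x0301, which is exactly the line nmap's output would flag; after the change, every pre-1.2 hello should come back as a protocol_version alert or a closed connection.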

Hi Marce,
why can't it be changed with the Prime CLI instead?

tls-server-versions <tls_versions> - set the TLS versions to be enabled for the TLS service - TLSv1.2 TLSv1.1 TLSv1
tls-server-ciphers <tls_cipher_groups> - set the TLS cipher group to be enabled for the TLS service - tls-ecdhe-sha2 tls-ecdhe-sha1 tls-dhe-sha2 tls-dhe-sha1 tls-static-sha2 tls-static-sha1

Command Reference Guide for Cisco Prime Infrastructure 3.10 - Command Reference [Cisco Prime Infrastructure] - Cisco
