Configure TLS in Cisco Switch

Sagar4
Level 1

I want to change TLS version in Cisco switch C2960X-48TS-L. The firmware version installed is c2960x-universalk9-mz.152-7.E9.bin.

Please guide me on how to check the current TLS version and how to disable and enable a particular TLS version.

2 Replies

Ruben Cocheno
Spotlight

@Sagar4 

Jump on config mode


Check Ciphers available 

sh ip http server all

HTTP server status: Disabled
HTTP server port: 80
HTTP server authentication method: local
HTTP server access class: 0
HTTP server base path: flash:/c2960x-universalk9-mz.152-4.E8/html
HTTP server help root:
Maximum number of concurrent server connections allowed: 16
Maximum number of secondary server connections allowed: 5
Server idle time-out: 180 seconds
Server life time-out: 180 seconds
Server session idle time-out: 180 seconds
Maximum number of requests allowed on a connection: 25
HTTP server active session modules: ALL
HTTP secure server capability: Present
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite:  dhe-aes-128-cbc-sha dhe-aes-256-cbc-sha
        edche-rsa-aes-256-cbc-sha edche-rsa-rc4-128-sha

HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

Viewing available current cipher suites


ip http secure-ciphersuite ?

  aes-128-cbc-sha            Encryption type tls_rsa_with_aes_cbc_128_sha
                             ciphersuite
  aes-256-cbc-sha            Encryption type tls_rsa_with_aes_cbc_256_sha
                             ciphersuite
  dhe-aes-128-cbc-sha        Encryption type tls_dhe_rsa_with_aes_128_cbc_sha
                             ciphersuite
  dhe-aes-256-cbc-sha        Encryption type tls_dhe_rsa_with_aes_256_cbc_sha
                             ciphersuite
  edche-rsa-aes-256-cbc-sha  Encryption type tls_ecdhe_rsa_aes_256_cbc_sha
                             ciphersuite
  edche-rsa-rc4-128-sha      Encryption type tls_ecdhe_rsa_rc4_128_sha
                             ciphersuite
  null-sha                   Encryption type tls_rsa_with_null_sha ciphersuite
To verify what was being offered by the switch, I ran the nmap ssl-cert and ciphers scripts.

sudo nmap --script ssl-cert,ssl-enum-ciphers -p 443 192.168.10.31

Enable only secure ciphers

test(config)#ip http secure-ciphersuite edche-rsa-aes-256-cbc-sha aes-256-cbc-sha
test(config)#ip http tls-version ?

  TLSv1.0  Set TLSv1.0 version Only
  TLSv1.1  Set TLSv1.1 version Only
  TLSv1.2  Set TLSv1.2 version Only


test(config)#ip http tls-version tlsv1.2

To verify, you run the nmap ssl-cert and ciphers scripts. This time only TLS 1.2 is enabled.

sudo nmap --script ssl-cert,ssl-enum-ciphers -p 443 switch-ip


Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/
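As an added example (not code from this thread or from Cisco), the following script audits the settings the reply above walks through: it parses the wrapped ciphersuite line of `show ip http server all` and the `ip http tls-version` config line, and flags RC4 or NULL ciphers and a missing TLS 1.2 pin. The sample output is constructed from the text pasted above, and the cipher ratings are this example's own.

```python
"""Audit the HTTPS/TLS settings a Cisco IOS switch reports (added example,
not code from the thread). Parses 'show ip http server all' text and the
'ip http' config lines, then flags weak settings. Sample text is constructed
from the thread; the cipher ratings are this example's own, not Cisco's."""
import re

WEAK_CIPHERS = {
    "edche-rsa-rc4-128-sha": "RC4 is prohibited for TLS (RFC 7465)",
    "null-sha": "NULL cipher gives no confidentiality",
}

def parse_server_ciphers(show_output):
    """Cipher list; IOS wraps it onto indented continuation lines."""
    lines = show_output.splitlines()
    for i, line in enumerate(lines):
        if line.startswith("HTTP secure server ciphersuite:"):
            ciphers = line.split(":", 1)[1].split()
            for cont in lines[i + 1:]:          # stop at a blank or column-0 line
                if not cont.strip() or not cont[0].isspace():
                    break
                ciphers += cont.split()
            return ciphers
    return []

def parse_tls_version(running_config):
    """Value of 'ip http tls-version', or None when the line is absent."""
    m = re.search(r"^ip http tls-version\s+(\S+)", running_config, re.M)
    return m.group(1).lower() if m else None

def audit(show_output, running_config):
    """Return findings as strings; an empty list means nothing to flag."""
    findings = [f"weak cipher {c}: {WEAK_CIPHERS[c]}"
                for c in parse_server_ciphers(show_output) if c in WEAK_CIPHERS]
    version = parse_tls_version(running_config)
    if version is None:
        findings.append("ip http tls-version not set: older TLS versions may be negotiated")
    elif version != "tlsv1.2":
        findings.append(f"ip http tls-version is {version}, not tlsv1.2")
    return findings

# Constructed from the thread: before the fix (RC4 offered, no version pin)...
SHOW_BEFORE = """HTTP secure server ciphersuite:  dhe-aes-128-cbc-sha dhe-aes-256-cbc-sha
        edche-rsa-aes-256-cbc-sha edche-rsa-rc4-128-sha

HTTP secure server client authentication: Disabled
"""
CONFIG_BEFORE = "ip http secure-server\n"
# ...and after 'ip http secure-ciphersuite ...' plus 'ip http tls-version tlsv1.2'.
SHOW_AFTER = "HTTP secure server ciphersuite:  edche-rsa-aes-256-cbc-sha aes-256-cbc-sha\n"
CONFIG_AFTER = CONFIG_BEFORE + "ip http tls-version tlsv1.2\n"
```

Paste the real `show ip http server all` and `show running-config | include ip http` output into the two strings to audit a switch; `audit(SHOW_BEFORE, CONFIG_BEFORE)` reports two findings and `audit(SHOW_AFTER, CONFIG_AFTER)` reports none.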

Hello @Sagar4 ,

Check the TLS version on the switch with the following commands:

show ip http client all

show ip http server status

You can change the TLS version used by the switch with the following commands:

Device(config)#ip http client tls-version <TLS version>

Device(config)#ip http tls-version <TLS version>

Regards, LG
*** Please Rate All Helpful Responses ***