01-17-2022 04:38 AM
Hello everybody,
I have a question about CPI. Does CPI 3.10 support the following crypto policies?
Or is there a document where I can read about it? Thanks a lot.
NTP:
- SHA(2)-256 / 2026
- SHA(1) / 2022
SSHv2:
- Diffie-hellman-group15-exchange-sha512 / 2026+
- AES256/CTR/2026+
- SHA(2) 512 Bit / 2026+
- SHA(2) 256 Bit / 2026+
- Pgp-sign-dss/2000Bit/2022
- Pgp-sign-dss/250Bit/2022
- Ecda-sha2-nistp384/250Bit/2026+
- Ecda-sha2-nistp512/250Bit/2026+
- X509v3-ecdsa-sha2-nistp256/250Bit/2026+
SNMPv3:
- SHA(2)-224 usmHMAC128SHA224AuthProtocol/2026+
- SHA(2)-256 usmHMAC256SHA224AuthProtocol/2026+
- SHA(2)-384 usmHMAC384SHA224AuthProtocol/2026+
- SHA(2)-512 usmHMAC3512SHA224AuthProtocol/2026+
- AES256/CBC/2026+
01-17-2022 07:38 AM
Not a complete answer, but nmap probing can usually disclose some of the items you are looking for:
NTP: the command below may disclose the NTP version, and then a documentation lookup could, for instance, list whether the mentioned ciphers are supported or not.
nmap -sU -p 123 --script ntp-info cisco-prime
SSH:
nmap --script ssh2-enum-algos cisco-prime
SSL (example):
nmap -sV --script ssl-enum-ciphers -p 443 cisco-prime
M.
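An added example, not part of the reply above and not Cisco tooling: it parses `ssh2-enum-algos` output and compares the offered algorithms against an allow-list. The sample output is constructed, and `POLICY` is an assumed mapping of some of the question's SSHv2 entries to standard SSH algorithm names.

```python
import re

# Constructed sample of `nmap --script ssh2-enum-algos` output (not from a real device).
SAMPLE = """\
22/tcp open  ssh
| ssh2-enum-algos:
|   server_host_key_algorithms: (2)
|       ssh-rsa
|       ecdsa-sha2-nistp384
|   encryption_algorithms: (2)
|       aes128-cbc
|       aes256-ctr
|   mac_algorithms: (2)
|       hmac-sha1
|       hmac-sha2-256
|   compression_algorithms: (1)
|_      none
"""

# Assumed allow-list: a reading of the question's SSHv2 entries as standard SSH names.
POLICY = {
    "encryption_algorithms": {"aes256-ctr"},
    "mac_algorithms": {"hmac-sha2-256", "hmac-sha2-512"},
    "server_host_key_algorithms": {"ecdsa-sha2-nistp384", "x509v3-ecdsa-sha2-nistp256"},
}

def parse_enum_algos(text):
    """Return {category: [algorithms]} from ssh2-enum-algos script output."""
    offered, current = {}, None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue  # port/state lines and anything outside the script block
        body = re.sub(r"^\|_?\s*", "", line).strip()
        header = re.match(r"(\w+): \(\d+\)$", body)
        if header:
            current = header.group(1)
            offered[current] = []
        elif current and body:
            offered[current].append(body)
    return offered

def audit(offered, policy):
    """Per category: (offered and in policy, offered but outside policy)."""
    report = {}
    for cat, allowed in policy.items():
        seen = set(offered.get(cat, []))
        report[cat] = (sorted(seen & allowed), sorted(seen - allowed))
    return report
```

Categories missing from the scan come back as two empty lists, which means the server offers none of the policy's algorithms there.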
01-19-2022 08:53 AM
Hello M.,
Thanks for the tip; the nmap result also answered some of the questions, but not all.
I will try to answer the complete questions about a Cisco TAC case.
Best regards
B.