DCNM 10: disable https or change diffie-hellman group

abourges
Level 1

Hi,

...we are currently looking into DCNM 10 for a customer who is building a new datacenter. The focus will be on automation, where we want to program some stuff on top of the DCNM REST API. We kind of successfully tested DCNM 7.2 and upgraded today to DCNM 10.

Problem: DCNM 10 comes with an HTTPS-only web interface, but uses a very insecure Diffie-Hellman group for connection setup (768 bits). Unfortunately OpenSSL, which is used by our Python scripts, is not willing to set up an HTTPS connection based on the small DH group (needs at least 1024 bits I guess, recommends 2048).

openssl s_client shows:

bash# openssl s_client -connect localhost:8223 
CONNECTED(00000003)
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = Unknown
verify error:num=18:self signed certificate
verify return:1
depth=0 C = Unknown, ST = Unknown, L = Unknown, O = Unknown, OU = Unknown, CN = Unknown
verify return:1
140512820557464:error:14082174:SSL routines:ssl3_check_cert_and_algorithm:dh key too small:s3_clnt.c:3617:

[...]

No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: DH, 768 bits
---
SSL handshake has read 1549 bytes and written 7 bytes
[...]

The Python requests library gives us:

>>> resp = requests.post('https://localhost:8223/rest/logon', auth=('xxxx', 'xxxx'), data=json.dumps({'expirationTime': 1000000}), verify=False) 
Traceback (most recent call last):
 File "<stdin>", line 1, in <module>
 File "/usr/lib/python2.7/dist-packages/requests/api.py", line 111, in post
   return request('post', url, data=data, json=json, **kwargs)
 File "/usr/lib/python2.7/dist-packages/requests/api.py", line 57, in request
   return session.request(method=method, url=url, **kwargs)
 File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 475, in request
   resp = self.send(prep, **send_kwargs)
 File "/usr/lib/python2.7/dist-packages/requests/sessions.py", line 585, in send
   r = adapter.send(request, **kwargs)
 File "/usr/lib/python2.7/dist-packages/requests/adapters.py", line 477, in send
   raise SSLError(e, request=request)
requests.exceptions.SSLError: [SSL: SSL_NEGATIVE_LENGTH] dh key too small (_ssl.c:590)

For the moment we could live without HTTPS and use plain HTTP as we did with DCNM 7.2, but it seems it is not possible to change back to HTTP?

Is there any possibility to either turn HTTP on again or change the DH group that is used?

Thanks,

Andreas
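As an added example (not part of the original post, and not Cisco or DCNM code): a small audit helper that parses the `Server Temp Key` line from an `openssl s_client` session and checks the ephemeral key against OpenSSL's documented security-level minimums (from the SSL_CTX_set_security_level manual page). This lets a defender scan a fleet of management endpoints for exactly the condition hit above before a client-side OpenSSL upgrade starts refusing handshakes. The line format is assumed from the output quoted in the post; the sample sessions are constructed, the first one mirroring the DCNM output above.

```python
import re
from typing import Optional

# Constructed sample sessions. "dcnm_dh768" is modelled on the s_client output
# quoted in the post; the others are invented to cover the ECDH, X25519 and
# no-ephemeral-key cases.
SAMPLES = {
    "dcnm_dh768": (
        "CONNECTED(00000003)\n"
        "verify error:num=18:self signed certificate\n"
        "Peer signing digest: SHA512\n"
        "Server Temp Key: DH, 768 bits\n"
        "---\n"
    ),
    "ecdh_p256": "Peer signing digest: SHA256\nServer Temp Key: ECDH, P-256, 256 bits\n---\n",
    "x25519": "Server Temp Key: X25519, 253 bits\n---\n",
    "static_rsa": "Peer signing digest: SHA256\n---\nSSL handshake has read 3100 bytes\n",
}

# OpenSSL (1.1.0 and later) security levels: symmetric-equivalent strength and the
# minimum finite-field DH / EC key sizes accepted at each level. Level 1 was the
# 1.1.x default; level 2 is the default in several distributions' builds.
SECLEVEL_SECURITY_BITS = {0: 0, 1: 80, 2: 112, 3: 128, 4: 192, 5: 256}
MIN_DH_BITS = {0: 0, 1: 1024, 2: 2048, 3: 3072, 4: 7680, 5: 15360}
MIN_EC_BITS = {0: 0, 1: 160, 2: 224, 3: 256, 4: 384, 5: 512}
# Fixed-curve groups are rated by OpenSSL at a fixed security strength.
FIXED_GROUP_SECURITY_BITS = {"X25519": 128, "X448": 224}

# "Server Temp Key: <kind>[, <curve>], <n> bits" (format assumed from s_client output)
TEMP_KEY_RE = re.compile(
    r"^Server Temp Key:\s*(?P<kind>[\w-]+)(?:,\s*(?P<curve>[\w-]+))?,\s*(?P<bits>\d+) bits",
    re.MULTILINE,
)


def parse_temp_key(s_client_output: str) -> Optional[dict]:
    """Extract the ephemeral key type, curve (if any) and size, or None if absent."""
    m = TEMP_KEY_RE.search(s_client_output)
    if m is None:
        return None
    return {"kind": m["kind"], "curve": m["curve"], "bits": int(m["bits"])}


def assess_key_exchange(s_client_output: str, seclevel: int = 2) -> dict:
    """Decide whether an OpenSSL client at the given security level would accept
    the server's ephemeral key, and flag weak finite-field DH regardless."""
    key = parse_temp_key(s_client_output)
    if key is None:
        return {"key": None, "forward_secrecy": False, "accepted": None,
                "note": "no ephemeral key: static (RSA) key exchange, or handshake "
                        "aborted before the key exchange"}
    kind, bits = key["kind"], key["bits"]
    if kind == "DH":
        accepted = bits >= MIN_DH_BITS[seclevel]
    elif kind == "ECDH":
        accepted = bits >= MIN_EC_BITS[seclevel]
    elif kind in FIXED_GROUP_SECURITY_BITS:
        accepted = FIXED_GROUP_SECURITY_BITS[kind] >= SECLEVEL_SECURITY_BITS[seclevel]
    else:
        accepted = None  # unknown key type: leave for a human to look at
    note = ""
    if kind == "DH" and bits < 2048:
        note = (f"{bits}-bit finite-field DH is below the 2048-bit minimum recommended "
                f"since Logjam; OpenSSL at security level {seclevel} reports "
                f"'dh key too small'" if not accepted else "")
    return {"key": key, "forward_secrecy": True, "accepted": accepted, "note": note}


if __name__ == "__main__":
    for name, session in SAMPLES.items():
        for level in (1, 2):
            print(name, "seclevel", level, assess_key_exchange(session, level))
```

The same policy is what the `requests` call in the post runs into: urllib3 builds its context on the system OpenSSL, so a client upgrade that raises the default security level turns a previously working DHE endpoint into an `SSLError` without any change on the server. Running this check over `openssl s_client` captures from every management interface ahead of such an upgrade shows which endpoints need their DH parameters (or cipher configuration) fixed first.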


DrPepper1234
Level 1

Did you find a way to disable HTTPS on the web GUI?

Hi,

...no, as far as I remember there's no way to get back to HTTP only (info from a Cisco guy).

Regards,

Andreas
