Does the latest IOS for the c1941 ISR support TLS v1.3?

akamau2766 · ‎10-11-2020

I've recently started getting complaints of weak ciphers from latest browser versions when connecting to SSL VPN via the c1941 ISR. I'm running a version of IOS that hasn't been updated for a while:
c1900-universalk9-mz.SPA.154-3.M3.bin

I see there's a recommended version:
c1900-universalk9-mz.SPA.157-3.M7.bin

Does this recommended version support TLS1.3? I'm seeking to get a little more life out of the unit before forking some extra $$ to get whatever latest one I can find.

marce1000 · ‎10-12-2020

- Check with :

% nmap --script ssl-enum-ciphers -p 443 router

M.

-- Each morning when I wake up and look into the mirror I always say ' Why am I so brilliant ? '
When the mirror will then always repond to me with ' The only thing that exceeds your brilliance is your beauty! '

akamau2766 · ‎10-12-2020

Thanks for that command - learnt something new.

Unfortunately, I do not have the latest version yet. The question was to help me gauge whether it was worth it to invest in the latest firmware by renewing my entitlement. Not knowing how long TLS v1.2 will be useful for, I'd rather save the $$ and invest in a newer router.

EDIT:

That command on my current firmware gives this output:

$ nmap --script ssl-enum-ciphers -p 443 10.11.12.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-12 23:03 AEDT
Nmap scan report for 10.11.12.13
Host is up (0.012s latency).

PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers: 
|   TLSv1.0: 
|     ciphers: 
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|     compressors: 
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|     warnings: 
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A