10-11-2020 09:17 PM
I've recently started getting complaints of weak ciphers from latest browser versions when connecting to SSL VPN via the c1941 ISR. I'm running a version of IOS that hasn't been updated for a while:
c1900-universalk9-mz.SPA.154-3.M3.bin
I see there's a recommended version:
c1900-universalk9-mz.SPA.157-3.M7.bin
Does this recommended version support TLS1.3? I'm seeking to get a little more life out of the unit before forking some extra $$ to get whatever latest one I can find.
10-12-2020 12:06 AM
- Check with:
% nmap --script ssl-enum-ciphers -p 443 router
M.
10-12-2020 05:02 AM - edited 10-12-2020 05:07 AM
Thanks for that command - learnt something new.
Unfortunately, I do not have the latest version yet. The question was to help me gauge whether it was worth it to invest in the latest firmware by renewing my entitlement. Not knowing how long TLS v1.2 will be useful for, I'd rather save the $$ and invest in a newer router.
EDIT:
That command on my current firmware gives this output:
$ nmap --script ssl-enum-ciphers -p 443 10.11.12.13
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-12 23:03 AEDT
Nmap scan report for 10.11.12.13
Host is up (0.012s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|     compressors:
|       NULL
|     cipher preference: indeterminate
|     cipher preference error: Too few ciphers supported
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A
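
Added example, not part of the thread or any poster's code: a small parser for `ssl-enum-ciphers` text output that lists the offered protocol versions and flags the gaps visible in the scan above. The function names, the legacy-protocol set and the 2048-bit DH threshold are assumptions of this example.

```python
import re

# Scan output from the post above (one error line omitted for brevity).
SAMPLE = """\
| ssl-enum-ciphers:
| TLSv1.0:
| ciphers:
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
| compressors:
| NULL
| cipher preference: indeterminate
| warnings:
| Key exchange (dh 1024) of lower strength than certificate key
|_ least strength: A
"""

PROTO = re.compile(r"^\|[\s_]*((?:SSLv|TLSv)\d(?:\.\d)?):\s*$")
CIPHER = re.compile(r"^\|[\s_]*((?:TLS|SSL)_\w+)(?: \((\w+)(?: (\d+))?\))? - (\w)\s*$")
LEGACY = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}  # assumption: treated as legacy here

def parse_ssl_enum(text):
    """Return {protocol: [(cipher, kex_type, kex_bits, grade), ...]}."""
    result, current = {}, None
    for line in text.splitlines():
        m = PROTO.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER.match(line)
        if m and current:
            bits = int(m.group(3)) if m.group(3) else None
            result[current].append((m.group(1), m.group(2), bits, m.group(4)))
    return result

def assess(parsed, min_dh=2048):  # min_dh is this example's threshold
    findings = []
    for proto in sorted(LEGACY & parsed.keys()):
        findings.append(f"{proto} offered (legacy protocol)")
    if not ({"TLSv1.2", "TLSv1.3"} & parsed.keys()):
        findings.append("no TLSv1.2 or TLSv1.3 offered")
    for proto, ciphers in parsed.items():
        for name, kex, bits, _grade in ciphers:
            if kex == "dh" and bits is not None and bits < min_dh:
                findings.append(f"{proto} {name}: dh {bits} below {min_dh} bits")
    return findings

if __name__ == "__main__":
    print("\n".join(assess(parse_ssl_enum(SAMPLE))))
```

The parser accepts both the indented form nmap prints and the flattened form, so saved output from before and after a firmware change can be compared with the same script.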