2960X weak diffie-hellman ciphers

bigkeoni64
Level 1

Hello

 

I have a few 2960X switches on the network running 15.2.7.E5 code, and we have internal scanners that are calling out the Diffie-Hellman 'kex' as weak ciphers that should be disabled.

It appears that these DH ciphers are the only ones available for this platform and cannot be removed. I'd assume that if they were removed, SSH would not work either.

TAC is saying that these are the only ones available for this platform. Has anyone else run up against trying to remove the DH from `#ip ssh server algo kex`?

Thank you

Accepted Solution

@bigkeoni64 If those are the only supported ciphers on the 2960X switches, then you cannot change them. You could mitigate the issue on those switches by defining an ACL to restrict SSH access to trusted hosts/networks, denying all other connection attempts, thereby reducing the risk. Other than that, you'd have to replace the switches with newer Catalyst 9200/9300 switches that support the strongest/most secure ciphers.
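The ACL mitigation described in the accepted solution, written out as an added example (not configuration from the poster, TAC, or Cisco). The ACL name MGMT-SSH, the management subnet 10.10.0.0/24, the jump host 192.0.2.10, and the pinned KEX algorithm are assumptions; substitute the values from your own environment and from what `show ip ssh` reports on your image.

```cisco
! Added example, not from the thread. Assumed values: ACL MGMT-SSH,
! management subnet 10.10.0.0/24, jump host 192.0.2.10.
!
! 1. Record what the image actually offers before changing anything.
!    The "KEX Algorithms" line is what the scanner is grading.
show ip ssh
!
! 2. Pin the KEX list to the strongest entry the image reports.
!    diffie-hellman-group14-sha1 is an assumed value here; only list
!    algorithms that 'show ip ssh' already shows, otherwise SSH stops
!    negotiating and you lose remote access.
configure terminal
 ip ssh version 2
 ip ssh server algorithm kex diffie-hellman-group14-sha1
 ip ssh time-out 60
 ip ssh authentication-retries 3
!
! 3. Source-restrict the VTY lines: only the jump host and the
!    management subnet may open a session; everything else is
!    dropped and logged.
 ip access-list standard MGMT-SSH
  permit host 192.0.2.10
  permit 10.10.0.0 0.0.0.255
  deny   any log
 line vty 0 15
  access-class MGMT-SSH in
  transport input ssh
  exec-timeout 10 0
 end
!
! 4. Verify: the KEX list should now contain only the pinned entry,
!    and a connection attempt from outside the ACL should fail and
!    increment the 'deny any log' hit counter.
show ip ssh
show ip access-lists MGMT-SSH
```

Two caveats worth stating when you document this as a compensating control: `access-class` only governs the VTY lines, so it does nothing for SNMP, HTTP, or console access, and it does not change the cryptography at all. Sessions from the permitted hosts still negotiate the same DH group, so an on-path attacker between the jump host and the switch faces the same weak exchange the scanner flagged; the ACL shrinks who can reach the service, which is a risk reduction, not a fix. Re-run the internal scanner from a host outside the ACL to show the finding is now unreachable, and keep the finding open with a replacement date if the scanner runs from a permitted host.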

