disable diffie-hellman-group1-sha1 Cisco 2811 Os v.12.4(24)T2

oscar.martin1
Level 1

Is it possible disable diffie-hellman-group1-sha1 in a Cisco 2811 Os v.12.4(24)T2 router?

I put this command:

> ip ssh dh min size 2048

for 2048 bits, but in security scanning says that it permits:

| kex_algorithms: (3)

| diffie-hellman-group-exchange-sha1
| diffie-hellman-group14-sha1
| diffie-hellman-group1-sha1

So it does not pass the security certification. For Cisco ASA there is a command like this:

> no ssh ssh key-exchange {dh-group1 ........

But I need this for a Cisco 2811 router, and that command doesn't exist there. I've also tried:

> no ip ssh dh min size 1024

but I don't achieve the desired result.

Thanks,

Oscar

4 Replies

Philip D'Ath
VIP Alumni

I don't believe you can prevent it from showing that up.

However, the "ip ssh dh min size 2048" should prevent the use of diffie-hellman-group-exchange-sha1. If you can verify this then you have complied; the scan is just giving a false positive.
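One way to do the verification suggested above is to look at what the router's SSH server actually advertises rather than trusting the scanner's summary. The following is an added example, not code from the post or from Cisco: it decodes an SSH_MSG_KEXINIT payload as laid out in RFC 4253 and reports which of the KEX methods this thread is concerned with are offered. The sample packet is constructed from the algorithm list in the question, and the set of methods treated as weak is an assumption for this check, not a Cisco classification.

```python
import struct  # SSH_MSG_KEXINIT layout per RFC 4253, section 7.1
SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in KEXINIT, as laid down by RFC 4253.
NAME_LISTS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
    "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c",
)
# Assumed baseline for this check: the two methods the thread discusses
# (fixed 1024-bit group, and the SHA-1 based group exchange).
WEAK_KEX = {"diffie-hellman-group1-sha1", "diffie-hellman-group-exchange-sha1"}

def _read_name_list(buf, off):
    """Read a uint32-length-prefixed, comma-separated name-list."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    raw = buf[off:off + n].decode("ascii")
    return [s for s in raw.split(",") if s], off + n

def parse_kexinit(payload):
    """Return the KEXINIT fields as a dict; payload is the decrypted packet payload."""
    if payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, fields = 17, {}          # skip message id and the 16-byte cookie
    for name in NAME_LISTS:
        fields[name], off = _read_name_list(payload, off)
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields

def weak_kex_offered(payload):
    """Sorted list of the server's kex_algorithms that fall in WEAK_KEX."""
    return sorted(set(parse_kexinit(payload)["kex_algorithms"]) & WEAK_KEX)

def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode a KEXINIT payload; used here only to construct the sample."""
    body = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in NAME_LISTS:
        s = ",".join(lists.get(name, [])).encode("ascii")
        body += struct.pack(">I", len(s)) + s
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

# Constructed sample: the three KEX methods the scan in the question reported.
SAMPLE = build_kexinit({
    "kex_algorithms": ["diffie-hellman-group-exchange-sha1",
                       "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa"],
    "encryption_c2s": ["aes128-cbc"], "encryption_s2c": ["aes128-cbc"],
    "mac_c2s": ["hmac-sha1"], "mac_s2c": ["hmac-sha1"],
    "compression_c2s": ["none"], "compression_s2c": ["none"],
})
```

Against a live device, the server's KEXINIT can be taken from a packet capture of the unencrypted start of the session, or read from the `kex_algorithms` line that `ssh -vv` prints; whether a method is merely advertised or actually negotiable is then a separate question, which is the point the reply makes about the dh min size setting.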