Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10965
Views
0
Helpful
12
Replies

Disable SSH CBC mode cipher encryption and disable MD5 and 96-bit MAC algorithms in SSH on Cisco ASA

balamuruganmanavalan
Level 1
Level 1

‎08-12-2015 04:42 AM - edited ‎03-11-2019 11:24 PM

Hi all,

 

Want to disable CBC mode cipher encryption, and enable CTR or GCM cipher mode encryption and disable MD5 and 96-bit MAC algorithms

ASA version : 9.1.5(21)

Any idea.

 

Regards,

Bala

2 people had this problem
Labels:
0 Helpful
12 Replies 12

Karsten Iwen
VIP
VIP

‎08-12-2015 05:34 AM

You can't, the options are quite limited. But you can configure your SSH-clients not to negotiate weak ciphers.

0 Helpful

balamuruganmanavalan
Level 1
Level 1
In response to Karsten Iwen

‎08-12-2015 11:03 PM

Is any doc or cisco release notes stating that it is not possible?

 

Options are quite limited means?

0 Helpful

James Leinweber
Level 4
Level 4
In response to balamuruganmanavalan

‎08-13-2015 12:12 PM

If you want to use TLSv2 ciphersuites you are going to have to upgrade to 9.3 or higher; they aren't supported on earlier versions.

-- Jim Leinweber, WI State Lab of Hygiene

0 Helpful

balamuruganmanavalan
Level 1
Level 1
In response to James Leinweber

‎08-13-2015 08:32 PM

Is TLSv2 applicable for SSH also? confirm.

0 Helpful

Karsten Iwen
VIP
VIP
In response to balamuruganmanavalan

‎08-14-2015 12:01 AM

No, TLS 1.2 in ASA versions 9.3 and higher can be used with the actual AnyConnect client. But it's unrelated to SSH.

0 Helpful

balamuruganmanavalan
Level 1
Level 1
In response to Karsten Iwen

‎08-14-2015 12:05 AM

Correct.

Is there any cisco doc or release note showing that no workaround in Cisco ASA for SSH vulnerability.

 

If limited possibilities are documented, at least share that link.

 

0 Helpful

Karsten Iwen
VIP
VIP
In response to balamuruganmanavalan

‎08-14-2015 12:08 AM

All what you can do is documented in the config-guide.

0 Helpful

balamuruganmanavalan
Level 1
Level 1
In response to Karsten Iwen

‎08-14-2015 03:30 AM

you are referring which config-guide. can you share the link?

0 Helpful

balamuruganmanavalan
Level 1
Level 1
In response to Karsten Iwen

‎08-14-2015 05:28 AM

If we enable SSH authentication, can we mitigate that vulnerability?

0 Helpful

Karsten Iwen
VIP
VIP
In response to balamuruganmanavalan

‎08-14-2015 05:51 AM

SSH always works with authentication. That's not related to the used ciphers.

0 Helpful

Karsten Iwen
VIP
VIP
In response to balamuruganmanavalan

‎08-14-2015 12:03 AM

To my knowledge it's not documented that it's not possible ... Only the limited possibilities are documented, and that's mainly that you can restrict SSH to version 2 and configure the DH to group14.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card