
Disabling TLS v1.1 at sw - (2)

Leftz
Level 4

Hi 

This post follows on from the link below. The question is: after changing the TLS version, the security vulnerability report is the same as before, meaning the change did not remediate the issue. Even with http and https disabled, the issue still exists. The report message is posted below. Does anyone have any suggestions? Thank you very much.

 

https://community.cisco.com/t5/network-access-control/disabling-tls-v1-1-at-sw/td-p/4774454

----------------------------------------------------------------

172.16.10.10                                     IP            Ubuntu/Linux    host scanned, found vuln              38794    Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server Supports Transport Layer Security (TLSv1.1)          Active   Vuln       3                443         tcp                          over ssl 44770.46245       44920.88127       29                                           Deprecating TLS 1.0 and TLS 1.1                          0              2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)          2.2 (E:U/RL:U/RC:C)        Asset Group: Network Devices - US Network Devices - Austin, Collateral Damage Potential:  None, Target Distribution: None, Confidentiality Requirement: , Integrity Requirement: , Availability Requirement:               3.4          3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)               3.4 (E:U/RL:U/RC:C)        "Disable the use of TLSv1.1 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.

The following openssl commands can be used to do a manual test:

openssl s_client -connect ip:port -tls1_1

 

If the test is successful, then the target support TLSv1.1"                TLSv1.1 is supported#    no                                           General remote services                               25           338         5

 

 


7 Replies

@Leftz if your http and https are disabled and you run openssl to test, then you should get Connection refused.

rob@ubuntu-1:~$ openssl s_client -connect 192.168.10.2:443 -tls1_2
140579900519744:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140579900519744:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

rob@ubuntu-1:~$ openssl s_client -connect 192.168.10.2:443 -tls1_1
139857395860800:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
139857395860800:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

Can you confirm http is definitely disabled?

no ip http server
no ip http secure-server

Run "show run | inc tls" and confirm only TLS 1.2 is configured.

C3850(config)#do show run | inc tls
ip http tls-version TLSv1.2

You can confirm which TLS version the switch is configured to use with Nmap, as below:

rob@ubuntu-1:~$ nmap -sV --script ssl-enum-ciphers -p 443 <ip address>
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-20 17:26 UTC
Nmap scan report for 192.168.10.2
Host is up (0.0032s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http nginx
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 4096) - A
|       TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Weak certificate signature: SHA1
|_  least strength: A
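
Added example, not part of the original replies: the openssl test in the reply above can end in several different ways (refused connection, completed TLS 1.1 handshake, rejected handshake), and a re-scan should be read against which one occurred. The function names and the sample outputs other than the errno=111 line are constructed for illustration; the "inconclusive" case covers a local OpenSSL build whose policy will not offer TLS 1.1, which would otherwise look like a fixed device.

```sh
#!/bin/sh
# Added example (not from the thread): read the result of the -tls1_1 probe.

# classify_tls11: s_client output (stdout+stderr) on stdin -> one verdict word.
classify_tls11() (
    out=$(cat)
    case "$out" in
        *"Connection refused"*|*"errno=111"*)
            echo closed ;;          # nothing listening on the port
        ""|*"timed out"*|*"No route to host"*)
            echo no-answer ;;       # filtered or unreachable: no TLS evidence
        *"no protocols available"*)
            echo inconclusive ;;    # local OpenSSL policy refused to offer TLS 1.1
        *"Cipher is (NONE)"*|*"Cipher    : 0000"*)
            echo tls11-rejected ;;  # port open, handshake failed; the session
                                    # block still prints "Protocol  : TLSv1.1"
        *"Protocol  : TLSv1.1"*)
            echo tls11-accepted ;;  # handshake completed: the finding is real
        *)
            echo unknown ;;         # output not recognised; inspect by hand
    esac
)

# Live probe; host and port are the ones in the scanner report.
probe_tls11() {
    timeout 10 openssl s_client -connect "$1:${2:-443}" -tls1_1 </dev/null 2>&1 |
        classify_tls11
}

# Constructed sample outputs; only the errno=111 line is taken from the thread.
SAMPLE_REFUSED='connect:errno=111'
SAMPLE_ACCEPTED='New, TLSv1.0, Cipher is ECDHE-RSA-AES128-SHA
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES128-SHA'
SAMPLE_REJECTED='New, (NONE), Cipher is (NONE)
    Protocol  : TLSv1.1
    Cipher    : 0000'
SAMPLE_LOCAL='error:SSL routines:tls_setup_handshake:no protocols available'

for s in "$SAMPLE_REFUSED" "$SAMPLE_ACCEPTED" "$SAMPLE_REJECTED" "$SAMPLE_LOCAL"; do
    printf '%s\n' "$s" | classify_tls11
done
```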

 

Leftz
Level 4

@Rob Ingram Thank you very much for your reply.

The command "openssl s_client -connect 192.168.10.2:443 -tls1_2" cannot be run on a router or switch. We are going to add Linux to run it. Is there a similar Cisco command to run for this purpose?

I can only run the below two commands at this moment. 

ESW#show run | in tls
ip http tls-version TLSv1.2
ip http client tls-version TLSv1.2

ESW#sh run | in http
no ip http server
ip http authentication local
no ip http secure-server
ip http tls-version TLSv1.2
ip http client tls-version TLSv1.2
destination transport-method http

 

 

 

@Leftz No, I do not believe there is a Cisco command.

The configuration certainly seems to confirm neither http/https is enabled and only TLS1.2 is configured; this mirrored my switch when I ran the above tests to replicate your scenario.

You can run both openssl and nmap on Windows if you don't have Linux to run your own tests. Then get your vulnerability scanner to re-run the test again.

Leftz
Level 4

I ran the command show ip socket on this switch, but it looks like it cannot show anything useful, because I cannot find any difference between before and after closing 80 or 443 with the command no ip http server or no ip http secure-server.

 

ESW#show ip sockets
Proto   Remote       Port   Local         Port   In  Out  Stat     TTY  OutputIF
17      0.0.0.0      0      172.16.10.10  2228   0   0    211      0
17      10.1.9.43    55775  172.16.10.10  161    0   0    2001001  0
17      --listen--          172.16.10.10  162    0   0    2001011  0
17      --listen--          172.16.10.10  52585  0   0    2001011  0
17(v6)  --listen--          --any--       161    0   0    2020001  0
17(v6)  --listen--          --any--       162    0   0    2020011  0
17(v6)  --listen--          --any--       52448  0   0    2020001  0

Leftz
Level 4

@Rob Ingram You are right. One question: the vulnerability issue in this case is due to the lower TLS versions 1.0 and 1.1. If the lower version of TLS is still enabled, but http and https are disabled, does this vulnerability issue still exist theoretically?

@Leftz if disabled, I'd say the device will not be exploitable

Leftz
Level 4

Thank you!
