04-06-2020 03:20 AM
Hi All,
I'm looking at hardening the https server for a number of Cisco devices including IOS-XE for Cat9k switches and WLC.
Looking at the devices I can see that the following Cipher Suites can be supported but I'm not sure what the current recommendations are. Are there any from the list that are recommended and ones that should be avoided?
3des-ede-cbc-sha Encryption type tls_rsa_with_3des_ede_cbc_sha ciphersuite
aes-128-cbc-sha Encryption type tls_rsa_with_aes_cbc_128_sha ciphersuite
aes-256-cbc-sha Encryption type tls_rsa_with_aes_cbc_256_sha ciphersuite
dhe-aes-128-cbc-sha Encryption type tls_dhe_rsa_with_aes_128_cbc_sha ciphersuite
dhe-aes-cbc-sha2 Encryption type tls_dhe_rsa_with_aes_cbc_sha2(TLS1.2 & above) ciphersuite
dhe-aes-gcm-sha2 Encryption type tls_dhe_rsa_with_aes_gcm_sha2(TLS1.2 & above) ciphersuite
ecdhe-ecdsa-aes-gcm-sha2 Encryption type tls_ecdhe_ecdsa_aes_gcm_sha2 (TLS1.2 & above) SuiteB ciphersuite
ecdhe-rsa-3des-ede-cbc-sha Encryption type tls_ecdhe_rsa_3des_ede_cbc_sha ciphersuite
ecdhe-rsa-aes-128-cbc-sha Encryption type tls_ecdhe_rsa_with_aes_128_cbc_sha ciphersuite
ecdhe-rsa-aes-cbc-sha2 Encryption type tls_ecdhe_rsa_aes_cbc_sha2(TLS1.2 & above) ciphersuite
ecdhe-rsa-aes-gcm-sha2 Encryption type tls_ecdhe_rsa_aes_gcm_sha2(TLS1.2 & above) ciphersuite
rsa-aes-cbc-sha2 Encryption type tls_rsa_with_aes_cbc_sha2(TLS1.2 & above) ciphersuite
rsa-aes-gcm-sha2 Encryption type tls_rsa_with_aes_gcm_sha2(TLS1.2 & above) ciphersuite
Thank you
04-06-2020 03:58 AM - edited 04-06-2020 04:02 AM
Hi
This doc explains and shows the acceptable cipher suites to give you some idea. Use TLS 1.2, the highest SHA and AES where supported.
https://tools.cisco.com/security/center/resources/next_generation_cryptography
04-06-2020 08:14 AM
Hi,
Thanks for the response. From what I can see the following ciphers are for TLS v1.2 and above and meet Cisco's recommendation of using AES GCM as the encryption algorithm. Does this look right to you?
rsa-aes-gcm-sha2
dhe-aes-gcm-sha2
ecdhe-rsa-aes-gcm-sha2
ecdhe-ecdsa-aes-gcm-sha2
04-07-2020 03:07 AM - edited 04-07-2020 03:08 AM
Which ciphers you disable depends on more than just which are the most secure. Often there are larger issues at play such as client compatibility. You need to analyze your environment for such issues. Sometimes in our zeal to make the devices as secure as possible we can inadvertently deny service to legitimate infrastructure users or services thus making the "cure" worse than the "disease".
First ask yourself what are you using the https server for. If it's not in use then simply disable it. If it is in use, what are the clients - e.g. a few other infrastructure devices and applications or a larger end user base? In either case, consider carefully and test compatibility before committing to supporting only the strongest ciphers.
If all your analysis checks out then narrow things down to the strongest mutually compatible ciphersuite - e.g., the Suite B one.
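The two things the thread turns on are (a) sorting the IOS-XE cipher-suite keywords into "TLS 1.2 + AES-GCM" versus legacy, and (b) checking what a given client population can still negotiate before you restrict the server. The script below is an added example, not code from the thread or from Cisco: it parses the `Encryption type` help lines quoted in the first post, classifies each keyword, and intersects the server's enabled list with a (constructed) client's supported list to find the strongest mutual suite. The function names, the `Suite` record and the sample clients are assumptions for illustration; the preference order (AEAD over CBC over 3DES, then ECDHE over DHE over static RSA for forward secrecy) is the usual practitioner ordering, not something the thread spells out.

```python
"""Classify IOS-XE HTTPS cipher-suite keywords and check client compatibility.

Added example for the thread above; not Cisco code. Function and type names
are illustrative assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional

# Copied verbatim from the 'Encryption type' help output quoted in the first post.
IOS_XE_CIPHER_HELP = """\
3des-ede-cbc-sha Encryption type tls_rsa_with_3des_ede_cbc_sha ciphersuite
aes-128-cbc-sha Encryption type tls_rsa_with_aes_cbc_128_sha ciphersuite
aes-256-cbc-sha Encryption type tls_rsa_with_aes_cbc_256_sha ciphersuite
dhe-aes-128-cbc-sha Encryption type tls_dhe_rsa_with_aes_128_cbc_sha ciphersuite
dhe-aes-cbc-sha2 Encryption type tls_dhe_rsa_with_aes_cbc_sha2(TLS1.2 & above) ciphersuite
dhe-aes-gcm-sha2 Encryption type tls_dhe_rsa_with_aes_gcm_sha2(TLS1.2 & above) ciphersuite
ecdhe-ecdsa-aes-gcm-sha2 Encryption type tls_ecdhe_ecdsa_aes_gcm_sha2 (TLS1.2 & above) SuiteB ciphersuite
ecdhe-rsa-3des-ede-cbc-sha Encryption type tls_ecdhe_rsa_3des_ede_cbc_sha ciphersuite
ecdhe-rsa-aes-128-cbc-sha Encryption type tls_ecdhe_rsa_with_aes_128_cbc_sha ciphersuite
ecdhe-rsa-aes-cbc-sha2 Encryption type tls_ecdhe_rsa_aes_cbc_sha2(TLS1.2 & above) ciphersuite
ecdhe-rsa-aes-gcm-sha2 Encryption type tls_ecdhe_rsa_aes_gcm_sha2(TLS1.2 & above) ciphersuite
rsa-aes-cbc-sha2 Encryption type tls_rsa_with_aes_cbc_sha2(TLS1.2 & above) ciphersuite
rsa-aes-gcm-sha2 Encryption type tls_rsa_with_aes_gcm_sha2(TLS1.2 & above) ciphersuite
"""


@dataclass(frozen=True)
class Suite:
    name: str          # IOS-XE keyword, e.g. ecdhe-rsa-aes-gcm-sha2
    kx: str            # key exchange: ecdhe / dhe / rsa (static RSA = no forward secrecy)
    cipher: str        # aes-gcm / aes-cbc / 3des-cbc
    tls12_only: bool   # help text carries "(TLS1.2 & above)"


def parse_help(text: str) -> List[Suite]:
    """Turn the CLI help lines into Suite records (one per keyword)."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name = line.split()[0]
        if name.startswith("ecdhe-"):
            kx = "ecdhe"
        elif name.startswith("dhe-"):
            kx = "dhe"
        else:
            kx = "rsa"          # keywords with no kx prefix use static RSA key transport
        if "3des" in name:
            cipher = "3des-cbc"
        elif "gcm" in name:
            cipher = "aes-gcm"
        else:
            cipher = "aes-cbc"
        suites.append(Suite(name, kx, cipher, "TLS1.2" in line))
    return suites


def classify(s: Suite) -> str:
    """'recommended' = TLS 1.2-only AES-GCM (the thread's criterion);
    'avoid' = 3DES (64-bit block cipher); everything else 'acceptable'."""
    if s.cipher == "3des-cbc":
        return "avoid"
    if s.cipher == "aes-gcm" and s.tls12_only:
        return "recommended"
    return "acceptable"


def strength(s: Suite):
    """Sort key: AEAD first, then forward-secret key exchange. Higher is stronger."""
    aead = {"aes-gcm": 2, "aes-cbc": 1, "3des-cbc": 0}[s.cipher]
    fs = {"ecdhe": 2, "dhe": 1, "rsa": 0}[s.kx]
    return (aead, fs)


def recommended(suites: List[Suite]) -> List[Suite]:
    return [s for s in suites if classify(s) == "recommended"]


def avoid(suites: List[Suite]) -> List[Suite]:
    return [s for s in suites if classify(s) == "avoid"]


def strongest_common(server: List[Suite], client_names: List[str]) -> Optional[str]:
    """The compatibility check from the thread: intersect what the server
    offers with what a client supports; None means that client is locked out."""
    wanted = set(client_names)
    common = [s for s in server if s.name in wanted]
    return max(common, key=strength).name if common else None


if __name__ == "__main__":
    all_suites = parse_help(IOS_XE_CIPHER_HELP)
    hardened = recommended(all_suites)
    print("recommended:", [s.name for s in hardened])
    print("avoid:      ", [s.name for s in avoid(all_suites)])
    # Constructed client profiles: a modern browser and a legacy monitoring tool.
    modern = ["ecdhe-rsa-aes-gcm-sha2", "rsa-aes-gcm-sha2", "aes-128-cbc-sha"]
    legacy = ["aes-128-cbc-sha", "3des-ede-cbc-sha"]
    print("modern client, hardened server:", strongest_common(hardened, modern))
    print("legacy client, hardened server:", strongest_common(hardened, legacy))
```

Running it reproduces the four suites listed in the earlier reply as the recommended set and flags the two 3DES suites; the legacy-client case returns `None` against the hardened list, which is exactly the "cure worse than the disease" outcome the check is meant to surface before the change is committed.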