I'm looking at hardening the https server for a number of Cisco devices including IOS-XE for Cat9k switches and WLC.
Looking at the devices I can see that the following Cipher Suites can be supported but I'm not sure what the current recommendations are. Are there any from the list that are recommended and ones that should be avoided?
3des-ede-cbc-sha Encryption type tls_rsa_with_3des_ede_cbc_sha ciphersuite
aes-128-cbc-sha Encryption type tls_rsa_with_aes_cbc_128_sha ciphersuite
aes-256-cbc-sha Encryption type tls_rsa_with_aes_cbc_256_sha ciphersuite
dhe-aes-128-cbc-sha Encryption type tls_dhe_rsa_with_aes_128_cbc_sha ciphersuite
dhe-aes-cbc-sha2 Encryption type tls_dhe_rsa_with_aes_cbc_sha2(TLS1.2 & above) ciphersuite
dhe-aes-gcm-sha2 Encryption type tls_dhe_rsa_with_aes_gcm_sha2(TLS1.2 & above) ciphersuite
ecdhe-ecdsa-aes-gcm-sha2 Encryption type tls_ecdhe_ecdsa_aes_gcm_sha2 (TLS1.2 & above) SuiteB ciphersuite
ecdhe-rsa-3des-ede-cbc-sha Encryption type tls_ecdhe_rsa_3des_ede_cbc_sha ciphersuite
ecdhe-rsa-aes-128-cbc-sha Encryption type tls_ecdhe_rsa_with_aes_128_cbc_sha ciphersuite
ecdhe-rsa-aes-cbc-sha2 Encryption type tls_ecdhe_rsa_aes_cbc_sha2(TLS1.2 & above) ciphersuite
ecdhe-rsa-aes-gcm-sha2 Encryption type tls_ecdhe_rsa_aes_gcm_sha2(TLS1.2 & above) ciphersuite
rsa-aes-cbc-sha2 Encryption type tls_rsa_with_aes_cbc_sha2(TLS1.2 & above) ciphersuite
rsa-aes-gcm-sha2 Encryption type tls_rsa_with_aes_gcm_sha2(TLS1.2 & above) ciphersuite
This doc explains and shows the acceptable cipher suites to give you some idea. Use tls 1.2, highest sha and aes where supported.
Thanks for the response. From what I can see the following ciphers are for tls v1.2 and above and meet Cisco's recommendation of using AES GSM as the the encryption algorithms. Does this look right to you?
Which ciphers you disable depends on more than just which are the most secure. Often there are larger issues at play such as client compatibility. You need to analyze your environment for such issues. Sometimes in our zeal to make the devices as secure as possible we can inadvertently deny service to legitimate infrastructure users or services thus making the "cure" worse than the "disease".
First ask yourself what are you using the https server for. If it's not in use then simply disable it. If it is in use, what are the clients - e.g. a few other infrastructure devices and applications or a larger end user base? In either case, consider carefully and test compatibility before committing to supporting only the strongest ciphers.
If all your analysis checks out then narrow things down to the strongest mutually compatible ciphersuite - e.g., the Suite B one.