SSL/TLS: Certificate Signed Using A Weak Signature Algorithm
03-14-2022 08:27 AM
Hello, our switch Cisco WS-C2960L-SM-24PS has this vulnerability, and the recommended solution is to obtain new SHA-2 signed SSL/TLS certificates to avoid web browser SSL/TLS certificate warnings. Can you please guide me on how to do this or suggest some commands that I can run on the device? Thanks in advance.
Labels: Other Network Security Topics
03-14-2022 09:03 AM
Check the self-signed certificate (clients are also required to trust that certificate). Do you have a PKI infrastructure inside?
03-14-2022 09:08 AM
@PaoloArnedo are you actually using the HTTP or HTTPS server on the switch to manage the device? If not, disable them and then the switch won't be listening on tcp/443.
If you are, create a new trustpoint and authenticate/enroll the certificate to generate a CSR, then sign the certificate with your internal CA.
Example trustpoint:
crypto pki trustpoint LAB_PKI
 enrollment terminal
 revocation-check none
Once the signed certificate has been imported, assign it to the trustpoint:
ip http secure-trustpoint LAB_PKI
Delete the old trustpoint.
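An added check, not part of this thread or of Cisco's tooling: after the new certificate is assigned, confirm that what the switch now serves is no longer signed with MD5 or SHA-1. The function below reads the outer signatureAlgorithm of a DER-encoded X.509 certificate with a minimal stdlib-only DER walker; the sample certificates it is run against are constructed skeletons (correct outer structure, dummy contents), not real certificates.

```python
# signatureAlgorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758); the weak set is what scanners flag.
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4": "md5WithRSAEncryption",
                 "1.2.840.113549.1.1.5": "sha1WithRSAEncryption"}
OK_SIG_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
               "1.2.840.10045.4.3.2": "ecdsa-with-SHA256"}

def der_tlv(buf, pos):
    """Read one DER element at buf[pos]; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(content):
    """Turn OBJECT IDENTIFIER content octets into dotted notation."""
    arcs, acc = [str(content[0] // 40), str(content[0] % 40)], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this base-128 arc
            arcs.append(str(acc))
            acc = 0
    return ".".join(arcs)

def signature_algorithm(der_cert):
    """Return (oid, name, verdict) for the certificate's outer signatureAlgorithm."""
    _, cert, _ = der_tlv(der_cert, 0)       # Certificate ::= SEQUENCE { tbs, algId, sig }
    _, _, pos = der_tlv(cert, 0)            # skip tbsCertificate
    _, alg_id, _ = der_tlv(cert, pos)       # AlgorithmIdentifier ::= SEQUENCE { OID, params }
    _, oid_bytes, _ = der_tlv(alg_id, 0)    # first element is the OBJECT IDENTIFIER
    oid = decode_oid(oid_bytes)
    if oid in WEAK_SIG_OIDS:
        return oid, WEAK_SIG_OIDS[oid], "weak"
    return oid, OK_SIG_OIDS.get(oid, "unrecognised"), "ok" if oid in OK_SIG_OIDS else "review"

def _der(tag, content):
    """Tiny DER encoder, used only to build the constructed sample below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_cert(sig_oid_content):
    """Constructed certificate skeleton (not a real cert): tbs, AlgorithmIdentifier, BIT STRING."""
    tbs = _der(0x30, b"\x00" * 200)         # > 127 bytes, so the long-form length path is used
    alg_id = _der(0x30, _der(0x06, sig_oid_content) + b"\x05\x00")
    return _der(0x30, tbs + alg_id + _der(0x03, b"\x00" * 17))

SHA1_RSA, SHA256_RSA = bytes.fromhex("2a864886f70d010105"), bytes.fromhex("2a864886f70d01010b")
```

To run it against the switch itself, fetch the served certificate with `ssl.get_server_certificate((host, 443))` and convert it with `ssl.PEM_cert_to_DER_cert` before passing it to `signature_algorithm`.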
03-14-2022 09:12 AM
Thank you for the insight. To answer your question, yes, I am using HTTP as a server. Does the process need a reboot of the device, and can it affect the hosts communicating with the switch?
03-14-2022 09:14 AM
@PaoloArnedo the web interface (HTTP or HTTPS) is for management purposes only, so it will not affect the connected hosts. No, it does not require a reboot.
03-14-2022 09:48 AM
Thank you! Also, may I ask, how do I deploy (Ephemeral) Elliptic-Curve Diffie-Hellman (ECDHE) or use a 2048-bit or stronger Diffie-Hellman group on the device?
03-14-2022 09:15 AM - edited 03-14-2022 09:57 AM
....
