
Strong key exchange for vulnerability

Leftz
Level 4

Hi, we got the below info from a vulnerability security scan of a Cisco switch. I am not sure how to allow strong key exchange. Can anyone share some experience? Thank you


Change the SSL/TLS server configuration to only allow strong key exchanges. Key exchanges should provide at least 112 bits of security, which translates to a minimum key size of 2048 bits for Diffie-Hellman and RSA key exchanges.

Weak SSL/TLS Key Exchange

Accepted Solution

@Leftz do you even use SSL/TLS on the switches? As most organisations I work with do not, I therefore just disable SSL/TLS, using the command "no ip http secure-server".

You can explicitly configure the cipher suite with "ip http secure-ciphersuite <ciphersuite>":

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9200/software/release/17-3/configuration_guide/sec/b_173_sec_9200_cg/configuring_secure_socket_layer_http.html#con_1226558

You can also limit SSL/TLS connections using an ACL.

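As an added example (not from the thread and not Cisco's own reference config), here is what the two options in the answer look like in IOS-XE configuration, together with the 2048-bit key the scanner asks for. The trustpoint name, key label, hostname, ACL name and address range are hypothetical, and the exact cipher-suite keyword and the `access-class` syntax vary by release, so confirm both with `?` on the platform before applying.

```text
! Added example, hypothetical IOS-XE 17.x switch. Confirm keyword names with "?".
!
! Typical weak state behind the finding: a self-signed HTTPS certificate on a
! 1024-bit RSA key, every cipher suite enabled, and HTTPS reachable from anywhere.
!
! --- Option A: the HTTPS management interface is not used, so remove it ---
configure terminal
 no ip http server
 no ip http secure-server
end
!
! --- Option B: HTTPS is needed, so fix the key exchange instead ---
configure terminal
 ! 2048-bit RSA key dedicated to the HTTPS trustpoint (112-bit security level)
 crypto key generate rsa modulus 2048 label HTTPS-KEY
 crypto pki trustpoint HTTPS-TP
  enrollment selfsigned
  subject-name CN=sw1.example.net
  rsakeypair HTTPS-KEY
  exit
 crypto pki enroll HTTPS-TP
 ip http secure-trustpoint HTTPS-TP
 ! Restrict the server to one ECDHE suite: ECDHE gives forward secrecy and
 ! sidesteps the finite-field DH group-size question the scanner raises.
 ! Keyword assumed from the linked guide; check it with "?" on your release.
 ip http secure-ciphersuite ecdhe-rsa-aes-gcm-sha2
 ip http tls-version TLSv1.2
 ! Management-only ACL (constructed address range) as the answer suggests
 ip access-list standard MGMT-HTTPS
  permit 10.0.100.0 0.0.0.255
  deny any log
 ip http access-class ipv4 MGMT-HTTPS
end
!
! --- Verify before re-running the scan ---
show ip http server secure status
show crypto key mypubkey rsa HTTPS-KEY
```

Re-enrolling the trustpoint replaces the old self-signed certificate, so clients that pinned or trusted the previous one will need to accept the new certificate.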


Leftz
Level 4

Thank you Rob. I think you are correct.
