
Weak SSL/TLS Key Exchange in Cisco switch

zshowip
Enthusiast

Hi, we have a WS-C3850 switch. The IOS is a little bit old. Currently we do not plan to upgrade, and we got a message about a security vulnerability. Please see below. Can anyone share some experience on what action can resolve the issue? Thank you

Weak SSL/TLS Key Exchange
Cisco Router/Switch Default Password Vulnerability

 

Accepted Solution

Rob Ingram
VIP Expert

@zshowip do you even use HTTPS to manage the switch? If not, disable it: "no ip http secure-server"

You can secure the HTTPS ciphersuites using the "ip http secure-ciphersuite" command. Example: "ip http secure-ciphersuite dhe-aes-256-cbc-sha dhe-aes-128-cbc-sha", or specify a strong ciphersuite that is supported by your old image. Use "ip http secure-ciphersuite ?" to find out what is supported.


3 Replies

MHM Cisco World
Advisor

Friend, this is a SW, not a web server, so only the Admin PC needs to access SSL HTTP on the SW.
If you cannot upgrade the SW, at least downgrade the Admin PC or use another weak cipher SSL version.

zshowip
Enthusiast

Thank you!
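
An added example, not part of the thread and not Cisco tooling: an offline check of a saved running-config for the HTTPS settings named in the accepted solution ("no ip http secure-server", "ip http secure-ciphersuite"). The sample configs are constructed, and the name-based weak/acceptable policy is an assumption of this example.

```python
import re

# Assumed policy for this example (not a Cisco or scanner definition):
# require ephemeral DH key exchange, reject legacy ciphers and MACs by name.
EPHEMERAL_PREFIXES = ("dhe-", "ecdhe-")
LEGACY_TOKENS = ("rc4", "des", "md5", "null")

# Constructed sample configs (fragments of a saved running-config).
DEFAULT = "ip http secure-server\n"
WEAK = "ip http secure-server\nip http secure-ciphersuite rc4-128-md5 aes-128-cbc-sha\n"
HARDENED = ("ip http secure-server\n"
            "ip http secure-ciphersuite dhe-aes-256-cbc-sha dhe-aes-128-cbc-sha\n")
DISABLED = "no ip http secure-server\n"


def audit_https(config: str) -> list[str]:
    """Return findings for the HTTPS management server in an IOS config."""
    enabled = False
    suites = None  # None: no 'ip http secure-ciphersuite' line was seen
    for raw in config.splitlines():
        line = raw.strip().lower()
        if line == "ip http secure-server":
            enabled = True
        elif line == "no ip http secure-server":
            enabled = False
        elif m := re.match(r"ip http secure-ciphersuite\s+(.+)", line):
            suites = m.group(1).split()
    if not enabled:
        return []  # HTTPS server is off, so no TLS listener to flag
    if suites is None:
        return ["HTTPS enabled with no secure-ciphersuite restriction"]
    findings = []
    for s in suites:
        if not s.startswith(EPHEMERAL_PREFIXES):
            findings.append(f"{s}: key exchange is not ephemeral DH")
        if any(tok in s for tok in LEGACY_TOKENS):
            findings.append(f"{s}: legacy cipher or MAC")
    # Suite names do not reveal the DH group or certificate key size,
    # so a clean result here still needs a rescan to confirm.
    return findings


if __name__ == "__main__":
    for name, cfg in [("default", DEFAULT), ("weak", WEAK),
                      ("hardened", HARDENED), ("disabled", DISABLED)]:
        print(name, audit_https(cfg) or "no findings")
```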
