Solved: Weak SSL/TLS Key Exchange in cisco switch

Leftz · ‎08-03-2022

Hi We have switch WS-C3850. IOS is a little bit old. Currently we do not plan to upgrade. and we got message about security vulnerability. Please see below. Anyone can share some experience what action can resolve the issue? Thank you

Weak SSL/TLS Key Exchange
Cisco Router/Switch Default Password Vulnerability

Rob Ingram · ‎08-03-2022

@Leftz do you even use https to manage the switch, if not disable it - "no ip http secure-server"

You can secure the HTTPS ciphersuites using "ip http secure-ciphersuite" command. Example "ip http secure-ciphersuite dhe-aes-256-cbc-sha dhe-aes-128-cbc-sha" or specify a strong ciphersuite that is supported by your old image. Use "ip http secure-ciphersuite ?" to find out what is supported.

View solution in original post

Rob Ingram · ‎08-03-2022

@Leftz do you even use https to manage the switch, if not disable it - "no ip http secure-server"

You can secure the HTTPS ciphersuites using "ip http secure-ciphersuite" command. Example "ip http secure-ciphersuite dhe-aes-256-cbc-sha dhe-aes-128-cbc-sha" or specify a strong ciphersuite that is supported by your old image. Use "ip http secure-ciphersuite ?" to find out what is supported.

MHM Cisco World · ‎08-03-2022

friend this is SW not Web Server, so you need only the Admin PC to access to SSL HTTP in SW,
if you can not Upgrade the SW at less Downgrade the Admin PC or use weak other cipher SSL ver.

Leftz · ‎08-04-2022

Thank you!