secure-ciphers for ConfD 7.5.2 support (DHE/ECDHE/TLS 1.2/TLS 1.3)

ydang
Cisco Employee

Hello Team,

 

Currently one of our projects is using ConfD 7.5.2 as our server to receive PnP communication from IOS XE devices.

 

And I'm in the middle of testing direct HTTPS from the device to the ConfD server (which requires me to configure the correct ciphers both on the IOS-XE devices and on the ConfD server (confd.conf)).

 

I'm using a self-signed certificate generated by OpenSSL 1.1.1. During my testing I found that, compared to ConfD 7.3, ConfD 7.5.2 has removed support for ciphers on protocols TLSv1.1 and TLSv1.2 and only supports TLSv1.3, which didn't leave me many options other than using the ciphers starting with "ecdhe-" or "dhe-" (from the device's perspective).

 

And here are my two questions:

1. Does anyone know how to configure the confd.conf file correctly in order for me to use ciphers like "ecdhe-" or "dhe-"?

2. Why would ConfD 7.5.2 remove support for ciphers on protocol TLSv1.2? (I understand TLSv1.1 should be gotten rid of, but why TLSv1.2?) What would happen to those devices which do not support TLSv1.3? It means ConfD 7.5.2 CANNOT communicate with those devices at all if using HTTPS.

 

Below is my testing screenshot.

 

[Screenshot: Screen Shot 2021-07-07 at 10.07.45 PM.png]

Any help is appreciated.

 

Regards,

James
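The situation James describes (a server that accepts only TLS 1.3, and a client that can only offer TLS 1.2) can be reproduced on the loopback interface to see exactly what each handshake negotiates. The script below is an added example for this thread; it is not part of the original post and it is not ConfD or IOS XE code. It assumes only Python 3.7+ and the openssl command-line tool (1.1.1 or newer, as in the post) to mint a throwaway self-signed certificate. It starts an in-process TLS server pinned to a chosen minimum protocol version, then probes it with clients pinned to TLS 1.2 only and TLS 1.3 only, and classifies the negotiated suite's key exchange (ECDHE, DHE, or RSA key transport). Pointed at a real host and port, `probe()` is the same check one would run against a ConfD or device HTTPS endpoint before changing any cipher configuration.

```python
"""Probe which TLS versions and key exchanges a TLS server will negotiate.

Added example for this thread, not ConfD or IOS XE code. The only external
dependency is the openssl CLI (assumed 1.1.1 or newer) for the test cert.
"""
import os
import socket
import ssl
import subprocess
import tempfile
import threading
from pprint import pprint


def make_self_signed_cert(directory):
    """Create a throwaway RSA-2048 key and self-signed cert (test use only)."""
    key = os.path.join(directory, "key.pem")
    cert = os.path.join(directory, "cert.pem")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", "/CN=localhost", "-keyout", key, "-out", cert],
        check=True, capture_output=True)
    return cert, key


def key_exchange(cipher_name):
    """Classify the key exchange from an OpenSSL cipher suite name."""
    if cipher_name.startswith("TLS_"):
        return "(EC)DHE (TLS 1.3)"   # TLS 1.3 suites always use ephemeral (EC)DH
    for prefix, kx in (("ECDHE-", "ECDHE"), ("DHE-", "DHE"), ("EDH-", "DHE"),
                       ("ECDH-", "static ECDH"), ("DH-", "static DH")):
        if cipher_name.startswith(prefix):
            return kx
    return "RSA key transport (no forward secrecy)"   # e.g. AES256-GCM-SHA384


def probe(host, port, min_version, max_version, ciphers=None):
    """One handshake pinned to [min_version, max_version].

    Returns (protocol, cipher, key_exchange), or None if the server refuses.
    Verification is off because the peer here uses a self-signed test cert;
    keep it on against anything you do not control.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = min_version
    ctx.maximum_version = max_version
    if ciphers:                       # TLS 1.2 suite filter, e.g. "ECDHE" or "DHE"
        ctx.set_ciphers(ciphers)
    try:
        with socket.create_connection((host, port), timeout=5) as raw:
            with ctx.wrap_socket(raw) as tls:
                name = tls.cipher()[0]
                return tls.version(), name, key_exchange(name)
    except OSError:                   # ssl.SSLError (protocol_version alert) is an OSError
        return None


class TlsServer:
    """Loopback TLS server whose minimum protocol version we control."""

    def __init__(self, certfile, keyfile, min_version):
        self.ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        self.ctx.load_cert_chain(certfile, keyfile)
        self.ctx.minimum_version = min_version   # TLSv1_3 here models a "TLS 1.3 only" server
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))          # OS-assigned port, no collisions
        self.sock.listen(5)
        self.sock.settimeout(0.2)                 # lets the accept loop notice a stop request
        self.port = self.sock.getsockname()[1]
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            conn.settimeout(5)
            try:
                with self.ctx.wrap_socket(conn, server_side=True) as tls:
                    tls.recv(1)          # wait for the client to finish and close
            except OSError:              # refused protocol versions land here
                pass
            finally:
                conn.close()

    def close(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()


def survey(host, port):
    """Client profiles from the post: TLS 1.2 only (optionally ECDHE suites only), TLS 1.3 only."""
    V = ssl.TLSVersion
    return {
        "tls1_2": probe(host, port, V.TLSv1_2, V.TLSv1_2),
        "tls1_2_ecdhe_only": probe(host, port, V.TLSv1_2, V.TLSv1_2, ciphers="ECDHE"),
        "tls1_3": probe(host, port, V.TLSv1_3, V.TLSv1_3),
    }


def demo():
    """Run the survey against a TLS 1.2+ server and against a TLS 1.3-only server."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cert, key = make_self_signed_cert(tmp)
        for label, min_version in (("server: TLS 1.2 and 1.3", ssl.TLSVersion.TLSv1_2),
                                   ("server: TLS 1.3 only", ssl.TLSVersion.TLSv1_3)):
            server = TlsServer(cert, key, min_version)
            try:
                results[label] = survey("127.0.0.1", server.port)
            finally:
                server.close()
    return results


if __name__ == "__main__":
    pprint(demo())
```

Against the TLS 1.3-only server the TLS 1.2-only client gets `None` (the server answers with a protocol_version alert), which is the failure a device without TLS 1.3 would hit; against the TLS 1.2+ server the same client negotiates an ECDHE-RSA suite, and the `ciphers="ECDHE"` profile shows how to confirm that only forward-secret suites are on offer. TLS 1.3 suite names (`TLS_AES_256_GCM_SHA384`) carry no key-exchange prefix because TLS 1.3 negotiates ephemeral (EC)DH separately from the cipher suite.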

Accepted Solution

jlawitzk
Cisco Employee

This forum is for NSO, and ConfD questions are out of scope here.

 

For ConfD questions, please, use one of these three channels:

  1. File a support ticket in the RT system for Tail-f/Cisco Support. If you don't know what the RT system is, your project should have designated people who have access to the system.
  2. Post a question on the public ConfD User Community Forum at https://discuss.tail-f.com.
  3. Since you are with Cisco, you can also ask questions in the ConfD Internal Developer Portal in Employee Communities. I'm not posting the URL for the internal site since this is a public forum. Go to Employee Communities and search for "ConfD Internal Developer Portal".

 


2 Replies


Thank you. I will post it on the ConfD Internal Developer Portal.

 

Regards,

James