Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1395
Views
10
Helpful
2
Replies

secure-ciphers for CONFD 7.5.2 support( DHE/EDCHE/TLS1.2/TLS1.3)

Go to solution
ydang
Cisco Employee
Cisco Employee

‎07-08-2021 10:59 AM - edited ‎07-08-2021 11:07 AM

Hello Team,

 

Currently one of our project is using CONFD 7.5.2 as our server to receive pnp communication with IOS XE devices.

 

And I'm in the middle of testing the direct https from the device to confd server. (which will require me to configure the correct ciphers on both IOS-XE devices as well as confd server(confd.conf))

 

I'm using a self signed certificate generated by openssl 1.1.1. And during my testing I found out compare to Confd7.3 to Confd7.5.2, Confd7.5.2 has removed the support for ciphers on protocol tlsv1.1 and tlsv1.2 and only support tlsv 1.3 which for me didn't left me much options but to use the ciphers start with "ecdhe-" or "dhe-"(from device perspective)

 

And here is my 2 questions:

1. Does anyone know how to configure correctly in confd.conf file in order for me to use ciphers like "ecdhe-" or "dhe-"?

2. Why would Confd 7.5.2 remove the support cipher for protocol tlsv1.2? (I mean I understand tlsv1.1 should be get rid of but why tlsv1.2) what would happen to those devices which does not support protocol tlsv1.3, which means confd 7.5.2 CAN NOT communicate with those devices at all if using https.

 

Below is my testing screenshot. 

 

Screen Shot 2021-07-07 at 10.07.45 PM.png

Any help is appreciated.

 

Regards,

James 

Preview file
1360 KB
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
jlawitzk
Cisco Employee
Cisco Employee

‎07-12-2021 08:34 AM

This forum is for NSO and ConfD questions are out-of-scope here.

 

For ConfD questions, please, use one of these three channels:

  1. File a support ticket in the RT system for Tail-f/Cisco Support. if you don't know what the RT system is, your project should have designated people who have access to the system.
  2. Post a question on the public ConfD User Community Forum at https://discuss.tail-f.com.
  3. Since you are with Cisco, you can also ask questions in the ConfD Internal Developer Portal in Employee Communities. I'm not posting the URL for the internal site since this is a public forum.  Go to Employee Communities and search for "ConfD Internal Developer Portal".

 

View solution in original post

2 Replies 2

Go to solution
jlawitzk
Cisco Employee
Cisco Employee

‎07-12-2021 08:34 AM

This forum is for NSO and ConfD questions are out-of-scope here.

 

For ConfD questions, please, use one of these three channels:

  1. File a support ticket in the RT system for Tail-f/Cisco Support. if you don't know what the RT system is, your project should have designated people who have access to the system.
  2. Post a question on the public ConfD User Community Forum at https://discuss.tail-f.com.
  3. Since you are with Cisco, you can also ask questions in the ConfD Internal Developer Portal in Employee Communities. I'm not posting the URL for the internal site since this is a public forum.  Go to Employee Communities and search for "ConfD Internal Developer Portal".

 

Go to solution
ydang
Cisco Employee
Cisco Employee
In response to jlawitzk

‎07-12-2021 09:24 AM

Thank you. I will posted on CONFD internal developer portal.

 

Regards,

James

Customers Also Viewed These Support Documents