11-24-2015 12:40 AM - edited 03-03-2019 08:03 AM
Hello,
I have a problem with CNA and all of my 2960X switches with newer IOS versions.
Version 15.0-2a.EX5 : HTTP and HTTPS work fine in CNA
after updating to
Version 15.2-2.E3 : only HTTP works, HTTPS doesn't work, I get a "Device not reachable".
The CLI shows the following messages:
Nov 24 09:24:23: %HTTPS: SSL handshake fail (-6992)
Nov 24 09:24:23: HTTP: ssl handshake failed (-40404)
Nov 24 09:24:23: HTTP: sock rd ev socket error EPIPE (0x20)
Nov 24 09:24:23: HTTP: Priv level granted 15
Nov 24 09:24:23: Tue, 24 Nov 2015 08:24:23 GMT 192.168.99.15 ok
Protocol = HTTP/1.1 Method = GET
Nov 24 09:24:23:
Nov 24 09:24:23: HTTP: Priv level granted 15
Nov 24 09:24:23: Tue, 24 Nov 2015 08:24:23 GMT 192.168.99.15 /exec/show/version/CR ok
Protocol = HTTP/1.1 Method = GET
Nov 24 09:24:23:
Nov 24 09:24:24: HTTP: Priv level granted 15
Nov 24 09:24:24: Tue, 24 Nov 2015 08:24:24 GMT 192.168.99.15 /exec/show/cluster/CR ok
Protocol = HTTP/1.1 Method = GET
Today I get the same behaviour with a 2960+ when updating to Version 15.0-2.SE8.
Is there a bug in the newer IOS versions?
11-29-2015 02:38 PM
Same issue in different browsers?
Try:
(config)#no crypto pki trustpoint TP-self-signed-xxxxxxxx
(config)#crypto key zeroize rsa
(config)#crypto key generate rsa
12-11-2015 07:37 AM
Hello,
No changes when deleting and generating keys; updating to 15.0-2SE9 has the same effect,
but now I have another debug message:
Cat3560X-48P-UG-1#deb ssl openssl errors
TLS errors debugging is on
Cat3560X-48P-UG-1#
*Jan 2 02:01:12: CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling TLSv1
*Jan 2 02:01:12: opssl_SetPKIInfo entry
*Jan 2 02:01:12: opssl_SetPKIInfo done.
*Jan 2 02:01:12: 0:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:315:
*Jan 2 02:01:12: %HTTPS: SSL handshake fail (-6992)
*Jan 2 02:01:12: HTTP: ssl handshake failed (-40404)
Cat3560X-48P-UG-1#
I'm not really familiar with HTTPS/SSL; could this be the error?
If yes, how can I fix my problem?
Thanks
12-15-2015 12:01 PM
The server (e.g. the switch) no longer supports the broken/insecure SSL3, but the client seems to use it (thus it is refused). Either upgrade the client or downgrade the server.
12-16-2015 02:04 AM
Hi,
It's a security bug or feature.
Symptom: CNA works with the SSL protocol; however, because of the POODLE vulnerability, Cisco has disabled SSL on the newer versions of IOS starting from 15.0(02)SE08 on 2960 and 3750 switches.
Workaround: Enable HTTP and access the switch from CNA via HTTP; it works.
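Added example, not part of the thread or of Cisco's code: a small Python script that decodes the OpenSSL error code from the "deb ssl openssl errors" output quoted above (0x1408F10B = SSL library, SSL3_GET_RECORD, "wrong version number") and mimics the server-side version check that makes a TLSv1-only switch refuse an SSLv3 client. The log text and the 5-byte record headers are constructed sample input; the constant values are OpenSSL 1.0.x's.

```python
import re

# Constructed sample input: the IOS "deb ssl openssl errors" lines quoted in this thread.
SAMPLE_LOG = """\
*Jan 2 02:01:12: CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling TLSv1
*Jan 2 02:01:12: 0:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:315:
*Jan 2 02:01:12: %HTTPS: SSL handshake fail (-6992)
*Jan 2 02:01:12: HTTP: ssl handshake failed (-40404)
"""

# OpenSSL 1.0.x packs an error code as lib (8 bits) | func (12 bits) | reason (12 bits).
ERR_LIB_SSL = 20
SSL_F_SSL3_GET_RECORD = 143
SSL_R_WRONG_VERSION_NUMBER = 267

def decode_openssl_error(code):
    """Split a packed OpenSSL error code into its library, function and reason numbers."""
    return {"lib": (code >> 24) & 0xFF, "func": (code >> 12) & 0xFFF, "reason": code & 0xFFF}

ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):")

def diagnose(log_text):
    """Classify the handshake failure in IOS debug output; returns a short verdict string."""
    ssl3_disabled = "SSL3.0 is no longer supported" in log_text
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if not m:
            continue
        err = decode_openssl_error(int(m.group(1), 16))
        if err["lib"] == ERR_LIB_SSL and err["reason"] == SSL_R_WRONG_VERSION_NUMBER:
            if ssl3_disabled:
                return "version mismatch: client spoke SSLv3, switch only accepts TLSv1+"
            return "version mismatch: client record version not accepted by server"
    return "no OpenSSL version error found"

def server_accepts_record(record, min_version=(3, 1)):
    """Mimic the server-side check: bytes 1-2 of a TLS record header carry the protocol
    version; anything below min_version (3.1 = TLSv1.0) is refused, which is what an
    SSLv3-only client such as old CNA hits when it opens the connection with a 3.0 record."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    major, minor = record[1], record[2]
    return (major, minor) >= min_version

# Constructed 5-byte record headers: type 0x16 = handshake, then version, then 2-byte length.
SSLV3_HELLO = bytes([0x16, 0x03, 0x00, 0x00, 0x2A])
TLS10_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x2A])

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
    print("SSLv3 record accepted:", server_accepts_record(SSLV3_HELLO))
    print("TLS1.0 record accepted:", server_accepts_record(TLS10_HELLO))
```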