10-28-2010 06:31 AM - edited 03-09-2019 11:14 PM
How do I disable weak ciphers on an ASA 5520 and a 2800 series router?
I am being told I only need to force the use of SSL2 and weak ciphers will be disabled.
Is this correct and where can I get information to confirm it?
10-29-2010 08:28 AM
you can restrict ASA and IOS SSL ciphersuites using these commands:
on ios: ip http secure-ciphersuite
on asa: ssl encryption
for more info:
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1511225
Hope this helps.
Regards,
Fadi.
10-29-2010 10:07 AM
On the ASA you also have a FIPS compliance command "fips enable" that will enforce FIPS compliance.
For the router, note the "auto-secure" feature that locks the router down.
I hope it helps.
PK
12-18-2016 09:24 PM
hi,
I have a Cisco ASA 5525-X. I need help to resolve the cases below for hardening:
1. SSH Weak Cipher Used - how can I use 3DES or AES here?
2. SSH Weak Cipher Used - how do I remove RC4-SHA1 in the SSL settings?
sudhir.
01-13-2017 03:23 AM
For ssh, use the "ssh cipher encryption" command in config mode.
Note that your ssh client software (and any management programs that use ssh to log into the ASA) need to support strong ciphers.
For ssl, use the "ssl cipher encryption" command.
Note that setting strong ciphers for SSL will require you to download the Java Cryptographic Extensions (JCE) and keep them in your Java security folder across Java upgrades to be able to use ASDM to manage ASAs thus secured.
Example for ssh:
asa# show ssh ciphers
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
all: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
low: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
medium: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
fips: aes128-cbc aes256-cbc
high: aes256-cbc aes256-ctr
Integrity Algorithms:
all: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
low: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
medium: hmac-sha1 hmac-sha1-96
fips: hmac-sha1
high: hmac-sha1
asa#
asa(config)# ssh cipher encryption ?
configure mode commands/options:
all Specify all ciphers
custom Choose a custom cipher encryption configuration string.
fips Specify only FIPS-compliant ciphers
high Specify only high-strength ciphers
low Specify low, medium, and high strength ciphers
medium Specify medium and high strength ciphers (default)
asa(config)#
05-25-2017 07:51 PM
I have C2960 switch
IOS - c2960s-universalk9-mz.122-55.SE10
1.HTTP Basic Authentication Enabled (http-basic-auth-clear text)
2.TLS/SSL Server Supports Weak Cipher Algorithms (ssl-weak-ciphers)
3.Untrusted TLS/SSL server X.509 certificate (tls-untrusted-ca)
How can I fix it? Please advise.
Thanks
05-25-2017 09:57 PM
If you are not using the http server then just disable it:
no ip http server
no ip http secure-server
If you must use it (such as is required in order to use Cisco Network Assistant) and want to eliminate those audit flags then you have to address the issues one by one:
1. Don't use the ip http server since it can only use unsecured (clear text) authentication.
2. Create a new strong private key for your server to use in an SSL certificate. I wrote a post about 4 years ago that outlines how to do this:
https://supportforums.cisco.com/discussion/11959386/change-certificate-used-cisco-3850
Then restrict your http secure-server to more secure cipher suite as shown here:
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/command/nm-https-cr-book/nm-https-cr-cl-sh.html#wp5030573150
If you need to go with a suite stronger than 3DES (like AES) then you would have to upgrade to a newer IOS in the 15.1(2) or later range.
http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116055-technote-ios-crypto.html#anc5
3. Get a certificate for the switch by creating a Certificate Signing Request and submitting it to a trusted public CA. (I have never seen anybody do this for a switch in my many years of securing networks.)
Or instead of all of the above you could simply undertake to implement a compensating control like an access-list to restrict http/https access to a small set of trusted computers like a management subnet.
05-26-2017 10:09 PM
I did all of that, but I cannot login to the switch via https
https://supportforums.cisco.com/discussion/11959386/change-certificate-u...
ip https secure server enabled
From IE 11
This page can’t be displayed
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://192.168.0.19 ; again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
Change settings
Thanks
05-27-2017 03:13 AM
Can you share the running configuration?
05-27-2017 07:18 AM
05-27-2017 09:35 PM
You have the command:
ip http secure-client-auth
That requires a client-side certificate to securely authenticate to the server (i.e., your switch). Please remove that command and try again.
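To tie the three answers above together (the ASA "ssh cipher"/"ssl encryption" levels, the IOS "ip http" hardening steps, and the "ip http secure-client-auth" gotcha), here is a small config linter that flags the same audit items from a saved running-config. This is an added example, not code from the thread or from Cisco; the sample config fragments are constructed to mimic the commands discussed, and the rule names are my own labels modelled on the scanner findings quoted in the posts.

```python
import re

# Constructed sample configs (not from the thread); they mimic the IOS and ASA
# commands discussed in the posts above.
IOS_WEAK = """\
hostname sw-lab
ip http server
ip http secure-server
ip http secure-client-auth
ip http secure-ciphersuite 3des-ede-cbc-sha rc4-128-sha rc4-128-md5 des-cbc-sha
"""

IOS_HARDENED = """\
hostname sw-lab
no ip http server
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http access-class 10
"""

ASA_WEAK = """\
hostname asa-lab
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssh cipher encryption low
ssh cipher integrity low
"""

# Suite tokens treated as weak: RC4, single DES (not 3DES), MD5 MACs, and
# NULL/export suites. 3DES is left alone because the thread's 12.2 IOS offers
# nothing stronger; tighten this once the box runs an AES-capable release.
WEAK_TOKEN = re.compile(r"rc4|(?<!\w)des-|md5|null|export", re.I)

# Commands whose trailing arguments are a cipher-suite list.
SUITE_CMDS = ("ip http secure-ciphersuite", "ssl encryption")

# 'ssh cipher ...' levels that still admit the weakest algorithm set in the
# 'show ssh ciphers' output quoted above (all/low include 3des-cbc and hmac-md5).
PERMISSIVE_SSH_LEVELS = {"all", "low"}


def lint_config(text):
    """Return a list of (line_no, rule, message) for the hardening issues this
    thread discusses. Line 0 marks a finding about the config as a whole."""
    findings = []
    has_https = False
    suites_restricted = False

    for no, raw in enumerate(text.splitlines(), 1):
        line = " ".join(raw.split())  # normalise whitespace
        if line == "ip http server":
            findings.append((no, "http-basic-auth-clear-text",
                             "plain HTTP sends credentials in clear text; use 'no ip http server'"))
        elif line == "ip http secure-server":
            has_https = True
        elif line == "ip http secure-client-auth":
            findings.append((no, "https-client-cert-required",
                             "server demands a client certificate; browsers without one get a connection error"))
        elif line.startswith(SUITE_CMDS):
            suites_restricted = True
            cmd = next(c for c in SUITE_CMDS if line.startswith(c))
            weak = [t for t in line[len(cmd):].split() if WEAK_TOKEN.search(t)]
            if weak:
                findings.append((no, "ssl-weak-ciphers",
                                 "weak suites enabled: " + ", ".join(weak)))
        elif line.startswith(("ssh cipher encryption", "ssh cipher integrity")):
            level = line.split()[-1]
            if level in PERMISSIVE_SSH_LEVELS:
                findings.append((no, "ssh-weak-ciphers",
                                 f"'{line}' admits the weakest algorithm set; use medium, high, or fips"))

    # HTTPS on with no 'ip http secure-ciphersuite' means the server negotiates
    # its full default list, which on the 12.2 IOS in the thread includes RC4.
    if has_https and not suites_restricted:
        findings.append((0, "ssl-weak-ciphers",
                         "HTTPS enabled without 'ip http secure-ciphersuite'; default suite list is offered"))
    return findings


def rules(text):
    """Convenience: the set of rule names a config triggers."""
    return {rule for _, rule, _ in lint_config(text)}


if __name__ == "__main__":
    for name, cfg in (("IOS weak", IOS_WEAK), ("IOS hardened", IOS_HARDENED), ("ASA weak", ASA_WEAK)):
        print(f"== {name} ==")
        for no, rule, msg in lint_config(cfg) or [(0, "ok", "no findings")]:
            print(f"  line {no}: [{rule}] {msg}")
```

Run it against a `show running-config` capture before and after the changes; the hardened IOS fragment produces no findings, while the weak fragments reproduce the scanner items the posts describe (clear-text HTTP, RC4/DES suites, permissive ssh cipher levels) plus the client-certificate requirement that broke the IE login.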
05-27-2017 11:37 PM
05-27-2017 11:50 PM
Since the certificate is self-signed by the switch, you need to have it in your trusted certificate store for IE to navigate to it.
Easiest is to just use Firefox and tell it to add an exception for the site.
While in Firefox you can also download the certificate. Then add it to your trusted root CA store in Windows. After you have done that you can re-launch IE and it should open fine.