Diffie-Hellman Key Exchange /Report Weak Cipher Suites

PaoloArnedo
Level 1

Hi Guys, hope someone can help me on this.

I have a Cisco Switch 2960x 48 ports. Our internal monitoring says that I should enable Diffie-Hellman Key Exchange and disable weak cipher suites, but when I went to enable Diffie-Hellman Key Exchange the command says "incomplete command". Also, the switch has Version 15.2(4r)E3. Can someone help me get this done? Thanks in advance!

Accepted Solutions

Francesco Molino
VIP Alumni
Hi

Can you share commands you tried?

Have you tried the following:
- ip ssh serv alg kex --> then choose the one you want
- ip ssh dh min 2048|4096 (--> choose the one you want)
...



Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco,

Please see command:

#ip http secure-ciphersuite ?
  aes-128-cbc-sha            Encryption type tls_rsa_with_aes_cbc_128_sha ciphersuite
  aes-256-cbc-sha            Encryption type tls_rsa_with_aes_cbc_256_sha ciphersuite
  dhe-aes-128-cbc-sha        Encryption type tls_dhe_rsa_with_aes_128_cbc_sha ciphersuite
  dhe-aes-256-cbc-sha        Encryption type tls_dhe_rsa_with_aes_256_cbc_sha ciphersuite
  edche-rsa-aes-256-cbc-sha  Encryption type tls_ecdhe_rsa_aes_256_cbc_sha ciphersuite
  edche-rsa-rc4-128-sha      Encryption type tls_ecdhe_rsa_rc4_128_sha ciphersuite
  null-sha                   Encryption type tls_rsa_with_null_sha ciphersuite

AMG-SW(config)#ip http secure-ciphersuite edche-rsa-aes-256-cbc-sha
% Incomplete command.

Also tried the command you gave me, still got some errors:

ip ssh dh min 2048|4096
                       ^
% Invalid input detected at '^' marker.

Thanks in advance!!

I'm not sure. Did you try the commands I gave you? Did it work?

The last command with 2048|4096 is either 2048 or 4096. You don't have to type the 2 numbers with the pipe sign.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
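
Added example, not part of the original thread and not Cisco code: a small Python check that reads saved running-config text and reports which configured HTTPS cipher-suite keywords (the ones from the `ip http secure-ciphersuite ?` output above) lack a Diffie-Hellman exchange or use NULL/RC4, and whether the SSH DH minimum is below 2048 bits. It assumes the running-config stores the SSH setting in its full form `ip ssh dh min size <bits>`; the function names and the sample config are constructed for illustration.

```python
import re

# Suite keywords are the ones listed by `ip http secure-ciphersuite ?` in the thread.
def classify_suite(name):
    """Return a list of findings for one IOS HTTPS cipher-suite keyword."""
    n = name.lower()
    findings = []
    if "null" in n:
        findings.append("no encryption")
    if "rc4" in n:
        findings.append("RC4 stream cipher")
    # dhe-* and the switch's edche-* (ECDHE) keywords use an ephemeral DH exchange
    if not re.match(r"(dhe|edche|ecdhe)-", n):
        findings.append("static RSA key exchange, no Diffie-Hellman")
    return findings

def audit_config(config_text, min_dh_bits=2048):
    """Scan running-config text; return a list of (item, finding) tuples."""
    report = []
    dh_seen = https_seen = False
    for raw in config_text.splitlines():
        line = raw.strip()
        m = re.match(r"ip http secure-ciphersuite\s+(.+)$", line)
        if m:
            https_seen = True
            for suite in m.group(1).split():
                report.extend((suite, f) for f in classify_suite(suite))
            continue
        # Assumption: the full stored form of the abbreviated `ip ssh dh min` command
        m = re.match(r"ip ssh dh min size\s+(\d+)$", line)
        if m:
            dh_seen = True
            if int(m.group(1)) < min_dh_bits:
                report.append((line, f"SSH DH modulus below {min_dh_bits} bits"))
    if not dh_seen:
        report.append(("ip ssh dh min size", "not configured, default applies"))
    if not https_seen:
        report.append(("ip http secure-ciphersuite", "not configured, suites not restricted"))
    return report

# Constructed sample config, not taken from the poster's switch.
SAMPLE = """\
hostname EXAMPLE-SW
ip http secure-server
ip http secure-ciphersuite aes-128-cbc-sha dhe-aes-256-cbc-sha edche-rsa-rc4-128-sha
ip ssh dh min size 1024
"""

if __name__ == "__main__":
    for item, finding in audit_config(SAMPLE):
        print(f"{item}: {finding}")
```

On the sample, the check passes `dhe-aes-256-cbc-sha` and flags the static-RSA suite, the RC4 suite and the 1024-bit SSH minimum.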