Disable TLS 1.1 on TCP port 9005 from DNA Center (maglev-web-install)

Hi All,

I have a scan of vulnerabilities (Qualys) on my network that detected TLS version 1.1 running on DNA Center on ports TCP 443 and 9005.

My DNA Center is a 3 node cluster running version 2.3.3.7-72328-HF5

I've disabled it following this instruction: Cisco Catalyst Center Security Best Practices Guide - Cisco

Results below:

$ magctl service tls_version --tls-min-version show
TLS minimum version is 1.2

It's working for TCP port 443 as below:

M:\>curl -k -v -s https://10.156.34.145 --tlsv1.1 --tls-max 1.1
* Trying 10.156.34.145:443...
* Connected to 10.156.34.145 (10.156.34.145) port 443
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* schannel: next InitializeSecurityContext failed: SEC_E_UNSUPPORTED_FUNCTION (0x80090302) - The function requested is not supported
* Closing connection
* schannel: shutting down SSL/TLS connection with 10.156.34.145 port 443

But TCP port 9005 is still responding on TLS version 1.1:

M:\>curl -k -v -s https://10.156.34.145:9005 --tlsv1.1 --tls-max 1.1
* Trying 10.156.34.145:9005...
* Connected to 10.156.34.145 (10.156.34.145) port 9005
* schannel: disabled automatic use of client certificate
* schannel: using IP address, SNI is not supported by OS.
* ALPN: curl offers http/1.1
* ALPN: server did not agree on a protocol. Uses default.
* using HTTP/1.x
> GET / HTTP/1.1
> Host: 10.156.34.145:9005
> User-Agent: curl/8.4.0
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< CONTENT-TYPE: application/json; charset=utf-8
< CONTENT-LENGTH: 61
< DATE: Tue, 09 Jan 2024 16:22:52 GMT
< SERVER: Python/3.5 aiohttp/2.2.5
<
{"response": {"errorCode": "ERROR", "error": "Unauthorized"}}* Connection #0 to host 10.156.34.145 left intact

The same instruction link above explains that TCP port 9005 belongs to maglev-web-install, a service responsible for cluster formation. I've opened a TAC case to check other ways to disable TLS 1.1 on this service, but the engineer told me that it is not possible to disable TLS 1.1 on it and to disable this service as a workaround (maglev-config webinstall disable).

My concern was regarding cluster formation with this service disabled. I tested it by disabling the service and breaking the cluster, and the cluster really did not re-establish; it only re-established when I enabled the service again.

I asked the TAC engineer if there is anything on Cisco's roadmap to solve this vulnerability in future DNA Center versions instead of using a workaround that affects cluster formation, but he didn't know how to answer me.

Anybody else facing this same issue?

Thanks.
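The curl check in the post depends on the client's TLS stack still being willing to speak TLS 1.1 (the schannel lines show Windows refusing before any packet is sent on 443, so that result does not by itself prove the server rejected 1.1). The following script is an added example, not part of the original post and not Cisco tooling: it sends a hand-built TLS 1.1 ClientHello over a plain TCP socket, independent of the OS TLS library, and classifies the first record the server returns. A ServerHello carrying version 0x0302 means the port still negotiates TLS 1.1; an alert such as protocol_version or handshake_failure, or an immediate close, means it does not. The host 10.156.34.145 and ports 443/9005 are taken from the post as defaults; the cipher-suite list and the extension set are assumptions chosen to be acceptable to a typical TLS 1.1-era server.

```python
"""Probe whether a listener still negotiates TLS 1.1 (added example, not Cisco code)."""
import ipaddress
import os
import socket
import struct
import sys

TLS10 = 0x0301          # record-layer version, as real clients send it for compatibility
TLS11 = 0x0302          # client_version we offer in the ClientHello
TLS_VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2"}

# Assumption: a TLS 1.1-capable server accepts at least one of these common suites.
CIPHER_SUITES = [0xC014, 0xC013, 0x0035, 0x002F, 0x000A]

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version",
               71: "insufficient_security", 80: "internal_error"}


def _ext(ext_type, body):
    """Encode one TLS extension: type(2) length(2) body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(server_name=None, version=TLS11):
    """Return a complete TLS record holding a ClientHello with the given client_version."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    extensions = b""
    if server_name:                      # SNI only for hostnames, never for raw IPs
        name = server_name.encode()
        sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
        extensions += _ext(0x0000, sni)
    # supported_groups (secp256r1, secp384r1) so the ECDHE suites are usable
    extensions += _ext(0x000A, struct.pack("!HHH", 4, 0x0017, 0x0018))
    # ec_point_formats: uncompressed only
    extensions += _ext(0x000B, b"\x01\x00")
    body = struct.pack("!H", version) + os.urandom(32) + b"\x00"   # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                                           # one compression method: null
    body += struct.pack("!H", len(extensions)) + extensions
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello
    return struct.pack("!BHH", 22, TLS10, len(handshake)) + handshake


def parse_response(data):
    """Classify the first TLS record a server returned after our ClientHello."""
    if len(data) < 5:
        return ("closed", "no TLS record returned")
    ctype, _rec_version, length = struct.unpack("!BHH", data[:5])
    body = data[5:5 + length]
    if ctype == 22 and len(body) >= 6 and body[0] == 2:          # Handshake / ServerHello
        negotiated = struct.unpack("!H", body[4:6])[0]
        return ("accepted", TLS_VERSION_NAMES.get(negotiated, hex(negotiated)))
    if ctype == 21 and len(body) >= 2:                           # Alert
        return ("rejected", ALERT_NAMES.get(body[1], f"alert {body[1]}"))
    return ("unknown", f"record type {ctype}")


def probe(host, port, timeout=5.0):
    """Connect, send a TLS 1.1 ClientHello, and return (status, detail)."""
    server_name = None
    try:
        ipaddress.ip_address(host)
    except ValueError:
        server_name = host
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(server_name))
            data = sock.recv(4096)
        return parse_response(data)
    except OSError as exc:
        return ("error", str(exc))


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "10.156.34.145"
    ports = [int(p) for p in sys.argv[2:]] or [443, 9005]
    for port in ports:
        status, detail = probe(host, port)
        print(f"{host}:{port} TLS 1.1 {status}: {detail}")
```

Run it as `python3 probe_tls11.py 10.156.34.145 443 9005`; a port that has really had TLS 1.1 disabled reports "rejected" or "closed", while a port that answers "accepted: TLS 1.1" is the finding the scanner is reporting. Because the ClientHello is built by hand, the result is the same from a Windows host whose schannel refuses TLS 1.1 as from a Linux host.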
