11-25-2019 08:04 PM
Hi
I have a 3850 switch with SSH open.
My audit scan of SSH found an Encryption Algorithms vulnerability.
Can I disable the weak encryption algorithms 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc and disable the MD5 and 96-bit message authentication code (MAC) algorithms?
If I disable these weak encryption algorithms, is there any effect on switch operation?
11-25-2019 09:31 PM
11-26-2019 02:12 AM
Hi!
To my knowledge, the only way to prevent the switch from offering weak algorithms is the following:
(example) conf#ip ssh server algorithm encryption aes256-ctr aes192-ctr aes128-ctr
You can add all the algorithms you want to use in the command; just chain them one after another.
This way you tell the switch to only use those from then on.
Does this answer the question?
Let me know.
Best regards!
01-26-2022 05:59 AM
Hello Julian,
How about the Cisco MDS series command?
11-26-2019 04:19 AM
Hello,
On a side note, you could create a menu that would allow users to configure only the encryption algorithms that you want to allow. So, effectively, a 'weak' algorithm could never be configured. Not sure how far that would comply with the audit...
03-04-2022 01:49 PM - edited 03-04-2022 01:58 PM
Hi, very interesting question. I would like to know which cipher is weak. I received a message which says its cipher is weak on the switch. Its configuration shows nothing there with the command "show run | i ssh server". That means at least one of the ciphers is weak, but the question is that we do not know which one is weak among these ciphers, so we cannot just specify the strong ones instead of the weak. Please see below. If all of them are strong, why does it say weak? Thank you
IDF1-Switch#ip ssh server algorithm encryption ?
3des-cbc Three-key 3DES in CBC mode
aes128-cbc AES with 128-bit key in CBC mode
aes128-ctr AES with 128-bit key in CTR mode
aes192-cbc AES with 192-bit key in CBC mode
aes192-ctr AES with 192-bit key in CTR mode
aes256-cbc AES with 256-bit key in CBC mode
aes256-ctr AES with 256-bit key in CTR mode
07-20-2023 01:06 PM
Anything with 3DES or CBC is considered obsolete.
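As an added example (not code from this thread or from Cisco), the following Python script ties the answers together: it reads the algorithm lines of a `show ip ssh`-style listing, marks the CBC/3DES ciphers and the MD5 and 96-bit MACs that scanners flag, and emits the `ip ssh server algorithm encryption` / `ip ssh server algorithm mac` lines that restrict the switch to the remaining strong ones. The sample output is constructed for the example (the cipher names mirror the CLI help list above); the line format is assumed to follow the IOS-XE `show ip ssh` layout, and the running config is not used because default algorithm lists do not appear there. The weak/strong rules are the ones stated in the thread (3DES, CBC, MD5, 96-bit MACs), not an exhaustive policy.

```python
import re

# Constructed sample of `show ip ssh` output (not captured from the thread's
# device); the algorithm lines follow the IOS-XE layout "Label:name,name,...".
SAMPLE_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
Authentication timeout: 120 secs; Authentication retries: 3
"""

# Weak per the thread: any 3DES cipher and any CBC-mode cipher.
WEAK_CIPHER = re.compile(r"3des|cbc", re.IGNORECASE)
# Weak per the thread: MD5-based MACs and truncated 96-bit MACs (names end in "-96").
WEAK_MAC = re.compile(r"md5|-96$", re.IGNORECASE)


def parse_algorithms(show_output):
    """Return {'encryption': [...], 'mac': [...]} parsed from show-ip-ssh text."""
    algos = {"encryption": [], "mac": []}
    for line in show_output.splitlines():
        label, sep, rest = line.partition(":")
        if not sep:
            continue
        names = [n.strip() for n in rest.split(",") if n.strip()]
        key = label.strip().lower()
        if key == "encryption algorithms":
            algos["encryption"] = names
        elif key == "mac algorithms":
            algos["mac"] = names
    return algos


def split_strong_weak(names, weak_pattern):
    """Partition a list of algorithm names, preserving the device's order."""
    strong = [n for n in names if not weak_pattern.search(n)]
    weak = [n for n in names if weak_pattern.search(n)]
    return strong, weak


def audit(show_output):
    """Report offered weak algorithms and the IOS commands that drop them.

    A restriction command is only generated when at least one strong
    algorithm remains, so the script never proposes an empty list (which
    would leave the SSH server with nothing to negotiate).
    """
    algos = parse_algorithms(show_output)
    strong_enc, weak_enc = split_strong_weak(algos["encryption"], WEAK_CIPHER)
    strong_mac, weak_mac = split_strong_weak(algos["mac"], WEAK_MAC)
    commands = []
    if weak_enc and strong_enc:
        commands.append("ip ssh server algorithm encryption " + " ".join(strong_enc))
    if weak_mac and strong_mac:
        commands.append("ip ssh server algorithm mac " + " ".join(strong_mac))
    return {
        "weak_encryption": weak_enc,
        "weak_mac": weak_mac,
        "remediation": commands,
    }


if __name__ == "__main__":
    result = audit(SAMPLE_SHOW_IP_SSH)
    print("Weak ciphers offered :", ", ".join(result["weak_encryption"]) or "none")
    print("Weak MACs offered    :", ", ".join(result["weak_mac"]) or "none")
    print("Config lines to apply:")
    for cmd in result["remediation"]:
        print("  " + cmd)
```

On the sample input the script reports the four CBC/3DES ciphers and `hmac-sha1-96` as weak and proposes `ip ssh server algorithm encryption aes128-ctr aes192-ctr aes256-ctr` and `ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512 hmac-sha1`. Re-running it against fresh `show ip ssh` output after the change is a quick way to confirm the switch no longer offers what the scanner objected to; the client you manage the switch from must of course support at least one of the remaining algorithms.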