09-29-2015 11:07 PM - edited 03-08-2019 02:00 AM
Dear all,
I have found on my Cisco 2960 the "SSL Server Supports Weak Encryption for SSLv3" vulnerability.
How do I disable the CBC mode ciphers in order to leave only the RC4 ciphers enabled?
I also tried the following solution:
but the Cisco 2960 switch does not support the sslconfig command.
Thanks for your support
09-30-2015 12:32 AM
Hi,
You can specify which ciphers to use with the ip http secure-ciphersuite command. The context-sensitive help (i.e., the ?) will tell you which ciphers are supported on the IOS version you have.
Simply include only those ciphers you want to run as options to the command, for example: ip http secure-ciphersuite rc4-128-md5 rc4-128-sha
Regards
10-05-2015 01:19 AM
Hi,
The switch will run any of the ciphers supported by the IOS version unless you specify which you want to run. You should be able to see which ciphers are supported with the show ip http server secure status command.
c1kv-1#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
The list of cipher suites shown will change when you specify which of those available you want to use.
c1kv-1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
c1kv-1(config)#ip http secure-ciphersuite ?
3des-ede-cbc-sha Encryption type ssl_rsa_with_3des_ede_cbc_sha ciphersuite
des-cbc-sha Encryption type ssl_rsa_with_des_cbc_sha ciphersuite
rc4-128-md5 Encryption type ssl_rsa_with_rc4_128_md5 ciphersuite
rc4-128-sha Encryption type ssl_rsa_with_rc4_128_sha ciphersuite
c1kv-1(config)#ip http secure-ciphersuite 3des-ede-cbc-sha
c1kv-1(config)#end
c1kv-1#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
In terms of which to use, take a look at the Recommendations for Cryptographic Algorithms on the Next Generation Encryption page. Cisco shows both DES and RC4 as algorithms to avoid. A later IOS version is likely to support additional protocols if those currently supported by your switch are not acceptable to you.
Regards
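The two answers above come down to one procedure: read the suites the HTTPS server currently offers, drop the ones your policy rejects, and configure the remainder with ip http secure-ciphersuite. The script below is an added example for this thread, not Cisco code or a tool from the replies. It parses the pre-change show ip http server secure status output quoted above (embedded as a constructed sample), classifies each suite against a policy table, and builds the restricting command. The policy table is the editor's assumption, modelled on the Next Generation Encryption guidance the answer cites (DES and RC4 to avoid) plus the CBC-mode and MD5 markers the original scanner finding is about; with that full policy nothing on this image passes, which is the point of the upgrade advice, while a CBC-only policy reproduces the rc4-128-md5 rc4-128-sha line from the first reply.

```python
"""Audit the cipher suites an IOS HTTPS server is configured to offer and
build a restricted `ip http secure-ciphersuite` line from a policy.

Added example for this thread, not Cisco's code.  The sample output is
constructed from the transcript in the thread; the policy markers are an
assumption based on the Next Generation Encryption guidance cited there.
"""
import re

# Constructed sample: the pre-change output from the answer above.
SAMPLE_STATUS = """\
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
"""

# Substring found in an IOS suite name -> why it is rejected.
# Assumed policy for this example, not a list published by Cisco.
NGE_POLICY = {
    "des": "DES/3DES: listed as an algorithm to avoid in Cisco NGE guidance",
    "rc4": "RC4: listed as an algorithm to avoid in Cisco NGE guidance",
    "cbc": "CBC mode: the suite class the scanner finding is about",
    "md5": "MD5 MAC: deprecated hash",
}

# The narrower policy the original poster asked for: drop CBC, keep RC4.
CBC_ONLY_POLICY = {"cbc": "CBC mode: the suite class the scanner finding is about"}


def parse_ciphersuites(status_text):
    """Return the suite names from the 'HTTP secure server ciphersuite:' line."""
    m = re.search(r"^HTTP secure server ciphersuite:\s*(.*)$", status_text, re.M)
    if not m:
        raise ValueError("no ciphersuite line found in status output")
    return m.group(1).split()


def audit(status_text, policy=NGE_POLICY):
    """Split the configured suites into (acceptable, rejected).

    `rejected` maps each failing suite name to the list of reasons it failed,
    so the report can say *why* a suite is out rather than just that it is.
    """
    acceptable, rejected = [], {}
    for suite in parse_ciphersuites(status_text):
        reasons = [why for marker, why in policy.items() if marker in suite]
        if reasons:
            rejected[suite] = reasons
        else:
            acceptable.append(suite)
    return acceptable, rejected


def build_config(acceptable):
    """Return the IOS line restricting the server to `acceptable`, or None.

    None is the outcome on this 2960 image under the NGE policy: every suite
    offered is DES/CBC or RC4, so the remedy is a newer IOS image, not a
    ciphersuite line that leaves RC4 in place.
    """
    if not acceptable:
        return None
    return "ip http secure-ciphersuite " + " ".join(acceptable)


if __name__ == "__main__":
    for name, policy in (("NGE policy", NGE_POLICY), ("CBC-only policy", CBC_ONLY_POLICY)):
        ok, bad = audit(SAMPLE_STATUS, policy)
        print(f"== {name} ==")
        for suite, reasons in bad.items():
            print(f"  REJECT {suite}: " + "; ".join(reasons))
        print("  config:", build_config(ok) or "(no acceptable suite; upgrade IOS)")
```

Paste the real show ip http server secure status output in place of SAMPLE_STATUS to audit your own switch; re-run it after applying the generated line, since the ciphersuite line in the output is the only confirmation that the restriction took effect.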
10-04-2015 06:47 PM
How can I show which ciphers I am running, and which option is the best one?
Switch(config)#ip http secure-ciphersuite ?
3des-ede-cbc-sha Encryption type ssl_rsa_with_3des_ede_cbc_sha ciphersuite
des-cbc-sha Encryption type ssl_rsa_with_des_cbc_sha ciphersuite
rc4-128-md5 Encryption type ssl_rsa_with_rc4_128_md5 ciphersuite
rc4-128-sha Encryption type ssl_rsa_with_rc4_128_sha ciphersuite
Thanks for your support
12-19-2017 08:57 AM
Hello Steve,
Understood that by selecting one cipher mode I can eliminate the other cipher mode I do not want. But my question goes further, based on the Next Generation Encryption page. Is Cisco including the new AES-GCM algorithm in their new IOS/IOS-XE releases? So that by upgrading we do get that new option.