How do I Disable CBC mode ciphers

_Ratha_
Level 1

Dear all,

I have found the "SSL Server Supports Weak Encryption for SSLv3" vulnerability on my Cisco 2960.

How do I disable CBC mode ciphers in order to leave only RC4 ciphers enabled?

I also tried the following solution:

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118518-technote-esa-00.html

but the Cisco 2960 switch does not support the sslconfig command.

Thanks for your support

4 Replies

Steve Fuller
Level 9

Hi,

You can specify which ciphers to use with the ip http secure-ciphersuite command. The context-sensitive help (i.e., the ?) will tell you which ciphers are supported on the IOS version you have.

Simply include only those ciphers you want to run as options to the command, for example ip http secure-ciphersuite rc4-128-md5 rc4-128-sha.

Regards

Hi Steve Fuller,

How can I show which ciphers I am running, and which option is the best one?

Switch(config)#ip http secure-ciphersuite ?
  3des-ede-cbc-sha  Encryption type ssl_rsa_with_3des_ede_cbc_sha ciphersuite
  des-cbc-sha       Encryption type ssl_rsa_with_des_cbc_sha ciphersuite
  rc4-128-md5       Encryption type ssl_rsa_with_rc4_128_md5 ciphersuite
  rc4-128-sha       Encryption type ssl_rsa_with_rc4_128_sha ciphersuite

Thanks for your support

Hi,

The switch will run any of the ciphers supported by the IOS version unless you specify which you want to run. You should be able to see which ciphers are supported with the show ip http server secure status command.

c1kv-1#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

The list of cipher suites shown will change when you specify which of those available you want to use.

c1kv-1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
c1kv-1(config)#ip http secure-ciphersuite ?
  3des-ede-cbc-sha  Encryption type ssl_rsa_with_3des_ede_cbc_sha ciphersuite
  des-cbc-sha       Encryption type ssl_rsa_with_des_cbc_sha ciphersuite
  rc4-128-md5       Encryption type ssl_rsa_with_rc4_128_md5 ciphersuite
  rc4-128-sha       Encryption type ssl_rsa_with_rc4_128_sha ciphersuite

c1kv-1(config)#ip http secure-ciphersuite 3des-ede-cbc-sha
c1kv-1(config)#end
c1kv-1#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL

In terms of which to use, take a look at the Recommendations for Cryptographic Algorithms on the Next Generation Encryption page. Cisco shows both DES and RC4 as algorithms to avoid. A later IOS version is likely to support additional protocols if those currently supported by your switch are not acceptable to you.

Regards
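The audit described in the answer above, as an added example that is not code from the thread or from Cisco: it parses the "show ip http server secure status" output format shown here and flags each enabled suite against the concerns raised (DES and RC4 per Cisco's NGE page, CBC mode per the original scanner finding, MD5 MACs). The sample output and the weakness rules are constructed here for illustration.

```python
import re

# Constructed sample in the format of 'show ip http server secure status' from the
# thread (default state: every suite the IOS image supports is enabled).
SAMPLE_DEFAULT = """\
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-128-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
"""

# Weakness rules keyed on tokens in Cisco's short suite names (assumed naming,
# taken from the '?' help output in the thread).
WEAKNESS_RULES = [
    (re.compile(r"(^|-)des-"), "single DES (avoid per Cisco NGE)"),
    (re.compile(r"^3des-"), "3DES (64-bit block cipher, legacy)"),
    (re.compile(r"rc4"), "RC4 stream cipher (avoid per Cisco NGE)"),
    (re.compile(r"-cbc-"), "CBC mode (the scanner's weak-encryption finding)"),
    (re.compile(r"-md5$"), "MD5-based MAC"),
]

def parse_ciphersuites(show_output):
    """Return the enabled suite names from 'show ip http server secure status'."""
    for line in show_output.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "HTTP secure server ciphersuite":
            return value.split()
    return []  # server disabled or line missing

def audit_ciphersuites(show_output):
    """Map each enabled suite to the reasons it is flagged ([] if none)."""
    findings = {}
    for suite in parse_ciphersuites(show_output):
        findings[suite] = [why for pat, why in WEAKNESS_RULES if pat.search(suite)]
    return findings

def acceptable_suites(show_output):
    """Suites with nothing flagged; empty means restricting suites cannot clear the finding."""
    return [s for s, why in audit_ciphersuites(show_output).items() if not why]

if __name__ == "__main__":
    for suite, reasons in audit_ciphersuites(SAMPLE_DEFAULT).items():
        print(f"{suite:18} {'; '.join(reasons) or 'no issue flagged'}")
    if not acceptable_suites(SAMPLE_DEFAULT):
        print("No acceptable suite on this image: ip http secure-ciphersuite alone will not clear the finding; an IOS upgrade is needed.")
```

On the output shown in the thread every suite is flagged, which is the answer's point: selecting among these four only narrows the exposure, it does not remove it.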

Hello Steve,

Understood that by selecting one cipher mode I can eliminate the other cipher mode I do not want. But my question goes further, based on the Next Generation Encryption page. Is Cisco including the new AES-GCM algorithm in their new IOS/IOS-XE releases? So by upgrading we would include that new option.