06-11-2019 03:49 AM
Hello All,
We are undergoing a security audit at the moment and the audit is requiring proofs that the network devices are running the latest TLS 1.2 version if applicable.
Is there a way to check the TLS version on Cisco switches?
Any help would be greatly appreciated.
06-11-2019 04:08 AM
Hi there,
Use nmap (or Zenmap if using Windows) and run the SSL enumeration script:
nmap --script ssl-enum-ciphers <l3_switch_ip_address>
https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
...this will produce an output listing the ciphers available on the switch ordered by TLS version.
cheers,
Seb.
06-11-2019 05:40 AM
Thank you so much, this is all we wanted. :)
05-24-2021 10:31 PM
Hi Dhanesh,
A simple command: "sh ip http server all" will show you the TLS version. I don't know why Seb asked you to run that zenmap script. Am I missing something Seb?
05-26-2021 03:07 AM
Hi there,
The OP mentioned they were conducting an audit which typically involves more than one host. Although your command would also show the cipher suite, it would need to be executed on a per-device basis which is not very scalable. Yes, you could use something like ansible or netmiko to execute the script, but both involve additional moving parts.
Using nmap and passing it an IP range as an argument or text file of IP addresses will produce the required information in a single block of output.
cheers,
Seb.
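One way to turn the range scan Seb describes into per-device audit evidence, added here as an example and not part of the thread: it parses the XML that nmap writes with `-oX` for the ssl-enum-ciphers script and flags any device that still offers SSLv3, TLS 1.0 or TLS 1.1. The XML below is a constructed sample with hypothetical addresses, not output captured from real switches.

```python
import xml.etree.ElementTree as ET

# Constructed sample of `nmap --script ssl-enum-ciphers -oX out.xml <range>`
# output for two hypothetical switches; not captured from real devices.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun>
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/>
      <script id="ssl-enum-ciphers" output="...">
        <table key="TLSv1.0"><table key="ciphers"><table>
          <elem key="name">TLS_RSA_WITH_AES_128_CBC_SHA</elem><elem key="strength">A</elem>
        </table></table></table>
        <table key="TLSv1.2"><table key="ciphers"><table>
          <elem key="name">TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256</elem><elem key="strength">A</elem>
        </table></table></table>
      </script></port></ports></host>
  <host><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="443"><state state="open"/>
      <script id="ssl-enum-ciphers" output="...">
        <table key="TLSv1.2"><table key="ciphers"><table>
          <elem key="name">TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384</elem><elem key="strength">A</elem>
        </table></table></table>
      </script></port></ports></host>
</nmaprun>"""

# Protocol versions an auditor would expect to be disabled.
LEGACY = {"SSLv3", "TLSv1.0", "TLSv1.1"}

def audit_tls(xml_text):
    """Return {host: {"versions": [...], "legacy": [...], "compliant": bool}}."""
    results = {}
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address[@addrtype='ipv4']").get("addr")
        for script in host.iter("script"):
            if script.get("id") != "ssl-enum-ciphers":
                continue
            # Top-level <table key="TLSv1.2"> entries are the offered protocol versions.
            versions = sorted(t.get("key") for t in script.findall("table")
                              if t.get("key", "").startswith(("SSL", "TLS")))
            legacy = [v for v in versions if v in LEGACY]
            results[addr] = {"versions": versions, "legacy": legacy,
                             "compliant": not legacy and "TLSv1.2" in versions}
    return results

if __name__ == "__main__":
    for host, r in audit_tls(SAMPLE_XML).items():
        status = "OK" if r["compliant"] else "FAIL"
        print(f"{host}: {status} offers={','.join(r['versions'])} "
              f"legacy={','.join(r['legacy']) or '-'}")
```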