06-15-2021 04:09 AM - edited 06-15-2021 04:29 AM
Hello everybody!
We have a C9200 running version 16.12.4 on the network, and we cannot disable sha1-based key exchange algorithms there. We also have a new C9200 running version 17.3.3, and there we can configure ecdh-sha2-nistp256, ecdh-sha2-nistp384 and ecdh-sha2-nistp521.
The question is: if I update the C9200 from version 16.12.4 to version 17.3.3, will it be possible to disable sha1-based key exchange algorithms and enable more stable algorithms?
And how can I find out from which version of the switch sha2 will be supported?
Thanks!
06-15-2021 05:21 AM
no longer mentions sha1, presuming it is no longer present, in contrast to:
- Have a look at the first document further, to find out, for instance, how to change the order of the preferred ciphers.
M.
06-15-2021 06:57 AM
Thanks, but I wanted to know exactly about the key exchange (KEX) algorithms. More details:
17.3.3 version:
Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
     1 32    C9200-24T          17.03.03          CAT9K_LITE_IOSXE      INSTALL
*    2 32    C9200-24T          17.03.03          CAT9K_LITE_IOSXE      INSTALL

Switch 01
---------
Switch uptime                      : 6 weeks, 6 days, 18 hours, 23 minutes
Base Ethernet MAC Address          :
Motherboard Assembly Number        :
Motherboard Serial Number          :
Model Revision Number              : C1
Motherboard Revision Number        : B0
Model Number                       : C9200-24T
System Serial Number               :
Last reload reason                 : Power Failure or Unknown
CLEI Code Number                   :

Configuration register is 0x102

AHBKZSHYSWT01-02(config)#ip ssh ser al kex ?
  diffie-hellman-group14-sha1  DH_GRP14_SHA1 diffie-hellman key exchange algorithm
  ecdh-sha2-nistp256           ECDH_SHA2_P256 ecdh key exchange algorithm
  ecdh-sha2-nistp384           ECDH_SHA2_P384 ecdh key exchange algorithm
  ecdh-sha2-nistp521           ECDH_SHA2_P521 ecdh key exchange algorithm
16.12.4 version:
Switch Ports Model              SW Version        SW Image              Mode
------ ----- -----              ----------        ----------            ----
     1 52    C9200L-48T-4G      16.12.4           CAT9K_LITE_IOSXE      INSTALL
*    2 52    C9200L-48T-4G      16.12.4           CAT9K_LITE_IOSXE      INSTALL

Switch 01
---------
Switch uptime                      : 12 weeks, 4 days, 21 hours, 46 minutes
Base Ethernet MAC Address          :
Motherboard Assembly Number        :
Motherboard Serial Number          :
Model Revision Number              : G0
Motherboard Revision Number        : A0
Model Number                       : C9200L-48T-4G
System Serial Number               :
Last reload reason                 : Image Install

Configuration register is 0x102

AHB-KAZ-DMZ(config)#ip ssh ser alg kex ?
  diffie-hellman-group-exchange-sha1  DH_GRPX_SHA1 diffie-hellman key exchange algorithm
  diffie-hellman-group14-sha1         DH_GRP14_SHA1 diffie-hellman key exchange algorithm