TLS Confusion

jayu (Level 1)

We have three series of Cisco Catalyst switches (2960, 1000 and 9300).  The 2960 and 1000 units don't appear to support TLS 1.3 (very annoying).  On a recent scan, our 2960 and 1000 series switches show failing grades on the TLS 1.2 ciphers.  However, comparing those same 1.2 ciphers to another object that passed with flying colors, it appears the same ciphers are available as the ones listed as Failing on the switches.  

Example:
One device has this cipher available:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [ecdh_x25519] - A

Yet the 2960 and 1000 units have this available:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [secp256r1] - F

The only difference is that bit inside the brackets.  Are these switches just too old to get proper cipher suites, or am I missing something?  Attempting to plug holes found by pen testers isn't going to get very far if I can't go any higher than the switches, as we have to match at least one across the board, correct?

Accepted Solution

jayu (Level 1)

Update: Found what I was looking for:
https://mwhubbard.blogspot.com/2020/06/disable-weak-sshssl-ciphers-in-cisco-ios.html

It gives all the commands I was after; especially important are the ones that tell you what the switch supports, as well as the commands to remove insecure ciphers and completely ban TLS 1.0 and 1.1.

13 Replies

Can I see the SSL config?


Fri Jul 07 2023 13:37:26 GMT-0500 (Central Daylight Time)
===================================================================================
#show ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-1853278720
Modulus Size : 1024 bits
ssh-rsa: redacted
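The `show ip ssh` output above already lists exactly what the switch offers for SSH. The script below is an added example, not code from the thread or from Cisco: it parses that posted output (embedded here as constructed input, key redacted), flags the entries a current scanner fails (SHA-1 based KEX and MACs, the 1024-bit RSA modulus, SSHv1 still offered as "version 1.99"), and separates findings that configuration can fix from those that need a different image. It assumes the `ip ssh server algorithm mac|encryption|kex` command family exists on the running release and that the SSH host key is the general-purpose RSA key; both are assumptions, not facts from the thread.

```python
import re

# Constructed input: the `show ip ssh` output posted above, key redacted.
SHOW_IP_SSH = """\
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-1853278720
Modulus Size : 1024 bits
ssh-rsa: redacted
"""

# Which list each `show ip ssh` line feeds, keyed by the text before the colon.
LIST_FIELDS = {
    "KEX Algorithms": "kex",
    "MAC Algorithms": "mac",
    "Encryption Algorithms": "enc",
    "Hostkey Algorithms": "hostkey",
}

# What a current scanner flags: SHA-1/MD5 based KEX and MACs, CBC/RC4/3DES
# ciphers, and RSA moduli below 2048 bits.
WEAK = {
    "kex": re.compile(r"sha1$"),
    "mac": re.compile(r"sha1|md5"),
    "enc": re.compile(r"cbc|3des|arcfour|rc4"),
}
MIN_MODULUS_BITS = 2048

# Keyword used by `ip ssh server algorithm <keyword> <list>` for each list.
# Assumption: this command family is present in the running image.
IOS_ALGO_KEYWORD = {"kex": "kex", "mac": "mac", "enc": "encryption"}


def parse_show_ip_ssh(text):
    """Turn the `show ip ssh` dump into a dict of algorithm lists and scalars."""
    info = {"version": None, "modulus_bits": None,
            "kex": [], "mac": [], "enc": [], "hostkey": []}
    for raw in text.splitlines():
        line = raw.strip()
        key, _, value = line.partition(":")
        key = key.strip()
        if line.startswith("SSH Enabled - version"):
            info["version"] = line.rsplit(" ", 1)[1]
        elif key in LIST_FIELDS:
            info[LIST_FIELDS[key]] = [a.strip() for a in value.split(",") if a.strip()]
        elif key == "Modulus Size":
            info["modulus_bits"] = int(value.split()[0])
    return info


def audit(info):
    """Return (finding, fixable_by_config) tuples for everything a scan would fail."""
    findings = []
    # "1.99" is the SSH convention for a server that still speaks protocol 1 and 2.
    if info["version"] == "1.99":
        findings.append(("SSHv1 still offered (version 1.99)", True))
    for field, pattern in WEAK.items():
        weak = [a for a in info[field] if pattern.search(a)]
        strong = [a for a in info[field] if not pattern.search(a)]
        if weak:
            # Dropping weak entries only works if something strong remains;
            # if nothing does, the image is the limit, not the config.
            findings.append((f"weak {field}: {','.join(weak)}", bool(strong)))
    bits = info["modulus_bits"]
    if bits is not None and bits < MIN_MODULUS_BITS:
        findings.append((f"RSA modulus {bits} bits < {MIN_MODULUS_BITS}", True))
    return findings


def remediation(info):
    """Emit IOS commands only for the findings that configuration can fix."""
    cmds = []
    if info["version"] == "1.99":
        cmds.append("ip ssh version 2")
    for field, pattern in WEAK.items():
        strong = [a for a in info[field] if not pattern.search(a)]
        if strong and len(strong) < len(info[field]):
            cmds.append(f"ip ssh server algorithm {IOS_ALGO_KEYWORD[field]} {' '.join(strong)}")
    bits = info["modulus_bits"]
    if bits is not None and bits < MIN_MODULUS_BITS:
        # Assumption: the host key is the general-purpose RSA key; clients must
        # re-trust the new host key after it is regenerated.
        cmds.append(f"crypto key generate rsa modulus {MIN_MODULUS_BITS}")
    return cmds


if __name__ == "__main__":
    parsed = parse_show_ip_ssh(SHOW_IP_SSH)
    for text, fixable in audit(parsed):
        print(("config: " if fixable else "IMAGE:  ") + text)
    print("\n".join(remediation(parsed)))
```

For the posted output the KEX list holds only SHA-1 groups, so the script reports that finding as not fixable by configuration and emits no `kex` command: removing those groups would leave the server with no key exchange at all, and only an image that offers other groups changes that. The MAC list does contain SHA-2 entries, so that one is fixable in place.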

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [ecdh_x25519] - A

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [secp256r1] - F

First, the key exchange is the same, the auth is RSA, and the cipher used is the same, except the KEY EXCHANGE algorithm is different:
ecdh_x25519 versus secp256r1.
That makes the issue, I think.
So I need to see the config, especially the key exchange.


The first listed item is from a totally different device.  The list of seemingly available SSL/TLS cipher suites for the switch is missing anything higher than the second item.  I need to know how to add the first into the switch (if possible) or otherwise update/upgrade the available cipher suites.  

So, what commands would I need to issue here to change/update the Key Exchange algorithm?  That's the part I'm needing most.

I ALWAYS forget you are talking about ssl not ssh.

I will share the command.

Thanks 

MHM

I hate to pester but...any luck with the command(s)?

you use SSL for HTTP GUI access ?

HTTP/S GUI access among other things...SSH being another.  Before we restrict the servers and end user machines via gpo to only use TLS 1.2 (since 1.3 isn't widely supported yet) we need to make sure the switches are capable of handling the same ciphers.  And remove the obsolete cipher suites while we're at it.  Anything we can do to increase security.


Glad you solved the issue.

Sorry for the late reply.

There is no command for SSL as such, but there are commands for HTTP (SSL) and for SSH; that's why I asked whether you use SSL for HTTP.

Have a nice summer 

MHM

BTW, for the 2960 and 1100, are they also running the latest IOS and/or a crypto version (also excluding export crypto versions)?

Both the 2960 and 1100 series are on the latest recommended release for their series.  
