07-07-2023 11:06 AM
We have three series of Cisco Catalyst switches (2960, 1000 and 9300). The 2960 and 1000 units don't appear to support TLS 1.3 (very annoying). On a recent scan, our 2960 and 1000 series switches show failing grades on the TLS 1.2 ciphers. However, comparing those same 1.2 ciphers to another object that passed with flying colors, it appears the same ciphers are available as the ones listed as Failing on the switches.
Example:
One device has this cipher available:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [ecdh_x25519] - A
Yet the 2960 and 1000 units have this available:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [secp256r1] - F
The only difference is that bit inside the brackets. Are these switches just too old to get proper cipher suites, or am I missing something? Attempting to plug holes found by pen testers isn't going to get very far if I can't go any higher than the switches, as we have to match at least one across the board, correct?
07-07-2023 11:29 AM - edited 07-07-2023 11:49 AM
Can I see the SSL config?
07-07-2023 11:38 AM
Fri Jul 07 2023 13:37:26 GMT-0500 (Central Daylight Time)
===================================================================================
#show ip ssh
SSH Enabled - version 1.99
Authentication methods:publickey,keyboard-interactive,password
Authentication Publickey Algorithms:x509v3-ssh-rsa,ssh-rsa
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 2048 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded): TP-self-signed-1853278720
Modulus Size : 1024 bits
ssh-rsa: redacted
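A check a defender could run over that output, added here as an example and not taken from the thread: it parses the `show ip ssh` text and flags the SHA-1 based KEX and MAC algorithms, the 1024-bit host key and the "1.99" version (SSHv1 still negotiable) against a policy that is an assumption of the example, not a Cisco default.

```python
import re

# Constructed sample input: the "show ip ssh" output posted above, trimmed.
SAMPLE = """\
SSH Enabled - version 1.99
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr
MAC Algorithms:hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-sha1-96
KEX Algorithms:diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
Minimum expected Diffie Hellman key size : 2048 bits
Modulus Size : 1024 bits
"""

# Policy used here (an assumption for this example): SHA-1/MD5 based algorithms,
# CBC ciphers, RSA host keys under 2048 bits and version "1.99" are reported as weak.
WEAK = {
    "kex": {"diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
            "diffie-hellman-group-exchange-sha1"},
    "mac": {"hmac-sha1", "hmac-sha1-96", "hmac-md5", "hmac-md5-96"},
    "enc": {"3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc"},
}
FIELDS = {"KEX Algorithms": "kex", "MAC Algorithms": "mac",
          "Encryption Algorithms": "enc", "Hostkey Algorithms": "hostkey"}
MIN_MODULUS_BITS = 2048


def parse_show_ip_ssh(text):
    """Split the show output into algorithm lists, SSH version and modulus size."""
    info = {"kex": [], "mac": [], "enc": [], "hostkey": [], "version": None, "modulus_bits": None}
    for raw in text.splitlines():
        line = raw.strip()
        key, _, value = line.partition(":")
        if key in FIELDS:  # comma-separated algorithm lists
            info[FIELDS[key]] = [a.strip() for a in value.split(",") if a.strip()]
        elif line.startswith("SSH Enabled - version"):
            info["version"] = line.rsplit(" ", 1)[1]
        elif m := re.match(r"Modulus Size\s*:\s*(\d+)\s*bits", line):
            info["modulus_bits"] = int(m.group(1))
    return info


def find_weak_settings(info):
    """Return (category, value) pairs that violate the policy above."""
    findings = [(cat, alg) for cat in ("kex", "mac", "enc")
                for alg in info[cat] if alg in WEAK[cat]]
    if info["version"] == "1.99":  # IOS reports 1.99 when SSHv1 is still accepted
        findings.append(("version", "1.99: SSHv1 still negotiable"))
    if info["modulus_bits"] is not None and info["modulus_bits"] < MIN_MODULUS_BITS:
        findings.append(("hostkey-modulus", f"{info['modulus_bits']} bits"))
    return findings
```

Running `find_weak_settings(parse_show_ip_ssh(SAMPLE))` on the sample reports both SHA-1 KEX methods, both SHA-1 MACs, the 1.99 version and the 1024-bit modulus, and nothing for the CTR ciphers.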
07-07-2023 12:32 PM
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [ecdh_x25519] - A
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 [secp256r1] - F
First, the key exchange is the same,
the auth is RSA,
the cipher used is the same,
except the KEY EXCHANGE algorithm is different:
ecdh_x25519 vs. secp256r1.
That makes the issue, I think.
So I need to see the config, especially the key exchange.
07-07-2023 12:35 PM
The first listed item is from a totally different device. The list of seemingly available SSL/TLS cipher suites for the switch is missing anything higher than the second item. I need to know how to add the first into the switch (if possible) or otherwise update/upgrade the available cipher suites.
07-19-2023 12:01 PM
So, what commands would I need to issue here to change/update the Key Exchange algorithm? That's the part I'm needing most.
07-19-2023 12:07 PM - edited 07-19-2023 12:13 PM
I ALWAYS forget you are talking about SSL, not SSH.
I will share command.
Thanks
MHM
07-20-2023 06:11 AM
I hate to pester but...any luck with the command(s)?
07-20-2023 06:51 AM
Do you use SSL for HTTP GUI access?
07-20-2023 07:07 AM
HTTP/S GUI access among other things, SSH being another. Before we restrict the servers and end user machines via GPO to only use TLS 1.2 (since 1.3 isn't widely supported yet), we need to make sure the switches are capable of handling the same ciphers, and remove the obsolete cipher suites while we're at it. Anything we can do to increase security.
07-20-2023 08:47 AM
Update: Found what I was looking for:
https://mwhubbard.blogspot.com/2020/06/disable-weak-sshssl-ciphers-in-cisco-ios.html
gives all the commands I was after, especially important are the ones that will tell you what the switch supports as well as the commands to remove insecure ciphers and completely ban TLS 1.0 and 1.1
07-20-2023 09:03 AM
Glad you solved the issue.
Sorry for the late reply.
There is no command for SSL, but there are commands for HTTP (SSL) and SSH; that's why I asked whether you use SSL for HTTP.
Have a nice summer
MHM
07-20-2023 09:19 AM
BTW, for the 2960 and 1100, are they also running the latest IOS and/or a crypto version (also excluding export crypto versions)?
07-20-2023 09:55 AM
Both the 2960 and 1100 series are on the latest recommended release for their series.