
Cisco Expressway TLS Cipher


We did a security scan on our Cisco Expressway-E (version X8.9.1) and found that it is vulnerable to Birthday attacks against TLS ciphers with 64bit block size vulnerability (Sweet32) port 5061/tcp over SSL.


The threat indicates that: "Legacy block ciphers having block size of 64 bits are vulnerable to a practical collision attack when used in CBC mode.
All versions of SSL/TLS protocol support cipher suites which use DES, 3DES, IDEA or RC2 as the symmetric encryption cipher are affected."


Is there any way we can find out the cipher used for the TLS implementation? Is it documented somewhere?


Is there any fix for this vulnerability for Expressway?



Libin Benedict

Roger Kallberg
VIP Mentor

This has been fixed in some release quite some time ago, right now I don't recall the exact version. The version you're on is quite old. Recommendation would be to upgrade to one of the latest, either 12.5.6 or 12.5.7.



Hi Roger,

Thanks for the information.

Can you please let me know the cipher used in version X8.9.1 and whether it is documented somewhere?



Libin Benedict

Hi Libin,

I'm afraid that would be information I don't have. If you really need to know this I would recommend you to reach out to TAC. As stated before by me and others replying to this thread your version is outdated and it would be advisable to upgrade.


Good afternoon Roger,


We are using Expressway X12.5.5 version, is this using DES or 3DES?

Thanks in advance.

I have no idea. Likely none of them if I were to guess.



Your version is quite old, please share CVE-ID of your vulnerability.

Hi Vinod,


The CVE ID is CVE-2016-2183.



Libin Benedict

Hello LibinBenedict, 


Were you able to resolve this?

Cisco Employee

Hello Libin,

In order to check the configured ciphers on your server, from the CLI using admin credentials: "xconfiguration // cipher".

The output there will show you all the configured ciphers.

+ Also, the Vulnerability identified: CVE-2016-2183, is addressed in: CSCvb49322 and it is fixed in x8.9.

For example, to set the current Cisco VCS/ EXP default suite, use: xConfiguration SIP TLS CipherSuite: ALL:!EXP:!LOW:!MD5:@STRENGTH:+ADH

For example:

xConfiguration SIP TLS CipherSuite: "ALL:!EXP:!LOW:!MD5:!3DES:!RC4:@STRENGTH:+ADH"

xConfiguration SIP TLS CipherSuite: "ALL:!EXP:!LOW:!MD5:!3DES:@STRENGTH:+ADH"

So if you only want to disable DES or even DES:

xConfiguration SIP TLS CipherSuite: "ALL:!EXP:!LOW:!MD5:!3DES:DES:@STRENGTH:+ADH"

All encryption methods use common algorithms. Security comes from the key, a number which is passed to the algorithm to tell it how to encrypt the data. A commonly employed communications encryption method is the "Data Encryption Standard" (DES). DES works by encrypting data with a 56-bit long key. Triple DES (3DES) is an enhancement to DES that effectively runs 112-bit long keys. So when a device by design supports any of these from above, scanners will detect that they support one or a few of the methods considered low (by not being 128 bits long) and will normally trigger the recommendation for these not to be used. Of course, the systems also support strong methods longer than 128 bits as well.

The command shows the ciphers you can disable or tell the VCS to use. If you desire the order to be by strongest cipher instead, you can use the @STRENGTH keyword. As for the format of the list itself, the cipher strings should be separated by colons and can feature the accepted cipher strings and these formatting options:

* "!" - These ciphers are permanently deleted from the list and cannot reappear in the list even if explicitly stated.

* "-" - These ciphers are deleted from the list but can be re-added by later options.

* "+" - These ciphers are moved to the end of the list.

Please remember to rate responses and to mark your question as answered if appropriate.
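
The "!", "-", "+" and @STRENGTH rules described in the reply above, as an added example that is not part of the original posts and is not Cisco's or OpenSSL's code: a simplified evaluator that reports which 64-bit block cipher suites (the Sweet32 condition) survive each cipher string quoted in the thread. The seven-suite catalogue and the function names are assumptions constructed for illustration, not the Expressway's real suite list.

```python
# Simplified model of the cipher-string operators; CATALOGUE is constructed
# sample data, not the suite list of any real Expressway or OpenSSL build.
CATALOGUE = {  # name: (strength bits, block size bits, tags)
    "ECDHE-RSA-AES256-GCM-SHA384": (256, 128, {"AES"}),
    "AES128-SHA":                  (128, 128, {"AES"}),
    "ADH-AES128-SHA":              (128, 128, {"AES", "ADH"}),
    "RC4-MD5":                     (128, 0,   {"RC4", "MD5"}),  # stream cipher
    "DES-CBC3-SHA":                (112, 64,  {"3DES"}),
    "DES-CBC-SHA":                 (56,  64,  {"DES", "LOW"}),
    "EXP-RC2-CBC-MD5":             (40,  64,  {"RC2", "EXP", "MD5"}),
}

def matches(name, tag):
    return tag == "ALL" or tag == name or tag in CATALOGUE[name][2]

def expand(cipher_string):
    """Return the ordered suite list the string selects from CATALOGUE."""
    active, killed = [], set()
    for token in cipher_string.strip('"').split(":"):
        if token == "@STRENGTH":
            active.sort(key=lambda n: -CATALOGUE[n][0])  # stable, strongest first
        elif token.startswith("!"):   # remove permanently
            hit = {n for n in CATALOGUE if matches(n, token[1:])}
            killed |= hit
            active = [n for n in active if n not in hit]
        elif token.startswith("-"):   # remove, may be re-added later
            active = [n for n in active if not matches(n, token[1:])]
        elif token.startswith("+"):   # move to the end of the list
            moved = [n for n in active if matches(n, token[1:])]
            active = [n for n in active if n not in moved] + moved
        else:                         # plain token: add unless killed
            active += [n for n in CATALOGUE
                       if matches(n, token) and n not in active and n not in killed]
    return active

def sweet32_exposed(cipher_string):
    """Suites with a 64-bit block cipher that survive the string."""
    return [n for n in expand(cipher_string) if CATALOGUE[n][1] == 64]

if __name__ == "__main__":
    for s in ('ALL:!EXP:!LOW:!MD5:@STRENGTH:+ADH',
              '"ALL:!EXP:!LOW:!MD5:!3DES:@STRENGTH:+ADH"',
              '"ALL:!EXP:!LOW:!MD5:!3DES:DES:@STRENGTH:+ADH"'):
        print(s, "->", sweet32_exposed(s) or "no 64-bit block ciphers")
```

In this model the default string still leaves the 3DES suite enabled, and the bare DES token in the last string adds nothing back because !LOW already removed single DES permanently.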
