06-07-2022 09:10 PM - edited 06-07-2022 09:12 PM
Hi Team,
Recently I got a report from my security team, stating that there is Weak SSL/TLS Key Exchange on our expressway deployment. The report is generated from Qualys. The result said this:
PROTOCOL  NAME   GROUP      KEY-SIZE  FORWARD-SECRET  CLASSICAL-STRENGTH  QUANTUM-STRENGTH
TLSv1.2   ECDHE  secp192r1  192       yes             96                  low
On the solution tab of the report, it is stated that:
Change the SSL/TLS server configuration to only allow strong key exchanges.
On Maintenance -> Security -> Ciphers, here is the entry for the ciphers:
EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL
Here is the output when I issue the xconfiguration // ciphers command:
xconfiguration // ciphers
*c xConfiguration Ciphers ForwardProxyTLSCiphers Value: "EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL"
*c xConfiguration Ciphers ForwardProxyTLSProtocol Value: "minTLSv1.2"
*c xConfiguration Ciphers HTTPSCiphers Value: "EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL"
*c xConfiguration Ciphers HTTPSProtocol Value: "minTLSv1.2"
*c xConfiguration Ciphers RemoteSyslog1TLSCiphers Value: "ALL"
*c xConfiguration Ciphers RemoteSyslog1TLSProtocol Value: "minTLSv1.0"
*c xConfiguration Ciphers RemoteSyslog2TLSCiphers Value: "ALL"
*c xConfiguration Ciphers RemoteSyslog2TLSProtocol Value: "minTLSv1.0"
*c xConfiguration Ciphers RemoteSyslog3TLSCiphers Value: "ALL"
*c xConfiguration Ciphers RemoteSyslog3TLSProtocol Value: "minTLSv1.0"
*c xConfiguration Ciphers RemoteSyslog4TLSCiphers Value: "ALL"
*c xConfiguration Ciphers RemoteSyslog4TLSProtocol Value: "minTLSv1.0"
*c xConfiguration Ciphers ReverseProxyTLSCiphers Value: "EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL"
*c xConfiguration Ciphers ReverseProxyTLSProtocol Value: "minTLSv1.2"
*c xConfiguration Ciphers SIPTLSCiphers Value: "EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:+ADH"
*c xConfiguration Ciphers UcClientTLSCiphers Value: "EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL"
*c xConfiguration Ciphers UcClientTLSProtocol Value: "minTLSv1.2"
*c xConfiguration Ciphers XCPTLSCiphers Value: "EECDH:EDH:HIGH:-AES256+SHA:!MEDIUM:!LOW:!3DES:!MD5:!PSK:!eNULL:!aNULL"
*c xConfiguration Ciphers XCPTLSProtocol Value: "minTLSv1.2"
*c xConfiguration Ciphers sshd_ciphers Value: "aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr,aes256-cbc,aes192-cbc,aes128-cbc"
*c xConfiguration Ciphers sshd_kex Value: "ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1"
*c xConfiguration Ciphers sshd_macs Value: "hmac-sha2-512,hmac-sha2-256,hmac-sha1"
*c xConfiguration Ciphers sshd_pfwd_ciphers Value: "aes256-ctr"
*c xConfiguration Ciphers sshd_pfwd_kexalgorithms Value: "ecdh-sha2-nistp384"
*c xConfiguration Ciphers sshd_pfwd_pubkeyalgorithms Value: "x509v3-sign-rsa"
*c xConfiguration Authentication ADS CipherSuite: "HIGH:MEDIUM:!ADH:!aNULL:!eNULL:-AES128-SHA256:@STRENGTH"
I am running 12.5.4 on the expressway. May I know how to resolve it? Thank you.
07-01-2022 12:28 AM
Hi Bruno,
Is that a statement from TAC?
07-01-2022 03:34 AM
Hi,
It's correct, it's from Cisco TAC.
07-10-2022 06:59 PM
Hi,
Got any word back from Cisco regarding this issue?
07-12-2022 05:20 AM
You can click the notification bell on the bug, and you'll get an email when the bug changes status - that way you can stay up to date on any additions. Given X14.2 is listed (and not released yet) it may take some time for them to evaluate if making this change will break something else (something that doesn't support that exchange/key length) or when it should roll in.
07-12-2022 06:02 PM
Hi Adam,
I see, thank you for the explanation.
07-13-2022 06:28 AM
07-27-2022 09:34 PM
Update: built a new Expressway running on 14.0.8, the secp192r1 is still there. Bug status is still open as well.
07-27-2022 09:45 PM
09-16-2022 11:07 PM - edited 09-16-2022 11:07 PM
Hi @fdharmawan ,
How are you checking that secp192r1 is still there? Is there any command in VCS to check?
I am not able to find this.
After upgrading to X14.2, the VA was mitigated.
08-09-2022 04:21 AM
Hi Vinod16,
I don't see x14.2 available yet publicly. Was this provided by TAC?
08-09-2022 05:41 AM
Just because a product version is already announced in a doc or a bug doesn't mean it is already publicly available for download.
It just means that the bug will be fixed in the upcoming version. Until it is available, you have to wait.
08-12-2022 02:22 AM
09-02-2022 12:21 AM
Hi,
I have tested installing Expressway 14.2 in a test environment, and the issue was gone. But I haven't upgraded to that version yet, as it requires a smart license on Expressway.
09-02-2022 12:58 AM
10-19-2022 06:56 PM
Hi Vinod,
I installed 14.2 on my lab and used OpenSSL to confirm. Currently waiting for others to try 14.2.1 and get feedback from them, as the initial issue regarding
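The thread asks twice how to confirm from the outside whether secp192r1 is still accepted (one reply says it was checked with OpenSSL). The script below is an added example, not something posted in the thread or shipped by Cisco. It does what a scanner like Qualys does: offers the server exactly one ECDHE group on a TLSv1.2 handshake and reports whether the server negotiates it. Two things it assumes: OpenSSL 1.1.1 or later is on PATH (the `-groups` option; older builds spell it `-curves`), and the host and port are supplied by the caller. Note that OpenSSL prints and accepts the NIST spelling `P-192` for secp192r1. This also explains why the cipher strings shown in the first post cannot fix the finding: an OpenSSL cipher string such as `EECDH:EDH:HIGH:...` selects cipher suites, while the list of ECDHE groups the server will accept is a separate setting that the cipher string does not touch.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a TLS endpoint still
# accepts a given ECDHE group, the way an external scanner would see it.
# Assumes OpenSSL >= 1.1.1 on PATH; host/port are caller-supplied placeholders.

# Pull the "Server Temp Key:" line that s_client prints after a successful
# handshake, e.g. "ECDH, P-192, 192 bits". Empty output means no handshake.
parse_temp_key() {
    printf '%s\n' "$1" | sed -n 's/^Server Temp Key: //p' | head -n 1
}

# Return 0 if the handshake succeeded AND the ephemeral key used group $2
# (spelled as s_client prints it, e.g. P-192). $1 is the s_client output.
handshake_used_group() {
    key=$(parse_temp_key "$1")
    case "$key" in
        "ECDH, $2, "*) return 0 ;;
        *)             return 1 ;;
    esac
}

# Offer ONLY group $3 on a TLSv1.2 handshake to $1:$2. The finding in the
# thread is for TLSv1.2, and pinning the version avoids TLSv1.3 key-share
# complications. Prints a verdict; returns 1 if the weak group was negotiated.
check_group() {
    out=$(openssl s_client -connect "$1:$2" -servername "$1" -tls1_2 \
              -groups "$3" </dev/null 2>&1 || true)
    if handshake_used_group "$out" "$3"; then
        printf 'VULNERABLE: %s:%s negotiated %s\n' "$1" "$2" "$(parse_temp_key "$out")"
        return 1
    fi
    printf 'OK: %s:%s did not negotiate %s\n' "$1" "$2" "$3"
    return 0
}

# Usage: sh check_group.sh expressway.example.com 443   (host is a placeholder)
if [ "$#" -ge 2 ]; then
    check_group "$1" "$2" P-192
fi
```

Run it against the Expressway's HTTPS port before and after an upgrade; a server that has dropped secp192r1 refuses the handshake outright, so no "Server Temp Key" line appears and the script prints OK. The same call with P-256 or P-384 should still succeed, which confirms the check itself is working rather than the port being closed.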