
cipher block chaining

curtis03_2 (Level 1)

Hi

A recent Nessus vulnerability scan has highlighted several issues with my customer's infrastructure, comprising Cisco 3850 IOS-XE switch stacks (WS-C3850-48P v03.06.00E).

Can anyone please confirm how I can fix the following issue:

1) 'The SSH server is configured to use Cipher Block Chaining - disable CBC mode & enable CTR or GCM encryption'

Also the scan has highlighted numerous SSL issues which I presume are due to having 'ip http secure-server' configured. Am I correct to assume disabling 'ip http secure-server' will remove these SSL issues?

Many thanks for any help!


4 Replies

Aditya Ganjoo (Cisco Employee)

Hi Curtis,

The command you will want to look at is the "ip ssh server algorithm encryption" command.

This allows you to change the encryption methods allowed for encrypting SSH sessions and you can disable Cipher Block Chaining (CBC) methods by omitting them from this configuration.

The configuration options available and how to implement them specifically are documented at this link:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/sec_usr_ssh/configuration/15-s/sec-usr-ssh-15-s-book/sec-secure-shell-algorithm-ccc.html#concept_9C253BD1B6AC4F10AB86EFC33C7FECA8

Regards,

Aditya

Please rate helpful posts.

Hi Curtis,

Some more info on this.

Cisco didn't disable the CBC mode ciphers because it needed to provide backward compatibility, and this feature cannot be disabled, though the server's preferred method is always a CTR mode cipher if that is enabled.

CTR mode is enabled by upgrading your switch or router to the fixed-in release versions, following the enhancement details provided:

CSCty14415

https://tools.cisco.com/bugsearch/bug/CSCty14415/?reffering_site=dumpcr

So, firstly, CBC cannot be disabled on Cisco switches or routers; secondly, CTR encryption will be enabled after you upgrade your device to the fixed-in versions released under the above enhancement.

Regards,

Aditya

Please rate helpful posts.
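The two replies above describe the check a defender wants to automate: read the cipher list the SSH server currently advertises, flag any CBC entries, and either produce the `ip ssh server algorithm encryption` line that keeps only the CTR/GCM ciphers or, when no non-CBC cipher is available on the running release, report that configuration alone cannot fix it. The following Python script is an added example written for this thread, not code from Cisco or from the posters; the `show ip ssh` output and running-config fragment embedded in it are constructed samples, and the field names and helper functions are assumptions about that output's layout.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `show ip ssh` output from an IOS-XE switch on which the
# server still advertises CBC ciphers alongside CTR (not captured from a real device).
SAMPLE_SHOW_IP_SSH = """\
SSH Enabled - version 2.0
Authentication methods:publickey,keyboard-interactive,password
Hostkey Algorithms:x509v3-ssh-rsa,ssh-rsa
Encryption Algorithms:aes128-ctr,aes192-ctr,aes256-ctr,aes128-cbc,3des-cbc,aes192-cbc,aes256-cbc
MAC Algorithms:hmac-sha1,hmac-sha1-96
"""

# Constructed running-config fragment with an explicit, but still CBC-tolerant, cipher list.
SAMPLE_RUNNING_CONFIG = """\
hostname SW-CORE
ip ssh version 2
ip ssh server algorithm encryption aes128-ctr aes256-ctr aes128-cbc 3des-cbc
ip http secure-server
"""

CIPHER_CMD = "ip ssh server algorithm encryption"


def is_cbc(cipher: str) -> bool:
    """True for any SSH cipher name in CBC mode (e.g. aes128-cbc, 3des-cbc)."""
    return cipher.lower().endswith("-cbc")


def parse_enabled_ciphers(show_ip_ssh: str) -> List[str]:
    """Extract the 'Encryption Algorithms:' list from `show ip ssh` output,
    preserving the server's preference order (assumed layout, see sample)."""
    m = re.search(r"^Encryption Algorithms:\s*(.+)$", show_ip_ssh, re.MULTILINE)
    if not m:
        return []
    return [c.strip() for c in m.group(1).split(",") if c.strip()]


def configured_ciphers(running_config: str) -> Optional[List[str]]:
    """Return the cipher list from an explicit `ip ssh server algorithm encryption`
    line, or None when the device is running the platform default list."""
    m = re.search(rf"^{re.escape(CIPHER_CMD)}\s+(.+)$", running_config, re.MULTILINE)
    return m.group(1).split() if m else None


def cbc_ciphers(ciphers: List[str]) -> List[str]:
    """The subset of a cipher list that a scanner would flag as CBC mode."""
    return [c for c in ciphers if is_cbc(c)]


def hardened_cipher_line(ciphers: List[str]) -> Optional[str]:
    """Build the config line that keeps only the non-CBC (CTR/GCM) ciphers from
    the currently enabled set. Returns None when nothing non-CBC is available:
    that is the case the thread describes, where the list cannot be fixed by
    configuration and the device needs a software release that adds CTR."""
    keep = [c for c in ciphers if not is_cbc(c)]
    return f"{CIPHER_CMD} {' '.join(keep)}" if keep else None


def audit(show_ip_ssh: str, running_config: str) -> Dict[str, object]:
    """Combine the checks into one finding record for a single device."""
    enabled = parse_enabled_ciphers(show_ip_ssh)
    weak = cbc_ciphers(enabled)
    return {
        "enabled": enabled,
        "cbc_enabled": weak,
        "explicit_config": configured_ciphers(running_config),
        "finding": bool(weak),
        "remediation": hardened_cipher_line(enabled),
        # The original question also asked about the HTTPS server; record whether it is on.
        "http_secure_server": bool(
            re.search(r"^ip http secure-server$", running_config, re.MULTILINE)
        ),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_SHOW_IP_SSH, SAMPLE_RUNNING_CONFIG).items():
        print(f"{key}: {value}")
```

Run against real output by replacing the two sample strings with the text captured from `show ip ssh` and `show running-config`. A `remediation` of None means the release in use offers no CTR or GCM cipher at all, so the only path is the software upgrade the second reply points to; a non-None line is the configuration to apply, after which re-running the scan confirms the CBC finding is gone.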

Aditya, thank you very much for such a prompt response.

Hi Curtis,

Happy to help.

Regards,

Aditya

Please rate this response and mark it as correct if it helped you.