Solved: 9800-L-F WLC SSL Certificate Signed Using Weak Hashing Algorithm

lightda · ‎12-11-2024

Hi Comminity,

I have an issue here with WLC 9800-L-F.
I use Nessus to scan WLC, it found a High level issue: SSL Certificate Signed Using Weak Hashing Algorithm

It seems like I hit a bug of Sweet32: https://bst.cisco.com/quickview/bug/CSCvv09676
After checking, the SSL certificate which hit this issue was for Web-Admin use.

I've tried to search the way to fix it, but could not found, did anyone done this before?
Should I generate a new certificate with SHA-256?
no ip http secure-server is not in the options.

Rich R · ‎12-12-2024

@shambhu.kumar that config is for SSH not HTTPS!

What version of software are you using @lightda
Refer to the TAC recommended code versions link below.

See:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#Dealingwithtrustpoints
https://mrncciew.com/2023/09/11/9800-web-admin-certs/
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_web_admin_settings.html
https://www.youtube.com/watch?v=BbVi9OYaBjU

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

View solution in original post

shambhu.kumar · ‎12-11-2024

Try this and re-scan, It will not detect vulnerability like, Deprecated SSH Cryptographic Settings or SSH Prefix Truncation Vulnerability (Terrapin)

ip ssh server algorithm mac hmac-sha2-256 hmac-sha2-512
ip ssh server algorithm encryption aes256-ctr
ip ssh server algorithm kex ecdh-sha2-nistp521
ip ssh server algorithm hostkey rsa-sha2-512 rsa-sha2-256
ip ssh server algorithm authentication keyboard

Regards

Rich R · ‎12-12-2024

@shambhu.kumar that config is for SSH not HTTPS!

What version of software are you using @lightda
Refer to the TAC recommended code versions link below.

See:
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/technical-reference/c9800-best-practices.html#Dealingwithtrustpoints
https://mrncciew.com/2023/09/11/9800-web-admin-certs/
https://www.cisco.com/c/en/us/td/docs/wireless/controller/9800/17-12/config-guide/b_wl_17_12_cg/m_web_admin_settings.html
https://www.youtube.com/watch?v=BbVi9OYaBjU

------------------------------
Please click Helpful if this post helped you and Select as Solution (drop down menu at top right of this reply) if this answered your query.
------------------------------
TAC recommended codes for AireOS WLC's and TAC recommended codes for 9800 WLC's
Best Practices for AireOS WLC's, Best Practices for 9800 WLC's and Cisco Wireless compatibility matrix
Check your 9800 WLC config with Wireless Config Analyzer using "show tech wireless" output or "config paging disable" then "show run-config" output on AireOS and use Wireless Debug Analyzer to analyze your WLC client debugs
Field Notice: FN63942 APs and WLCs Fail to Create CAPWAP Connections Due to Certificate Expiration
Field Notice: FN72424 Later Versions of WiFi 6 APs Fail to Join WLC - Software Upgrade Required
Field Notice: FN72524 IOS APs stuck in downloading state after 4 Dec 2022 due to Certificate Expired
- Fixed in 8.10.196.0, latest 9800 releases, 8.5.182.12 (8.5.182.13 for 3504) and 8.5.182.109 (IRCM, 8.5.182.111 for 3504)
Field Notice: FN70479 AP Fails to Join or Joins with 1 Radio due to Country Mismatch, RMA needed
How to avoid boot loop due to corrupted image on Wave 2 and Catalyst 11ax Access Points (CSCvx32806)
Field Notice: FN74035 - Wave2 APs DFS May Not Detect Radar After Channel Availability Check Time
Leo's list of bugs affecting 2800/3800/4800/1560 APs
Default AP console baud rate from 17.12.x is 115200 - introduced by CSCwe88390

lightda · ‎12-15-2024

Thanks for helping, it was useful,
My co-worker have open TAC Case to confirm the step, sharing step to otherelse:

#This will disable GUI access to the WLC – This will not affect anyone trying to authenticate to the SSID

no ip http server

no ip http secure-server

#This will create an RSA key called RSA-WLC-SSC

crypto key generate rsa label RSA-WLC-SSC modulus 2048

#This will create the trustpoint called WLC-SSC and give it the following configurations

Stronger Hash
Create it as a self signed certificate
Does not perform any revocation checks
Links the RSA key that we created above

crypto pki trustpoint WLC-SSC

hash sha256

enrollment selfsigned

revocation-check none

rsakeypair RSA-WLC-SSC

exit

#This will now apply the newly created trustpoint onto the WLC

crypto pki enroll WLC-SSC

yes

no

yes

#This will now configure the new trustpoint for web admin and enable GUI access

ip http secure-trustpoint WLC-SSC

ip http server

ip http secure-server