3 Replies Latest reply on Feb 18, 2013 2:29 PM by levi

    Disable Weak Ciphers

    keystroke13 New Member

      We are currently running AOS version 18.02.03.00.E on a NetVanta 1300 Series access router. Is there a way to disable all weak ciphers when allowing HTTPS access to the internal web server/GUI? The device allows for DES 56-bit key (DES-CBC-SHA) which is now considered to be insecure.

        • Re: Disable Weak Ciphers
          btolbert Employee

          Yes, you can disable it using the http secure-ciphersuite commands.

           

          E.g.:

          BT_900E(config)#do sho run ver | inc cipher
          http secure-ciphersuite dhe-rsa-aes256-sha
          http secure-ciphersuite aes256-sha
          http secure-ciphersuite edh-rsa-des-cbc3-sha
          http secure-ciphersuite des-cbc3-sha
          http secure-ciphersuite des-cbc3-md5
          http secure-ciphersuite dhe-rsa-aes128-sha
          http secure-ciphersuite aes128-sha
          http secure-ciphersuite rc4-sha
          http secure-ciphersuite rc4-md5
          http secure-ciphersuite edh-rsa-des-cbc-sha
          http secure-ciphersuite des-cbc-sha
          http secure-ciphersuite des-cbc-md5
          BT_900E(config)#no http secure-ciphersuite des-cbc-sha
          BT_900E(config)#

           

          Hope this helps,

          Brett
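An added example, not part of the original thread and not ADTRAN code: a small Python script that reads the `| inc cipher` listing shown in the reply above and generates the matching `no http secure-ciphersuite` lines. The weak-suite policy (single DES, RC4, MD5-based MACs) is an assumption of this example; the thread itself only names DES-CBC-SHA. The function names are hypothetical and the sample input is constructed from the listing above.

```python
import re

# Constructed sample input: the "| inc cipher" listing from the reply above.
SAMPLE = """\
http secure-ciphersuite dhe-rsa-aes256-sha
http secure-ciphersuite aes256-sha
http secure-ciphersuite edh-rsa-des-cbc3-sha
http secure-ciphersuite des-cbc3-sha
http secure-ciphersuite des-cbc3-md5
http secure-ciphersuite dhe-rsa-aes128-sha
http secure-ciphersuite aes128-sha
http secure-ciphersuite rc4-sha
http secure-ciphersuite rc4-md5
http secure-ciphersuite edh-rsa-des-cbc-sha
http secure-ciphersuite des-cbc-sha
http secure-ciphersuite des-cbc-md5
"""

# Only enabled-suite lines match; prompt lines and "no ..." lines are ignored.
LINE = re.compile(r"^[ \t]*http secure-ciphersuite (\S+)[ \t]*$", re.MULTILINE)

def weaknesses(suite):
    """Return why a suite name is weak under this example's policy ([] if not)."""
    tokens = suite.lower().split("-")
    reasons = []
    # Match whole tokens: "des-cbc" is single DES, "des-cbc3" is 3DES.
    if "des" in tokens and "cbc" in tokens:
        reasons.append("single DES, 56-bit key")
    if "rc4" in tokens:
        reasons.append("RC4")
    if tokens[-1] == "md5":
        reasons.append("MD5 MAC")
    return reasons

def plan(config_text):
    """Return (commands, kept): 'no' commands for weak suites, and what stays."""
    commands, kept = [], []
    for suite in LINE.findall(config_text):
        if weaknesses(suite):
            commands.append("no http secure-ciphersuite " + suite)
        else:
            kept.append(suite)
    if not kept:
        raise ValueError("policy would remove every enabled ciphersuite")
    return commands, kept

if __name__ == "__main__":
    commands, kept = plan(SAMPLE)
    print("\n".join(commands))
    print("! still enabled:", ", ".join(kept))
```

Matching on whole name tokens matters here: a plain substring search for `des-cbc` would also remove the `des-cbc3` (3DES) suites, which this policy leaves enabled.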

          • Re: Disable Weak Ciphers
            levi Employee

            keystroke13:

             

            I went ahead and flagged this post as “Assumed Answered.”  If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons.  This will make them visible and help other members of the community find solutions more easily.  If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.

             

            Levi

            • Re: Disable Weak Ciphers
              levi Employee

              keystroke13:

               

              I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons.  If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.

               

              Thanks,

               

              Levi