08-12-2015 04:42 AM - edited 03-11-2019 11:24 PM
Hi all,
I want to disable CBC mode cipher encryption, enable CTR or GCM cipher mode encryption, and disable the MD5 and 96-bit MAC algorithms.
ASA version: 9.1.5(21)
Any idea?
Regards,
Bala
08-12-2015 05:34 AM
You can't, the options are quite limited. But you can configure your SSH clients not to negotiate weak ciphers.
08-12-2015 11:03 PM
Is there any doc or Cisco release note stating that it is not possible?
What does "options are quite limited" mean?
08-13-2015 12:12 PM
If you want to use TLSv2 ciphersuites you are going to have to upgrade to 9.3 or higher; they aren't supported on earlier versions.
-- Jim Leinweber, WI State Lab of Hygiene
08-13-2015 08:32 PM
Is TLSv2 applicable for SSH also? Please confirm.
08-14-2015 12:01 AM
No, TLS 1.2 in ASA versions 9.3 and higher can be used with the actual AnyConnect client. But it's unrelated to SSH.
08-14-2015 12:05 AM
Correct.
Is there any Cisco doc or release note showing that there is no workaround in Cisco ASA for the SSH vulnerability?
If the limited possibilities are documented, at least share that link.
08-14-2015 12:08 AM
Everything you can do is documented in the config guide.
08-14-2015 03:30 AM
Which config guide are you referring to? Can you share the link?
08-14-2015 03:43 AM
08-14-2015 05:28 AM
If we enable SSH authentication, can we mitigate that vulnerability?
08-14-2015 05:51 AM
SSH always works with authentication. That's not related to the ciphers used.
08-14-2015 12:03 AM
To my knowledge it's not documented that it's not possible... Only the limited possibilities are documented, and that's mainly that you can restrict SSH to version 2 and configure DH to group 14.
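A client-side way to do what the first reply and the post above describe, as an added example that is not from any poster: an OpenSSH `ssh_config` entry that refuses CBC ciphers, MD5 and 96-bit MACs when connecting to the ASA, and pins the key exchange to group 14 to match the device-side restriction. The host alias, the address and the exact algorithm lists the 9.1 firmware accepts are assumptions; if the connection fails with OpenSSH's "no matching cipher found" or "no matching MAC found", the device simply offers nothing outside the weak set, which this config makes visible instead of silently negotiating around.

```sshconfig
# ~/.ssh/config (OpenSSH client). Added example, not the ASA's own configuration.
# Host alias and address are placeholders.
Host asa-mgmt
    HostName 192.0.2.1
    User admin
    # CTR and GCM only. No *-cbc entry exists here, so CBC can never be negotiated,
    # whatever the ASA offers.
    Ciphers aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
    # No hmac-md5* and no *-96 variants. hmac-sha1 (full 160-bit tag) is kept because the
    # question only rules out MD5 and 96-bit MACs, and older ASA code may offer only SHA-1.
    MACs hmac-sha2-512,hmac-sha2-256,hmac-sha1
    # Group 14 only, matching the two device-side settings the post above mentions
    # (SSH version 2 and DH group 14; exact ASA command syntax is assumed, check the config guide).
    KexAlgorithms diffie-hellman-group14-sha1
```

`ssh -G asa-mgmt` (OpenSSH 6.8 or later) prints the effective settings for that host, so you can confirm that no CBC, MD5 or 96-bit entry survives before connecting.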