CNA and HTTPS with new IOS Version

swelsch
Level 1

Hello,

I have a problem with CNA and all of my 2960X switches with newer IOS versions.

Version 15.0-2a.EX5: HTTP and HTTPS work fine in CNA.

After updating to

Version 15.2-2.E3: only HTTP works, HTTPS doesn't work, I get a "Device not reachable".

The CLI gives the following messages:

Nov 24 09:24:23: %HTTPS: SSL handshake fail (-6992)
Nov 24 09:24:23: HTTP: ssl handshake failed (-40404)

Nov 24 09:24:23: HTTP: sock rd ev socket error EPIPE (0x20)

Nov 24 09:24:23: HTTP: Priv level granted 15
Nov 24 09:24:23: Tue, 24 Nov 2015 08:24:23 GMT 192.168.99.15  ok
        Protocol = HTTP/1.1 Method = GET
Nov 24 09:24:23:
Nov 24 09:24:23: HTTP: Priv level granted 15
Nov 24 09:24:23: Tue, 24 Nov 2015 08:24:23 GMT 192.168.99.15 /exec/show/version/CR ok
        Protocol = HTTP/1.1 Method = GET
Nov 24 09:24:23:
Nov 24 09:24:24: HTTP: Priv level granted 15
Nov 24 09:24:24: Tue, 24 Nov 2015 08:24:24 GMT 192.168.99.15 /exec/show/cluster/CR ok
        Protocol = HTTP/1.1 Method = GET

Today I get the same behaviour with a 2960+ when updating to Version 15.0-2.SE8.

Is there a bug in the newer IOS versions?

4 Replies

Dennis Mink
VIP Alumni

Same issue in different browsers?

Try:

(config)#no crypto pki trustpoint TP-self-signed-xxxxxxxx

(config)#crypto key zeroize rsa

(config)#crypto key generate rsa

Please remember to rate useful posts, by clicking on the stars below.

Hello,

No changes when deleting and generating keys; updating to 15.0-2SE9 has the same effect.

But now I have another debug message:

Cat3560X-48P-UG-1#deb ssl openssl errors
TLS errors debugging is on
Cat3560X-48P-UG-1#
*Jan  2 02:01:12: CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling TLSv1
*Jan  2 02:01:12: opssl_SetPKIInfo entry
*Jan  2 02:01:12: opssl_SetPKIInfo done.
*Jan  2 02:01:12: 0:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:315:

*Jan  2 02:01:12: %HTTPS: SSL handshake fail (-6992)
*Jan  2 02:01:12: HTTP: ssl handshake failed (-40404)

Cat3560X-48P-UG-1#

I'm not really familiar with HTTPS/SSL; could this be the error?

If yes, how can I fix my problem?

Thanks

The server (e.g. the switch) no longer supports broken/insecure SSL3, but the client seems to use it (thus it is refused). Either upgrade the client or downgrade the server.

Hi,

It's a security bug or feature.

Symptom: CNA works with the SSL protocol; however, because of the POODLE vulnerability, Cisco has disabled SSL on the newer IOS versions starting from 15.0(02)SE08 on 2960 and 3750 switches.

Workaround: Enable HTTP and access the switch from CNA via HTTP; it works.
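The `debug ssl openssl errors` output quoted earlier in the thread and the POODLE explanation in this reply together describe one failure pattern: the switch has dropped SSLv3, the client still speaks it, and the handshake dies with an OpenSSL "wrong version number" error before the HTTPS server ever sees a request. The following script is an added example, not code from Cisco or from anyone in this thread; it parses that kind of IOS debug output and reports whether the failure is a protocol-version mismatch (client too old) rather than a certificate or key problem, which is the distinction the thread spent several replies working out. The log text embedded in it is constructed to mirror the lines posted above, the message regexes are assumptions based on those lines only, and the -6992/-40404 return codes are treated as opaque.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample, modelled on the "debug ssl openssl errors" output posted in this thread.
SAMPLE_LOG = """\
*Jan  2 02:01:12: CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling TLSv1
*Jan  2 02:01:12: opssl_SetPKIInfo entry
*Jan  2 02:01:12: opssl_SetPKIInfo done.
*Jan  2 02:01:12: 0:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:315:
*Jan  2 02:01:12: %HTTPS: SSL handshake fail (-6992)
*Jan  2 02:01:12: HTTP: ssl handshake failed (-40404)
*Jan  2 02:01:13: HTTP: Priv level granted 15
"""

# IOS debug timestamp prefix ("*Jan  2 02:01:12: ..."); the leading "*" is optional.
TS = re.compile(r"^\*?(?P<ts>\w{3}\s+\d+\s+\d\d:\d\d:\d\d): (?P<msg>.*)$")
# OpenSSL error string layout: error:<8 hex>:<library>:<function>:<reason>:<file>:<line>:
OPENSSL_ERR = re.compile(
    r"error:(?P<code>[0-9A-Fa-f]{8}):(?P<lib>[^:]+):(?P<func>[^:]+):(?P<reason>[^:]+)")
# The IOS HTTPS server's own summary line (assumed shape, taken from the thread).
HANDSHAKE_FAIL = re.compile(r"%HTTPS: SSL handshake fail \((?P<rc>-?\d+)\)")
SSL3_DISABLED = re.compile(r"SSL3\.0 is no longer supported")


@dataclass
class Finding:
    timestamp: str
    kind: str      # "ssl3_disabled" | "openssl_error" | "handshake_fail"
    detail: str


def parse_debug_log(text: str) -> List[Finding]:
    """Extract the TLS-relevant events from IOS HTTP/SSL debug output."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = TS.match(line.strip())
        if not m:
            continue  # prompts, blank lines, anything without a debug timestamp
        ts, msg = m.group("ts"), m.group("msg")
        if SSL3_DISABLED.search(msg):
            findings.append(Finding(ts, "ssl3_disabled", msg))
        elif (e := OPENSSL_ERR.search(msg)):
            findings.append(Finding(
                ts, "openssl_error",
                f"{e.group('code')} {e.group('func')}: {e.group('reason')}"))
        elif (h := HANDSHAKE_FAIL.search(msg)):
            findings.append(Finding(ts, "handshake_fail", f"rc={h.group('rc')}"))
    return findings


def diagnose(findings: List[Finding]) -> Dict[str, object]:
    """Turn raw findings into a verdict an operator can act on."""
    kinds = [f.kind for f in findings]
    reasons = [f.detail for f in findings if f.kind == "openssl_error"]
    version_mismatch = any("wrong version number" in r for r in reasons)
    if version_mismatch and "ssl3_disabled" in kinds:
        verdict = "protocol_version_mismatch"
        advice = ("Switch refuses SSLv3 (POODLE mitigation) and rejected the client's "
                  "record version. Update the client so it negotiates TLSv1 or later; "
                  "re-zeroizing RSA keys or the trustpoint will not change this.")
    elif version_mismatch:
        verdict = "protocol_version_mismatch"
        advice = "Client and server share no TLS version; check the client's protocol settings."
    elif "handshake_fail" in kinds:
        verdict = "handshake_failed_other"
        advice = "Handshake failed for a reason other than protocol version; inspect cert/cipher debug."
    else:
        verdict = "no_tls_failure"
        advice = "No TLS handshake failure found in this log."
    return {"verdict": verdict,
            "handshake_failures": kinds.count("handshake_fail"),
            "openssl_reasons": reasons,
            "advice": advice}


if __name__ == "__main__":
    result = diagnose(parse_debug_log(SAMPLE_LOG))
    print(result["verdict"], "-", result["advice"])
```

Paste the real `debug ssl openssl errors` capture in place of `SAMPLE_LOG` to run it against a live switch's output. The script deliberately keys on the OpenSSL reason text rather than on the numeric `-6992`/`-40404` codes, because the reason string is what identifies a version negotiation failure; the numeric codes are the same for any handshake failure and tell you nothing about the cause.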