Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Webcast-Catalyst9k
New Member

CNA and HTTPS with new IOS Version

Hello,

i have a problem with CNA and all of my 2960X Switch with newer IOS Versions.

Version 15.0-2a.EX5 : HTTP and HTTPS works fine in CNA

after Update to

Version 15.2-2.E3 : only HTTP works, HTTPS doesn't work, i get an Device not reachable.

CLI get the following message

Nov 24 09:24:23: %HTTPS: SSL handshake fail (-6992)
Nov 24 09:24:23: HTTP: ssl handshake failed (-40404)

Nov 24 09:24:23: HTTP: sock rd ev socket error EPIPE (0x20)

Nov 24 09:24:23: HTTP: Priv level granted 15
Nov 24 09:24:23: Tue, 24 Nov 2015 08:24:23 GMT 192.168.99.15  ok
        Protocol = HTTP/1.1 Method = GET
Nov 24 09:24:23:
Nov 24 09:24:23: HTTP: Priv level granted 15
Nov 24 09:24:23: Tue, 24 Nov 2015 08:24:23 GMT 192.168.99.15 /exec/show/version/CR ok
        Protocol = HTTP/1.1 Method = GET
Nov 24 09:24:23:
Nov 24 09:24:24: HTTP: Priv level granted 15
Nov 24 09:24:24: Tue, 24 Nov 2015 08:24:24 GMT 192.168.99.15 /exec/show/cluster/CR ok
        Protocol = HTTP/1.1 Method = GET

 

Today i get the same behaviour with a 2960+ when updating to Version 15.0-2.SE8

Is there a bug in the newer IOS Versions ?

4 REPLIES

same issue in different

same issue in different browsers?

try 

(config)#no crypto pki trustpoint TP-self-signed-xxxxxxxx

(config)#crypto key zeroize rsa

(config)#crypto key generate rsa

Please remember to rate useful posts, by clicking on the stars below.

New Member

Hello,

Hello,

no changes when deleting and generating keys, updatein to 15.0-2SE9 has the same effects

but now i have another debug message:

Cat3560X-48P-UG-1#deb ssl openssl errors
TLS errors debugging is on
Cat3560X-48P-UG-1#
*Jan  2 02:01:12: CRYPTO_OPSSL: SSL3.0 is no longer supported.Enabling TLSv1
*Jan  2 02:01:12: opssl_SetPKIInfo entry
*Jan  2 02:01:12: opssl_SetPKIInfo done.
*Jan  2 02:01:12: 0:error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number:../VIEW_ROOT/cisco.comp/pki_ssl/src/openssl/dist/ssl/s3_pkt.c:315:

*Jan  2 02:01:12: %HTTPS: SSL handshake fail (-6992)
*Jan  2 02:01:12: HTTP: ssl handshake failed (-40404)

Cat3560X-48P-UG-1#

I'm nor really firm with HTTPS/SSL , could this be the error ?

if yes, how can i fix my problem ?

thanks

VIP Gold

Server (e.g. switch) no

Server (e.g. switch) no longer support broken/insecure SSL3 but client seems use it (thus it is refused). Either upgrade client or downgrade server.

New Member

Hi,

Hi,

it's a security bug or feature

Symptom: CNA works with SSL protocol, however because of POODLE vulnerability, Cisco has disabled SSL on the newer versions of IOS starting from 15.0(02)SE08 on 2960, 3750 switches.

Workaround: Enable HTTP and access the switch from CNA via HTTP, it works.
 

625
Views
0
Helpful
4
Replies
CreatePlease to create content