Disabling Weak Ciphers

k.romer
Level 1

How do I disable weak ciphers on an ASA 5520 and a 2800 series router?

I am being told I only need to force the use of SSL2 and weak ciphers will be disabled.

Is this correct and where can I get information to confirm it?

12 Replies

fadlouni
Level 1

You can restrict ASA and IOS SSL cipher suites using these commands:

On IOS: ip http secure-ciphersuite

On ASA: ssl encryption

for more info:

http://www.cisco.com/en/US/docs/ios/netmgmt/configuration/guide/nm_https_sc_ssl3_ps6441_TSD_Products_Configuration_Guide_Chapter.html#wp1054834

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1511225

Hope this helps.

Regards,

Fadi.

On the ASA you also have a FIPS compliance command "fips enable" that will enforce FIPS compliance.

For the router, note the "auto-secure" feature that locks the router down.

I hope it helps.

PK

Hi,

I have a Cisco ASA 5525-X. I need help to resolve the cases below for hardening:

1. SSH Weak Cipher Used - how can I use 3DES or AES here?

2. SSH Weak Cipher Used - how do I remove RC4-SHA1 in the SSL settings?

Sudhir.

For SSH, use the "ssh cipher encryption" command in config mode.

Note that your SSH client software (and any management programs that use SSH to log into the ASA) need to support strong ciphers.

For SSL, use the "ssl cipher encryption" command.

Note that setting strong ciphers for SSL will require you to download the Java Cryptography Extension (JCE) and keep it in your Java security folder across Java upgrades to be able to use ASDM to manage ASAs thus secured.

Example for ssh:

asa# show ssh ciphers
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
all: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
low: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
medium: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
fips: aes128-cbc aes256-cbc
high: aes256-cbc aes256-ctr
Integrity Algorithms:
all: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
low: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
medium: hmac-sha1 hmac-sha1-96
fips: hmac-sha1
high: hmac-sha1
asa#
asa(config)# ssh cipher encryption ?
configure mode commands/options:
all Specify all ciphers
custom Choose a custom cipher encryption configuration string.
fips Specify only FIPS-compliant ciphers
high Specify only high-strength ciphers
low Specify low, medium, and high strength ciphers
medium Specify medium and high strength ciphers (default)
asa(config)#
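The `show ssh ciphers` output above is easy to audit by hand once, but the same check is worth scripting if you manage a fleet. The following is an added example, not code from the thread or from Cisco: it parses the output quoted in the post, flags the algorithms a vulnerability scanner normally reports (3DES, any CBC-mode cipher, MD5-based and truncated 96-bit HMACs) at each predefined level, and derives the `ssh cipher` commands that leave only strong algorithms enabled. The weakness rules are the usual scanner criteria, not Cisco's labels, and the quoted `custom "a:b:c"` syntax follows the ASA 9.x command reference; confirm it with `ssh cipher encryption custom ?` on your own box.

```python
"""Audit the SSH algorithm sets an ASA offers and derive hardening commands.

Added example: the sample text is the `show ssh ciphers` output quoted in
the thread (minus the CLI prompt); the weakness rules are the usual scanner
criteria, and the `custom` syntax is an assumption taken from the ASA 9.x
command reference.
"""
import re

SHOW_SSH_CIPHERS = """\
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
all: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
low: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
medium: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
fips: aes128-cbc aes256-cbc
high: aes256-cbc aes256-ctr
Integrity Algorithms:
all: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
low: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
medium: hmac-sha1 hmac-sha1-96
fips: hmac-sha1
high: hmac-sha1
"""

# Predefined levels in the order we would rather use them.
LEVEL_PREFERENCE = ("high", "fips", "medium", "low", "all")


def parse_show_ssh_ciphers(text):
    """Return {'encryption': {level: [alg, ...]}, 'integrity': {level: [...]}}."""
    parsed = {"encryption": {}, "integrity": {}}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Encryption Algorithms"):
            section = "encryption"
            continue
        if line.startswith("Integrity Algorithms"):
            section = "integrity"
            continue
        m = re.match(r"^(\w+):\s*(.*)$", line)
        if section and m:
            parsed[section][m.group(1)] = m.group(2).split()
    return parsed


def is_weak_encryption(alg):
    # 3DES (64-bit block) and any CBC-mode cipher are what scanners flag.
    return alg.startswith("3des") or alg.endswith("-cbc")


def is_weak_integrity(alg):
    # MD5-based MACs and the truncated 96-bit variants.
    return "md5" in alg or alg.endswith("-96")


def weak_algorithms(parsed, level):
    """Weak entries offered at a given predefined level."""
    return {
        "encryption": [a for a in parsed["encryption"].get(level, []) if is_weak_encryption(a)],
        "integrity": [a for a in parsed["integrity"].get(level, []) if is_weak_integrity(a)],
    }


def _clean_level(parsed, kind, is_weak):
    """First preferred level for `kind` that offers no weak algorithm, else None."""
    for level in LEVEL_PREFERENCE:
        algs = parsed[kind].get(level)
        if algs and not any(is_weak(a) for a in algs):
            return level
    return None


def hardening_commands(parsed):
    """ASA config-mode commands that leave only strong algorithms enabled."""
    cmds = []
    for kind, is_weak in (("encryption", is_weak_encryption), ("integrity", is_weak_integrity)):
        level = _clean_level(parsed, kind, is_weak)
        if level:
            cmds.append("ssh cipher %s %s" % (kind, level))
        else:
            # No predefined level is clean: build a custom list from everything
            # the platform supports, largest key first.
            strong = [a for a in parsed[kind].get("all", []) if not is_weak(a)]
            strong.reverse()
            cmds.append('ssh cipher %s custom "%s"' % (kind, ":".join(strong)))
    return cmds


if __name__ == "__main__":
    parsed = parse_show_ssh_ciphers(SHOW_SSH_CIPHERS)
    for level in LEVEL_PREFERENCE:
        print(level, weak_algorithms(parsed, level))
    print("\n".join(hardening_commands(parsed)))
```

On the output posted above this produces `ssh cipher encryption custom "aes256-ctr:aes192-ctr:aes128-ctr"` and `ssh cipher integrity high`, because even the "high" encryption level still offers aes256-cbc. If your release lists hmac-sha2-* integrity algorithms, the rule above already treats them as strong and will prefer whichever level contains only those.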

I have a C2960 switch.

IOS - c2960s-universalk9-mz.122-55.SE10

1. HTTP Basic Authentication Enabled (http-basic-auth-clear text)

2. TLS/SSL Server Supports Weak Cipher Algorithms (ssl-weak-ciphers)

3. Untrusted TLS/SSL server X.509 certificate (tls-untrusted-ca)

How can I fix these? Please advise.

Thanks

If you are not using the http server then just disable it:

no ip http server
no ip http secure-server

If you must use it (such as is required in order to use Cisco Network Assistant) and want to eliminate those audit flags then you have to address the issues one by one:

1. Don't use the ip http server since it can only use unsecured (clear text) authentication.

2. Create a new strong private key for your server to use in an SSL certificate. I wrote a post about 4 years ago that outlines how to do this:

https://supportforums.cisco.com/discussion/11959386/change-certificate-used-cisco-3850

Then restrict your http secure-server to a more secure cipher suite as shown here:

http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/command/nm-https-cr-book/nm-https-cr-cl-sh.html#wp5030573150

If you need to go with a suite stronger than 3DES (like AES) then you would have to upgrade to a newer IOS in the 15.1(2) or later range.

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/116055-technote-ios-crypto.html#anc5

3. Get a certificate for the switch by creating a Certificate Signing Request and submitting it to a trusted public CA. (I have never seen anybody do this for a switch in my many years of securing networks.)

Or instead of all of the above you could simply undertake to implement a compensating control like an access-list to restrict http/https access to a small set of trusted computers like a management subnet.
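The steps in the answer above map onto a handful of `ip http` lines in the running-config, so the three audit findings can be detected, and the fix generated, from the config itself. The following is an added example, not code from the thread or from Cisco. The running-config is a constructed snippet (the poster's attachment is not on the page), and the cipher-suite name, the management subnet and the ACL number are illustrative assumptions: `3des-ede-cbc-sha` is the strongest suite available on 12.2(55)SE-era code, as the answer notes (AES suites need 15.1(2) or later), and you would substitute your own management network and an unused standard ACL number.

```python
"""Audit IOS HTTP/HTTPS management settings and produce remediation commands.

Added example. SAMPLE_CONFIG is constructed, not the thread's attachment.
MGMT_SUBNET, MGMT_ACL and the cipher-suite name are assumptions; replace
them with values for your network and IOS release.
"""

SAMPLE_CONFIG = """\
hostname SW-2960
!
ip http server
ip http secure-server
ip http secure-client-auth
ip http authentication local
!
line vty 0 4
 transport input ssh
!
"""

MGMT_SUBNET = "192.168.0.0 0.0.0.255"   # assumption: your management network
MGMT_ACL = 10                           # assumption: an unused standard ACL number
# Strongest suite on 12.2(55)SE; on 15.1(2)+ prefer the aes-* suites instead.
CIPHERSUITE = "3des-ede-cbc-sha"


def config_lines(config):
    """Set of non-comment config lines with leading indentation removed."""
    return {ln.strip() for ln in config.splitlines() if ln.strip() and not ln.startswith("!")}


def audit_http(config):
    """Return (findings, commands) for the web-management settings in `config`."""
    lines = config_lines(config)
    findings, cmds = [], []
    http = "ip http server" in lines
    https = "ip http secure-server" in lines

    if http:
        # Plain HTTP can only do Basic authentication in clear text.
        findings.append("http-basic-auth-clear-text")
        cmds.append("no ip http server")

    if https and not any(l.startswith("ip http secure-ciphersuite") for l in lines):
        # With no suite restriction the default list includes RC4/DES.
        findings.append("ssl-weak-ciphers")
        cmds.append("ip http secure-ciphersuite %s" % CIPHERSUITE)

    if https and "ip http secure-client-auth" in lines:
        # Browser must present a client certificate; this is what blocked the
        # login described later in the thread.
        findings.append("client-cert-required")
        cmds.append("no ip http secure-client-auth")

    if https and not any(l.startswith("ip http secure-trustpoint") for l in lines):
        # Self-signed certificate: enrol with a CA or accept the browser warning.
        findings.append("tls-untrusted-ca")

    if (http or https) and not any(l.startswith("ip http access-class") for l in lines):
        # Compensating control: limit who can reach the web UI at all.
        findings.append("http-unrestricted-access")
        cmds.append("access-list %d permit %s" % (MGMT_ACL, MGMT_SUBNET))
        cmds.append("ip http access-class %d" % MGMT_ACL)

    return findings, cmds


if __name__ == "__main__":
    found, fix = audit_http(SAMPLE_CONFIG)
    print("findings:", ", ".join(found))
    print("\n".join(fix))
```

The `tls-untrusted-ca` finding produces no command because the fix is a CA enrolment (or an accepted exception in the browser), not a one-liner. On newer IOS trains the access-class form is `ip http access-class ipv4 <acl>`; adjust the generated line for your release.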

I did all of that, but I cannot log in to the switch via https.

https://supportforums.cisco.com/discussion/11959386/change-certificate-u...

ip https secure server enabled

From IE 11:

This page can't be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://192.168.0.19 again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.

Thanks

Can you share the running configuration?

Please find the attachment.

You have the command:

ip http secure-client-auth

That requires a client-side certificate to securely authenticate to the server (i.e., your switch). Please remove that command and try again. 

Yes, correct... but after that I tried to log in:

Certificate Error: Navigation Blocked

Since the certificate is self-signed by the switch, you need to have it in your trusted certificate store for IE to navigate to it. 

Easiest is to just use Firefox and tell it to add an exception for the site. 

While in Firefox you can also download the certificate. Then add it to your trusted root CA store in Windows. After you have done that you can re-launch IE and it should open fine. 
