Cisco Support Community
Community Member

Disabling Weak Ciphers

How do I disable weak ciphers on an ASA 5520 and a 2800 series router?

I am being told I only need to force the use of SSL2 and weak ciphers will be disabled.

Is this correct and where can I get information to confirm it?


Re: Disabling Weak Ciphers

You can restrict ASA and IOS SSL cipher suites using these commands:

On IOS: ip http secure-ciphersuite

On ASA: ssl encryption

For more info:

Hope this helps.



Cisco Employee

Re: Disabling Weak Ciphers

On the ASA you also have a FIPS compliance command, "fips enable", that will enforce FIPS compliance.

For the router, note the "auto-secure" feature that locks the router down.

I hope it helps.


Community Member



I have a Cisco ASA 5525-X. I need help to resolve the cases below for hardening:

1. SSH Weak Cipher Used: how can I use 3DES or AES here?

2. SSL Weak Cipher Used: how do I remove RC4-SHA1 in the SSL settings?


Hall of Fame Super Silver

For ssh, use the "ssh cipher encryption" command in config mode. 

Note that your ssh client software (and any management programs that use ssh to log into the ASA) need to support strong ciphers.

For ssl, use the "ssl cipher encryption" command.

Note that setting strong ciphers for SSL will require you to download the Java Cryptographic Extensions (JCE) and keep them in your Java security folder across Java upgrades to be able to use ASDM to manage ASAs thus secured.

Example for ssh:

asa# show ssh ciphers
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
all: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
low: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
medium: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
fips: aes128-cbc aes256-cbc
high: aes256-cbc aes256-ctr
Integrity Algorithms:
all: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
low: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
medium: hmac-sha1 hmac-sha1-96
fips: hmac-sha1
high: hmac-sha1
asa(config)# ssh cipher encryption ?
configure mode commands/options:
all Specify all ciphers
custom Choose a custom cipher encryption configuration string.
fips Specify only FIPS-compliant ciphers
high Specify only high-strength ciphers
low Specify low, medium, and high strength ciphers
medium Specify medium and high strength ciphers (default)
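
The "show ssh ciphers" output above is worth reading closely: the default "medium" level still permits 3des-cbc and every CBC-mode suite, and even "high" keeps aes256-cbc, so a scanner finding for "SSH weak cipher" does not clear by staying on the default. The script below is an added example, not code from the thread or from Cisco; it parses that output (embedded verbatim as a constructed sample) and shows which algorithms survive at each level and what a "custom" list would have to contain. The scanner policy (flag 3DES, CBC mode, MD5 and truncated MACs) and the colon-separated "custom" string format are assumptions; confirm the latter with "ssh cipher encryption custom ?" on your own ASA.

```python
"""Classify what each ASA 'ssh cipher' level actually allows.

Added example, not from the thread. Parses the 'show ssh ciphers' output
quoted in the answer (embedded below as a constructed sample) and flags the
algorithms a vulnerability scanner typically reports as weak.
"""

# Constructed sample: the 'show ssh ciphers' output from the answer above.
SHOW_SSH_CIPHERS = """\
Available SSH Encryption and Integrity Algorithms
Encryption Algorithms:
all: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
low: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
medium: 3des-cbc aes128-cbc aes192-cbc aes256-cbc aes128-ctr aes192-ctr aes256-ctr
fips: aes128-cbc aes256-cbc
high: aes256-cbc aes256-ctr
Integrity Algorithms:
all: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
low: hmac-sha1 hmac-sha1-96 hmac-md5 hmac-md5-96
medium: hmac-sha1 hmac-sha1-96
fips: hmac-sha1
high: hmac-sha1
"""

# Assumed scanner policy: why a given algorithm gets flagged. The ASA does
# not report this; it is the kind of rule an audit tool applies.
WEAK_REASONS = {
    "3des-cbc": "3DES (64-bit block cipher)",
    "hmac-md5": "MD5-based MAC",
    "hmac-md5-96": "MD5-based, truncated MAC",
    "hmac-sha1-96": "truncated MAC",
}


def parse_show_ssh_ciphers(text):
    """Return {'encryption': {level: [algs]}, 'integrity': {level: [algs]}}."""
    levels = {"encryption": {}, "integrity": {}}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Encryption Algorithms"):
            section = "encryption"
        elif line.startswith("Integrity Algorithms"):
            section = "integrity"
        elif section and ":" in line:
            level, algs = line.split(":", 1)
            levels[section][level.strip()] = algs.split()
    return levels


def is_weak(alg):
    """Return the reason an algorithm would be flagged, or None if it passes."""
    if alg in WEAK_REASONS:
        return WEAK_REASONS[alg]
    if alg.endswith("-cbc"):
        return "CBC mode"
    return None


def weak_algorithms(levels, kind, level):
    """Algorithms still enabled at 'level' that the assumed policy flags."""
    return {alg: is_weak(alg) for alg in levels[kind][level] if is_weak(alg)}


def custom_cipher_command(levels, kind, level):
    """Build the 'custom' form keeping only the non-flagged algorithms of 'level'.

    Assumption: ASA accepts a colon-separated list, e.g.
    ssh cipher encryption custom "aes128-ctr:aes256-ctr".
    """
    keep = [alg for alg in levels[kind][level] if not is_weak(alg)]
    joined = ":".join(keep)
    return f'ssh cipher {kind} custom "{joined}"'


if __name__ == "__main__":
    levels = parse_show_ssh_ciphers(SHOW_SSH_CIPHERS)
    for lvl in ("medium", "high", "fips"):
        print(f"encryption/{lvl} still allows: {weak_algorithms(levels, 'encryption', lvl)}")
        print(f"integrity/{lvl} still allows: {weak_algorithms(levels, 'integrity', lvl)}")
    print(custom_cipher_command(levels, "encryption", "all"))
    print(custom_cipher_command(levels, "integrity", "all"))
```

Run it and the point of the answer's caveat becomes concrete: the only way to end up with CTR-only encryption and an untruncated SHA-1 MAC on this image is the "custom" form, and once you apply it every SSH client and management tool that talks to the ASA must support exactly those algorithms or it will be locked out.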

Community Member

I have a C2960 switch.


IOS - c2960s-universalk9-mz.122-55.SE10

1.HTTP Basic Authentication Enabled (http-basic-auth-clear text)


2.TLS/SSL Server Supports Weak Cipher Algorithms (ssl-weak-ciphers)


3.Untrusted TLS/SSL server X.509 certificate (tls-untrusted-ca)

How can I fix these? Please advise.


Hall of Fame Super Silver

If you are not using the http server then just disable it:

no ip http server
no ip http secure-server

If you must use it (such as is required in order to use Cisco Network Assistant) and want to eliminate those audit flags then you have to address the issues one by one:

1. Don't use the ip http server since it can only use unsecured (clear text) authentication.

2. Create a new strong private key for your server to use in an SSL certificate. I wrote a post about 4 years ago that outlines how to do this:

Then restrict your http secure-server to a more secure cipher suite as shown here:

If you need to go with a suite stronger than 3DES (like AES) then you would have to upgrade to a newer IOS in the 15.1(2) or later range.

3. Get a certificate for the switch by creating a Certificate Signing Request and submitting it to a trusted public CA. (I have never seen anybody do this for a switch in my many years of securing networks.)

Or instead of all of the above you could simply undertake to implement a compensating control like an access-list to restrict http/https access to a small set of trusted computers like a management subnet.
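
As an added example (not from the thread, and not Cisco's own tooling), the script below puts the answer's steps side by side with the configuration that triggers the three findings, and audits both. It also covers the "ip http secure-ciphersuite" command mentioned in the first answer. Both configs are constructed samples: the weak one resembles a switch with the plain and secure servers both on, client-certificate auth accidentally enabled, and no cipher restriction; the hardened one applies the answer's steps to a 12.2(55)SE image, where 3des-ede-cbc-sha is the strongest suite "ip http secure-ciphersuite" offers (the AES suites need the newer IOS the answer mentions). The management subnet 192.0.2.0/24, ACL number 10, the suite names and the set treated as weak are assumptions; the audit treats an access-class as the compensating control the answer describes for the certificate finding.

```python
"""Audit a Cisco IOS running-config for the web-server findings in the thread.

Added example, not from the thread. Configs are constructed samples; suite
names, ACL number and management subnet are assumptions.
"""

# Constructed: the switch roughly as the poster's scanner saw it.
WEAK_CONFIG = """\
hostname sw-access-01
ip http server
ip http secure-server
ip http secure-client-auth
ip http authentication local
"""

# Constructed: the answer's steps applied on a 12.2(55)SE image.
HARDENED_CONFIG = """\
hostname sw-access-01
access-list 10 remark management hosts allowed to reach the web UI
access-list 10 permit 192.0.2.0 0.0.0.255
no ip http server
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http authentication local
ip http access-class 10
"""

# Assumed: suites a scanner reports as weak on this image (RC4 and single DES).
WEAK_SUITES = {"rc4-128-md5", "rc4-128-sha", "des-cbc-sha"}


def config_lines(config):
    """Strip blank lines and '!' comment separators; keep exact command text."""
    return [ln.strip() for ln in config.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def audit_http(config):
    """Return {finding_id: explanation} for the HTTP/HTTPS server state."""
    lines = config_lines(config)
    findings = {}

    # 1. Plain HTTP: Basic auth sends the password in clear text.
    if "ip http server" in lines:  # exact match, so 'no ip http server' does not count
        findings["http-basic-auth-clear text"] = (
            "plain HTTP server enabled; its Basic authentication is sent in clear text")

    https_on = "ip http secure-server" in lines

    # 2. Cipher suites: with no secure-ciphersuite line the server offers
    #    every suite the image has, RC4 and DES included.
    suites = [ln.split()[3:] for ln in lines
              if ln.startswith("ip http secure-ciphersuite ")]
    if https_on and not suites:
        findings["ssl-weak-ciphers"] = (
            "ip http secure-server enabled without ip http secure-ciphersuite")
    elif https_on:
        bad = WEAK_SUITES.intersection(suites[0])
        if bad:
            findings["ssl-weak-ciphers"] = f"secure-ciphersuite still lists {sorted(bad)}"

    # Client-certificate auth: a browser without one is simply refused,
    # which is the 'This page can't be displayed' symptom later in the thread.
    if "ip http secure-client-auth" in lines:
        findings["client-cert-required"] = (
            "ip http secure-client-auth requires a client certificate from every browser")

    # 3. Certificate trust: without an enrolled trustpoint the switch uses its
    #    self-signed certificate. Treat a management ACL as the compensating
    #    control the answer describes; otherwise report the finding.
    has_trustpoint = any(ln.startswith("ip http secure-trustpoint ") for ln in lines)
    acl_refs = [ln.split()[3] for ln in lines if ln.startswith("ip http access-class ")]
    if https_on and not has_trustpoint and not acl_refs:
        findings["tls-untrusted-ca"] = (
            "self-signed certificate and the web UI is reachable from any source; "
            "enroll a CA-signed certificate or add ip http access-class")

    # Numbered standard ACLs only (12.2 syntax): flag a reference with no entries.
    for acl in acl_refs:
        if not any(ln.startswith(f"access-list {acl} permit") for ln in lines):
            findings["access-class-undefined"] = (
                f"ip http access-class {acl} references an ACL with no permit entries here")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"--- {name} ---")
        for fid, why in audit_http(cfg).items():
            print(f"{fid}: {why}")
```

Note what the hardened sample does and does not do: it clears the cipher and clear-text findings outright, but it only neutralises the certificate finding by limiting who can reach the server at all, which is exactly the trade the answer offers when a CA-signed certificate for a switch is not worth the effort.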

Community Member

I did all of that, but I cannot log in to the switch via HTTPS.

ip http secure-server enabled

From IE 11

This page can’t be displayed

Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to ; again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.

Change settings


Hall of Fame Super Silver

Can you share the running configuration?

Community Member

Please find the attachment.

Hall of Fame Super Silver

You have the command:

ip http secure-client-auth

That requires a client-side certificate to securely authenticate to the server (i.e., your switch). Please remove that command and try again. 

Community Member

Yes, correct, but after that I tried to log in and got:

Certificate Error: Navigation Blocked

Hall of Fame Super Silver

Since the certificate is self-signed by the switch, you need to have it in your trusted certificate store for IE to navigate to it. 

Easiest is to just use Firefox and tell it to add an exception for the site. 

While in Firefox you can also download the certificate. Then add it to your trusted root CA store in Windows. After you have done that you can re-launch IE and it should open fine. 
