We are currently running AOS version 18.02.03.00.E on a NetVanta 1300 Series access router. Is there a way to disable all weak ciphers when allowing HTTPS access to the internal web server/GUI? The device allows for DES 56-bit key (DES-CBC-SHA) which is now considered to be insecure.
Yes, you can disable it using the http secure-ciphersuite commands.
E.g.:
BT_900E(config)#do sho run ver | inc cipher
http secure-ciphersuite dhe-rsa-aes256-sha
http secure-ciphersuite aes256-sha
http secure-ciphersuite edh-rsa-des-cbc3-sha
http secure-ciphersuite des-cbc3-sha
http secure-ciphersuite des-cbc3-md5
http secure-ciphersuite dhe-rsa-aes128-sha
http secure-ciphersuite aes128-sha
http secure-ciphersuite rc4-sha
http secure-ciphersuite rc4-md5
http secure-ciphersuite edh-rsa-des-cbc-sha
http secure-ciphersuite des-cbc-sha
http secure-ciphersuite des-cbc-md5
BT_900E(config)#no http secure-ciphersuite des-cbc-sha
BT_900E(config)#
Hope this helps,
Brett
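To extend the approach in the answer above from one suite to the whole default list, here is an added Python example (not from the thread or from ADTRAN) that parses the "show run verbose | include cipher" output quoted above, flags the single-DES, 3DES, RC4 and MD5-based suites, and emits the matching "no http secure-ciphersuite" commands; the weakness rules and the sample input are my assumptions, not AOS documentation.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the default AOS HTTPS cipher-suite list as it appeared
# in the "do sho run ver | inc cipher" output earlier in this thread.
SAMPLE_SHOW_RUN = """\
http secure-ciphersuite dhe-rsa-aes256-sha
http secure-ciphersuite aes256-sha
http secure-ciphersuite edh-rsa-des-cbc3-sha
http secure-ciphersuite des-cbc3-sha
http secure-ciphersuite des-cbc3-md5
http secure-ciphersuite dhe-rsa-aes128-sha
http secure-ciphersuite aes128-sha
http secure-ciphersuite rc4-sha
http secure-ciphersuite rc4-md5
http secure-ciphersuite edh-rsa-des-cbc-sha
http secure-ciphersuite des-cbc-sha
http secure-ciphersuite des-cbc-md5
"""

# Assumed weakness rules, matched against the AOS suite name; first match wins.
WEAK_RULES = (
    (re.compile(r"(^|-)des-cbc-(sha|md5)$"), "single DES (56-bit key)"),
    (re.compile(r"des-cbc3"), "3DES (64-bit block)"),
    (re.compile(r"rc4"), "RC4 stream cipher"),
    (re.compile(r"-md5$"), "MD5 MAC"),
)

def parse_ciphersuites(show_run: str) -> List[str]:
    """Return suite names from 'http secure-ciphersuite <name>' lines, in order."""
    return re.findall(r"^\s*http secure-ciphersuite (\S+)", show_run, re.M)

def classify(suite: str) -> Optional[str]:
    """Return the reason a suite is weak, or None if no rule matches."""
    for pattern, reason in WEAK_RULES:
        if pattern.search(suite):
            return reason
    return None

def audit(show_run: str) -> Dict[str, Optional[str]]:
    """Map every configured suite to its weakness reason (None = acceptable)."""
    return {suite: classify(suite) for suite in parse_ciphersuites(show_run)}

def remediation_commands(show_run: str) -> List[str]:
    """AOS config-mode commands that remove each weak suite."""
    return [f"no http secure-ciphersuite {s}" for s, r in audit(show_run).items() if r]

def kept_ciphersuites(show_run: str) -> List[str]:
    """Suites that remain enabled after the remediation commands are applied."""
    return [s for s, r in audit(show_run).items() if r is None]
```

Paste the generated commands into config mode on the device, then re-run the show command to confirm only the kept suites remain.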
I went ahead and flagged this post as “Assumed Answered.” If any of the responses on this thread assisted you, please mark them as either Correct or Helpful answers with the applicable buttons. This will make them visible and help other members of the community find solutions more easily. If you still need assistance, I would be more than happy to continue working with you on this - just let me know in a reply.
Levi
I went ahead and flagged the "Correct Answer" on this post to make it more visible and help other members of the community find solutions more easily. If you don't feel like the answer I marked was correct, feel free to come back to this post and unmark it and select another in its place with the applicable buttons. If you still need assistance, we would be more than happy to continue working with you on this - just let us know in a reply.
Thanks,
Levi