
SSH - How to Disable CBC Mode Cipher Encryption and Enable CTR or GCM Cipher Mode Encryption on ADTRAN Router?

BSBSupport asked
Hi,

We have an ADTRAN Router that needs the config changed to do the following:

- Disable CBC Mode Cipher Encryption and Enable CTR or GCM Cipher Mode Encryption on ADTRAN Router

I need to know the steps on how to do this as I'm not familiar with the commands and everything, and saving too.

I'm able to log into the router with the console cable successfully but other than that not familiar with the commands to get the job done.

Thanks

Top Expert 2015

Commented:
To change dropbear SSH ciphers you must recompile the router firmware.
Christopher Jay Wolff, Wiggle My Legs, Owner

Commented:
Hey folks.  Not too sure about recompiling.


I guess the TLS Profile is created and configured using the tls-Profile command from the Global Configuration mode which is described on page 4643 of the AOS manual.  Do you have an AOS manual?  I got one from Adtran support and it is hyperlinked to make its 5039 pages pretty helpful.

https://supportforums.adtran.com/docs/DOC-2011

It shows:


[Image: AOS manual information on configuring TLS Profile.]
While reading about TLS Profiles on page 4643, click the link to "secure cyphersuite..." and the secure cypher suites supported are listed as:

[Image: AOS supported cypher suites.]
Am I way off here or is this helpful?  It shows support for GCM in the list so maybe you only have to reconfigure your TLS profile.  Does this work?
Christopher Jay Wolff, Wiggle My Legs, Owner

Commented:
Also, I read somewhere to use the "show" command to view your current TLS profile and see what cypher suites you are set to use.
Top Expert 2015

Commented:
SSH has nothing to do with TLS.

Author

Commented:
Hi,

Please refer to the following link on a similar situation:

http://www.experts-exchange.com/OS/Linux/Q_28595830.html

Is this similar to what has to be done for me?

If so please explain in detail what commands I would have to type in to accomplish this.

Thanks
Top Expert 2015

Commented:
I feel flattered ;)
Yes, if you use openssh then it will work. Usually embedded firmwares have dropbear, where this config parameter is a compile-time option.
Telnet to the ssh port to check. If it says dropbear you are at a loss.
Decided to upgrade the firmware to the current version and it resolved all issues.

Author

Commented:
Worked with Tech Support and they recommended to upgrade the firmware which would resolve all issues.
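
The check suggested in the thread (read what the SSH port announces) can be taken one step further to confirm whether CBC ciphers are still offered before and after a firmware upgrade. The following is an added example, not code from the thread or from ADTRAN: it parses the SSH identification banner and the server's unencrypted SSH_MSG_KEXINIT packet (RFC 4253) and lists any CBC-mode ciphers. The function names are hypothetical, and the banner and packet are constructed sample data, not captured from a device.

```python
import struct

# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def server_software(banner: str) -> str:
    """Return the software field of an 'SSH-2.0-<software> [comment]' banner."""
    parts = banner.strip().split("-", 2)
    if len(parts) != 3 or parts[0] != "SSH":
        raise ValueError("not an SSH identification string")
    return parts[2].split(" ", 1)[0]

def parse_kexinit(packet: bytes) -> dict:
    """Parse one unencrypted SSH binary packet carrying SSH_MSG_KEXINIT."""
    if len(packet) < 5:
        raise ValueError("short packet")
    length, pad = struct.unpack(">IB", packet[:5])
    payload = packet[5:4 + length - pad]
    if len(packet) < 4 + length or len(payload) < 17 or payload[0] != 20:
        raise ValueError("truncated packet or not SSH_MSG_KEXINIT")
    pos, lists = 17, {}          # skip message type byte + 16-byte cookie
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list")
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list")
        lists[name] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    return lists

def cbc_offered(lists: dict) -> list:
    """CBC-mode ciphers the server offers in either direction."""
    return sorted({c for k in ("enc_c2s", "enc_s2c") for c in lists[k]
                   if "-cbc" in c})

def build_sample() -> bytes:
    """Constructed KEXINIT packet for the demo (not captured from a device)."""
    vals = ["curve25519-sha256", "ssh-rsa", "aes128-ctr,aes128-cbc,3des-cbc",
            "aes128-ctr,aes128-cbc,3des-cbc", "hmac-sha2-256", "hmac-sha2-256",
            "none", "none", "", ""]
    body = b"\x14" + bytes(16) + b"".join(
        struct.pack(">I", len(v)) + v.encode() for v in vals) + bytes(5)
    pad = 4 + (-(len(body) + 9)) % 8   # at least 4 bytes, total multiple of 8
    return struct.pack(">IB", len(body) + pad + 1, pad) + body + bytes(pad)

if __name__ == "__main__":
    print(server_software("SSH-2.0-dropbear_2014.63\r\n"),
          cbc_offered(parse_kexinit(build_sample())))
```

Against a real device, the banner line and the first binary packet read from the SSH port after sending your own identification string are the inputs to these two functions; an empty result from `cbc_offered` means no CBC cipher is being advertised.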