SSH - How to Disable CBC Mode Cipher Encryption and Enable CTR or GCM Cipher Mode Encryption on ADTRAN Router?


We have an ADTRAN Router that needs the config changed to do the following:

- Disable CBC Mode Cipher Encryption and Enable CTR or GCM Cipher Mode Encryption on ADTRAN Router

I need to know the steps on how to do this as I'm not familiar with the commands and everything and saving too.

I'm able to log into the router with the console cable successfully, but other than that I'm not familiar with the commands to get the job done.


To change dropbear SSH ciphers you must recompile the router firmware.
Christopher Jay Wolff (Wiggle My Legs, Owner) commented:
Hey folks.  Not too sure about recompiling.

I guess the TLS Profile is created and configured using the tls-Profile command from the Global Configuration mode which is described on page 4643 of the AOS manual.  Do you have an AOS manual?  I got one from Adtran support and it is hyperlinked to make its 5039 pages pretty helpful.

It shows:

[Image: AOS manual information on configuring TLS Profile.]

While reading about TLS Profiles on page 4643, click the link to "secure cyphersuite..." and the secure cypher suites supported are listed as:

[Image: AOS supported cypher suites.]

Am I way off here or is this helpful?  It shows support for GCM in the list so maybe you only have to reconfigure your TLS profile.  Does this work?
Christopher Jay Wolff (Wiggle My Legs, Owner) commented:
Also, I read somewhere to use the "show" command to view your current TLS profile and see what cypher suites you are set to use.

SSH has nothing to do with TLS.
BSBSupport (Author) commented:

Please refer to the following link on a similar situation:

Is this similar to what has to be done for me?

If so please explain in detail what commands I would have to type in to accomplish this.

I feel flattered ;)
Yes, if you use openssh then it will work. Usually embedded firmwares have dropbear, where this config parameter is a compile-time option.
Telnet to the ssh port to check. If it says dropbear you are at a loss.
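
The banner check suggested above can be taken one step further when auditing your own device: right after the identification string, an SSH server sends an unencrypted KEXINIT packet listing every cipher it offers. The following is an added example, not code from any participant in this thread. It parses a banner and a KEXINIT packet and reports any CBC ciphers; the banner and packet are constructed sample input, and capturing the bytes from a real device is assumed to happen elsewhere.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in a KEXINIT payload (RFC 4253, section 7.1).
FIELDS = ["kex", "host_key", "enc_c2s", "enc_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]

def server_software(banner: bytes) -> str:
    """Return the software field of an 'SSH-2.0-<software> [comments]' banner."""
    text = banner.decode("ascii", "replace").strip()
    if not text.startswith("SSH-"):
        raise ValueError("not an SSH identification string")
    return text.split("-", 2)[2].split(" ")[0]

def parse_kexinit(packet: bytes) -> dict:
    """Parse one unencrypted SSH binary packet carrying SSH_MSG_KEXINIT."""
    length, pad = struct.unpack(">IB", packet[:5])
    payload = packet[5:4 + length - pad]
    if len(packet) < 4 + length or not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("truncated packet or not KEXINIT")
    pos, out = 17, {}                     # skip type byte + 16-byte cookie
    for name in FIELDS:
        (n,) = struct.unpack(">I", payload[pos:pos + 4])
        names = payload[pos + 4:pos + 4 + n].decode("ascii")
        out[name] = [a for a in names.split(",") if a]
        pos += 4 + n
    return out

def cbc_ciphers(kex: dict) -> list:
    """Ciphers offered in either direction whose name ends in -cbc."""
    return sorted({c for f in ("enc_c2s", "enc_s2c")
                   for c in kex[f] if c.endswith("-cbc")})

def build_sample_packet(ciphers: str) -> bytes:
    """Constructed test input: a KEXINIT packet offering the given ciphers."""
    lists = ["curve25519-sha256", "ssh-rsa", ciphers, ciphers,
             "hmac-sha2-256", "hmac-sha2-256", "none", "none", "", ""]
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    body += b"".join(struct.pack(">I", len(s)) + s.encode() for s in lists)
    body += b"\x00" + bytes(4)            # first_kex_packet_follows, reserved
    pad = 8 - (len(body) + 5) % 8
    pad += 8 if pad < 4 else 0            # RFC 4253 requires >= 4 padding bytes
    return struct.pack(">IB", len(body) + pad + 1, pad) + body + bytes(pad)

if __name__ == "__main__":
    pkt = build_sample_packet("aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc")
    print(server_software(b"SSH-2.0-dropbear_2014.63\r\n"),  # constructed banner
          cbc_ciphers(parse_kexinit(pkt)))
```

An empty result from `cbc_ciphers` after a configuration change or firmware upgrade confirms the server no longer offers CBC modes.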
BSBSupport (Author) commented:
Decided to upgrade the firmware to the current version and it resolved all issues.

BSBSupport (Author) commented:
Worked with Tech Support and they recommended to upgrade the firmware which would resolve all issues.