TLS v1.2 on Catalyst Switches

I need to update a bunch of catalyst switches from TLSv1.1 to TLSv1.2. Also need to disable older ciphers. Has anyone implemented this before?

Please share the steps as I can't seem to find anything documentation online for this.

Thank you.
EKITAAsked:
Who is Participating?
 
btanExec ConsultantCommented:
old cisco compliance document but share the TLS 1.2 Capable Products (and replacement candidate)
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone/ssl-tls-vulnerability-response.pdf
.. and recommended TLS and cipher suite, as mentioned by expert to use "ip http secure-ciphersuite" in which the latter can specify the CipherSuites (encryption algorithms) to be used for encryption over the HTTPS connection.
https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html#15

Use the ip http secure-ciphersuite command with the context sensitive help i.e., the ?, and it will tell you which ciphers are supported on the IOS version you have. Simply include only those ciphers you want to run as options to the command and those left out is disabled. Or you should also be able to see which ciphers are supported with the show ip http server secure status command. Example:
c1kv-1(config)#ip http secure-ciphersuite ?
  3des-ede-cbc-sha  Encryption type ssl_rsa_with_3des_ede_cbc_sha ciphersuite
  des-cbc-sha            Encryption type ssl_rsa_with_des_cbc_sha ciphersuite
  rc4-128-md5          Encryption type ssl_rsa_with_rc4_128_md5 ciphersuite
  rc4-128-sha           Encryption type ssl_rsa_with_rc4_128_sha ciphersuite

c1kv-1(config)#ip http secure-ciphersuite 3des-ede-cbc-sha
c1kv-1(config)#end
c1kv-1#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
For TLS 1.2 list of cipher suite, can take guidance from this
Use 3072-bit certificates with cipher suites that include TLS_RSA_.

Use 3072-bit DH or 256-bit or 384-bit ECDH and ECDSA with cipher suites that include:
TLS_DH_
TLS_ECDH_
TLS_ECDH_ECDSA or TLS_RSA_ECDSA

Configure the negotiated TLS cipher suites to include AES-128 or AES-256 GCM as the encryption algorithms and SHA-256 or SHA-384 for the hashes. The negotiated cipher suites should include:
WITH_AES_128_GCM_SHA256 or WITH_AES_256_GCM_SHA384
WITH_AES_256_GCM_SHA256 or WITH_AES_256_GCM_SHA384

Reference "Configuring Secure Socket Layer HTTP"https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01010.pdf
0
 
ArneLoviusCommented:
Not all Cisco devices support TLS 1.2, what model are you running, and what IOS level ?

To set the cipher suites

ip http secure-ciphersuite

Open in new window


https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/command/nm-https-cr-book/nm-https-cr-cl-sh.html#wp3059595868
0
 
EKITAAuthor Commented:
ArneLovius,

running a mixed environment of 3560s/3650s & 2960x.
0
Choose an Exciting Career in Cybersecurity

Help prevent cyber-threats and provide solutions to safeguard our global digital economy. Earn your MS in Cybersecurity. WGU’s MSCSIA degree program was designed in collaboration with national intelligence organizations and IT industry leaders.

 
ArneLoviusCommented:
tab completion after  "ip http secure-ciphersuite" should show you what is available, if they only start with SSL, then they don;t have TLS
0
 
EKITAAuthor Commented:
Here is what I have:

3des-ede-cbc-sha     Encryption type tls_rsa_with_3des_ede_cbc_sha ciphersuite
  aes-128-cbc-sha      Encryption type tls_rsa_with_aes_cbc_128_sha ciphersuite
  aes-256-cbc-sha      Encryption type tls_rsa_with_aes_cbc_256_sha ciphersuite
  des-cbc-sha          Encryption type tls_rsa_with_des_cbc_sha ciphersuite
  dhe-aes-128-cbc-sha  Encryption type tls_dhe_rsa_with_aes_128_cbc_sha ciphersuite
  dhe-aes-256-cbc-sha  Encryption type tls_dhe_rsa_with_aes_256_cbc_sha ciphersuite
  rc4-128-md5          Encryption type tls_rsa_with_rc4_128_md5 ciphersuite
  rc4-128-sha          Encryption type tls_rsa_with_rc4_128_sha ciphersuite


was planning to add this:

ip http secure-ciphersuite  dhe-aes-256-cbc-sha

don't see any option for AES_128_GCM_SHA256 or WITH_AES_256_GCM_SHA384 or WITH_AES_256_GCM_SHA256 or WITH_AES_256_GCM_SHA384
0
 
btanExec ConsultantCommented:
The switch iOS does not support sha2. The sha-2 support (as part of Suite B) wasn't introduced until release of 15.1(2)T for the software crypto engine. You may have to check further the device support.
0
 
EKITAAuthor Commented:
the switch is running  15.0.2-SE11 and which happens to be the latest software for this switch model
0
 
btanExec ConsultantCommented:
0
 
EKITAAuthor Commented:
Thanks. What about 3650s & 2960s? They are not listed. does that mean they don't support TLS1.2 also.

What is the best options if all models listed don't support TLS? Disable http & https with:

no ip http server
no ip http secure-server
0
 
btanExec ConsultantCommented:
The best way is still to list out the cipher to see if they support TLS1.2 as discussed in previous post. If you are not using the http server then just disable it. You see suggestion too. As a whole it is the cipher that is weak,on top of the other hardening, hence best is to enable only the most secure cipher possibly supported. Do your testing too.  
https://supportforums.cisco.com/t5/other-security-subjects/disabling-weak-ciphers/m-p/1538734/highlight/true#M136646
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.