TLS v1.2 on Catalyst Switches

I need to update a bunch of catalyst switches from TLSv1.1 to TLSv1.2. Also need to disable older ciphers. Has anyone implemented this before?

Please share the steps, as I can't seem to find any documentation online for this.

Thank you.
EKITA Asked:
ArneLovius Commented:
Not all Cisco devices support TLS 1.2. What model are you running, and what IOS level?

To set the cipher suites:

ip http secure-ciphersuite



https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/https/command/nm-https-cr-book/nm-https-cr-cl-sh.html#wp3059595868
0
btan Exec Consultant Commented:
An old Cisco compliance document, but it shares the TLS 1.2 capable products (and replacement candidates):
https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise/design-zone/ssl-tls-vulnerability-response.pdf
... and the recommended TLS and cipher suites. As mentioned by the expert, use "ip http secure-ciphersuite", which specifies the CipherSuites (encryption algorithms) to be used for encryption over the HTTPS connection.
https://www.cisco.com/c/en/us/about/security-center/next-generation-cryptography.html#15

Use the ip http secure-ciphersuite command with the context-sensitive help, i.e. the ?, and it will tell you which ciphers are supported on the IOS version you have. Simply include only those ciphers you want to run as options to the command, and those left out are disabled. You should also be able to see which ciphers are supported with the show ip http server secure status command. Example:
c1kv-1(config)#ip http secure-ciphersuite ?
  3des-ede-cbc-sha  Encryption type ssl_rsa_with_3des_ede_cbc_sha ciphersuite
  des-cbc-sha       Encryption type ssl_rsa_with_des_cbc_sha ciphersuite
  rc4-128-md5       Encryption type ssl_rsa_with_rc4_128_md5 ciphersuite
  rc4-128-sha       Encryption type ssl_rsa_with_rc4_128_sha ciphersuite

c1kv-1(config)#ip http secure-ciphersuite 3des-ede-cbc-sha
c1kv-1(config)#end
c1kv-1#show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint:
HTTP secure server active session modules: ALL
For the TLS 1.2 list of cipher suites, you can take guidance from this:
Use 3072-bit certificates with cipher suites that include TLS_RSA_.

Use 3072-bit DH or 256-bit or 384-bit ECDH and ECDSA with cipher suites that include:
TLS_DH_
TLS_ECDH_
TLS_ECDH_ECDSA or TLS_RSA_ECDSA

Configure the negotiated TLS cipher suites to include AES-128 or AES-256 GCM as the encryption algorithms and SHA-256 or SHA-384 for the hashes. The negotiated cipher suites should include:
WITH_AES_128_GCM_SHA256 or WITH_AES_256_GCM_SHA384
WITH_AES_256_GCM_SHA256 or WITH_AES_256_GCM_SHA384

Reference "Configuring Secure Socket Layer HTTP": https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960x/software/15-0_2_EX/security/configuration_guide/b_sec_152ex_2960-x_cg/b_sec_152ex_2960-x_cg_chapter_01010.pdf
0

EKITA Author Commented:
ArneLovius,

Running a mixed environment of 3560s/3650s & 2960X.
0
ArneLovius Commented:
Tab completion after "ip http secure-ciphersuite" should show you what is available. If they only start with SSL, then they don't have TLS.
0
EKITA Author Commented:
Here is what I have:

  3des-ede-cbc-sha     Encryption type tls_rsa_with_3des_ede_cbc_sha ciphersuite
  aes-128-cbc-sha      Encryption type tls_rsa_with_aes_cbc_128_sha ciphersuite
  aes-256-cbc-sha      Encryption type tls_rsa_with_aes_cbc_256_sha ciphersuite
  des-cbc-sha          Encryption type tls_rsa_with_des_cbc_sha ciphersuite
  dhe-aes-128-cbc-sha  Encryption type tls_dhe_rsa_with_aes_128_cbc_sha ciphersuite
  dhe-aes-256-cbc-sha  Encryption type tls_dhe_rsa_with_aes_256_cbc_sha ciphersuite
  rc4-128-md5          Encryption type tls_rsa_with_rc4_128_md5 ciphersuite
  rc4-128-sha          Encryption type tls_rsa_with_rc4_128_sha ciphersuite


I was planning to add this:

ip http secure-ciphersuite dhe-aes-256-cbc-sha

I don't see any option for AES_128_GCM_SHA256 or WITH_AES_256_GCM_SHA384 or WITH_AES_256_GCM_SHA256 or WITH_AES_256_GCM_SHA384.
0
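The two listings above (btan's instruction to keep only the suites you want, and the asker's actual `?` output) come down to a small decision procedure: parse the help listing, drop anything built on RC4, DES, 3DES or MD5, and order what remains so forward-secrecy suites come first. The script below is an added example, not code from the thread or from Cisco; the cipher listing is a constructed copy of the asker's output, the weak-component list is the example's own policy (the thread itself only says to leave unwanted suites out), and it assumes IOS accepts several suite keywords on one `ip http secure-ciphersuite` line. It also flags an image whose suites are all `ssl_`-prefixed (no TLS, as ArneLovius notes later) and checks the `show ip http server secure status` output against the intended list.

```python
"""Added example (not from the thread): turn the '?' help listing from
'ip http secure-ciphersuite' into a hardening decision, then check the
result of 'show ip http server secure status' against it."""
import re

# Constructed sample: the help output the asker pasted for a 3560 on
# IOS 15.0.2-SE11, reproduced here so the script runs offline.
HELP_OUTPUT = """\
  3des-ede-cbc-sha     Encryption type tls_rsa_with_3des_ede_cbc_sha ciphersuite
  aes-128-cbc-sha      Encryption type tls_rsa_with_aes_cbc_128_sha ciphersuite
  aes-256-cbc-sha      Encryption type tls_rsa_with_aes_cbc_256_sha ciphersuite
  des-cbc-sha          Encryption type tls_rsa_with_des_cbc_sha ciphersuite
  dhe-aes-128-cbc-sha  Encryption type tls_dhe_rsa_with_aes_128_cbc_sha ciphersuite
  dhe-aes-256-cbc-sha  Encryption type tls_dhe_rsa_with_aes_256_cbc_sha ciphersuite
  rc4-128-md5          Encryption type tls_rsa_with_rc4_128_md5 ciphersuite
  rc4-128-sha          Encryption type tls_rsa_with_rc4_128_sha ciphersuite
"""

# One help line: "<cli-keyword>  Encryption type <tls_or_ssl_name> ciphersuite"
LINE_RE = re.compile(r"^\s*(\S+)\s+Encryption type\s+(\S+)\s+ciphersuite\s*$")

# The example's own policy: any of these components disqualifies a suite.
WEAK_COMPONENTS = {
    "rc4": "RC4 stream cipher",
    "des": "single DES (56-bit key)",
    "3des": "3DES 64-bit block (Sweet32)",
    "md5": "MD5 MAC",
    "null": "no encryption",
    "export": "export-grade key length",
}


def parse_help(text):
    """Return [(cli_keyword, suite_name), ...] from the '?' listing."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group(1), m.group(2).lower()))
    return entries


def assess(suite_name):
    """Break a tls_/ssl_ style name into the properties the policy cares about."""
    parts = suite_name.split("_")
    return {
        "tls": suite_name.startswith("tls_"),  # ssl_ prefix = no TLS on this image
        "weak": [why for comp, why in WEAK_COMPONENTS.items() if comp in parts],
        "forward_secrecy": "dhe" in parts or "ecdhe" in parts,
        "aead": "gcm" in parts,
        "sha2": "sha256" in parts or "sha384" in parts,
        "key_bits": 256 if "256" in parts else (128 if "128" in parts else 0),
    }


def choose(entries, require_forward_secrecy=False):
    """Keep the suites with no weak component, strongest first."""
    kept = []
    for keyword, name in entries:
        a = assess(name)
        if not a["tls"] or a["weak"]:
            continue
        if require_forward_secrecy and not a["forward_secrecy"]:
            continue
        kept.append((keyword, a))
    # Prefer forward secrecy, then AEAD, then SHA-2 MACs, then the longer key.
    kept.sort(key=lambda e: (e[1]["forward_secrecy"], e[1]["aead"],
                             e[1]["sha2"], e[1]["key_bits"]), reverse=True)
    return [keyword for keyword, _ in kept]


def build_config(entries, require_forward_secrecy=False):
    """Emit the IOS lines to apply; fall back to disabling the server when
    the image offers nothing acceptable (the option raised later in the thread)."""
    keep = choose(entries, require_forward_secrecy)
    if not keep:
        return ["no ip http server", "no ip http secure-server"]
    # Assumption: IOS accepts several suite keywords on one secure-ciphersuite line.
    return ["ip http secure-ciphersuite " + " ".join(keep)]


def verify_status(show_output, expected):
    """True if 'show ip http server secure status' lists exactly the intended suites."""
    for line in show_output.splitlines():
        if line.startswith("HTTP secure server ciphersuite:"):
            active = line.split(":", 1)[1].split()
            return sorted(active) == sorted(expected)
    return False


if __name__ == "__main__":
    suites = parse_help(HELP_OUTPUT)
    for keyword, name in suites:
        a = assess(name)
        print(f"{keyword:22} {'WEAK: ' + ', '.join(a['weak']) if a['weak'] else 'ok'}")
    print("\n".join(build_config(suites)))
```

On the asker's listing this keeps the four AES-CBC suites, with the two DHE suites first; passing `require_forward_secrecy=True` narrows it to just those two, which matches the asker's own plan of configuring only dhe-aes-256-cbc-sha. None of the suites on this image carry GCM or SHA-2, so the ordering never promotes one on those grounds here; the script only reports what the image offers and cannot add the Suite B ciphers the thread says are missing.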
btan Exec Consultant Commented:
The switch IOS does not support SHA-2. SHA-2 support (as part of Suite B) wasn't introduced until release 15.1(2)T for the software crypto engine. You may have to check the device support further.
0
EKITA Author Commented:
The switch is running 15.0.2-SE11, which happens to be the latest software for this switch model.
0
btan Exec Consultant Commented:
0
EKITA Author Commented:
Thanks. What about 3650s & 2960s? They are not listed. Does that mean they don't support TLS 1.2 also?

What are the best options if all models listed don't support TLS? Disable HTTP & HTTPS with:

no ip http server
no ip http secure-server
0
btan Exec Consultant Commented:
The best way is still to list out the ciphers to see if they support TLS 1.2, as discussed in the previous post. If you are not using the HTTP server, then just disable it. See the suggestion too. As a whole it is the cipher that is weak, on top of the other hardening, hence the best approach is to enable only the most secure ciphers possibly supported. Do your testing too.
https://supportforums.cisco.com/t5/other-security-subjects/disabling-weak-ciphers/m-p/1538734/highlight/true#M136646
0