Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results forĀ 
Search instead forĀ 
Did you mean:Ā 
cancel
Start a conversation
3225
Views
5
Helpful
7
Replies

Disabling TLS v1.1 at sw - (2)

Go to solution
Leftz
Level 4
Level 4

ā€Ž02-20-2023 08:01 AM

Hi 

This post is following the below link. The question is after changing TLS version, the security vulnerability report is same as before, meaning the change did not remediate the issue. Even if the http and https were disabled, the issue is still existing. The report message is posted as below. Anyone has some suggestions? Thank you very much. 

 

https://community.cisco.com/t5/network-access-control/disabling-tls-v1-1-at-sw/td-p/4774454

----------------------------------------------------------------

172.16.10.10                                     IP            Ubuntu/Linux    host scanned, found vuln              38794    Secure Sockets Layer/Transport Layer Security (SSL/TLS) Server Supports Transport Layer Security (TLSv1.1)          Active   Vuln       3                443         tcp                          over ssl 44770.46245       44920.88127       29                                           Deprecating TLS 1.0 and TLS 1.1                          0              2.6 (AV:N/AC:H/Au:N/C:P/I:N/A:N)          2.2 (E:U/RL:U/RC:C)        Asset Group: Network Devices - US Network Devices - Austin, Collateral Damage Potential:  None, Target Distribution: None, Confidentiality Requirement: , Integrity Requirement: , Availability Requirement:               3.4          3.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N)               3.4 (E:U/RL:U/RC:C)        "Disable the use of TLSv1.1 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.

The following openssl commands can be used to do a manual test:

openssl s_client -connect ip:port -tls1_1

 

If the test is successful, then the target support TLSv1.1"                TLSv1.1 is supported#    no                                           General remote services                               25           338         5

 

 

0 Helpful
3 Accepted Solutions

Accepted Solutions

Go to solution
Rob Ingram
VIP
VIP

ā€Ž02-20-2023 09:47 AM - edited ā€Ž02-20-2023 09:50 AM

@Leftz if you http and https is disabled and you run openssl to test, then you should get Connection refused.

rob@ubuntu-1:~$ openssl s_client -connect 192.168.10.2:443 -tls1_2
140579900519744:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140579900519744:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

rob@ubuntu-1:~$ openssl s_client -connect 192.168.10.2:443 -tls1_1
139857395860800:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
139857395860800:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

Can you confirm http is definately disabled

no ip http server
no ip http secure-server

Run "show run | inc tls" and confirm only TLS 1.2 is configured.

C3850(config)#do show run | inc tls
ip http tls-version TLSv1.2

You can confirm what the TLS version the switch configured to use using NMAP, as below

rob@ubuntu-1:~$ nmap -sV --script ssl-enum-ciphers -p 443 <ip address>
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-20 17:26 UTC
Nmap scan report for 192.168.10.2
Host is up (0.0032s latency).

PORT STATE SERVICE VERSION
443/tcp open ssl/http nginx
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 4096) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Weak certificate signature: SHA1
|_ least strength: A

 

View solution in original post

Go to solution
Rob Ingram
VIP
VIP
In response to Leftz

ā€Ž02-21-2023 11:53 AM

@Leftz no i do not believe there is a cisco command.

The configuration certainly seems to confirm neither http/https is enabled and only TLS1.2 is configured, this mirrored my switch when I run the above tests to replicate your scenario.

You can run both openssl and nmap on windows if you don't have linux to run your own tests. Then get your vulnerability scanner to re-run the test again.

View solution in original post

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Leftz

ā€Ž02-23-2023 08:04 AM

@Leftz if disabled, I'd say the device will not be exploitable

View solution in original post

0 Helpful
7 Replies 7

Go to solution
Rob Ingram
VIP
VIP

ā€Ž02-20-2023 09:47 AM - edited ā€Ž02-20-2023 09:50 AM

@Leftz if you http and https is disabled and you run openssl to test, then you should get Connection refused.

rob@ubuntu-1:~$ openssl s_client -connect 192.168.10.2:443 -tls1_2
140579900519744:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
140579900519744:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

rob@ubuntu-1:~$ openssl s_client -connect 192.168.10.2:443 -tls1_1
139857395860800:error:0200206F:system library:connect:Connection refused:../crypto/bio/b_sock2.c:110:
139857395860800:error:2008A067:BIO routines:BIO_connect:connect error:../crypto/bio/b_sock2.c:111:
connect:errno=111

Can you confirm http is definately disabled

no ip http server
no ip http secure-server

Run "show run | inc tls" and confirm only TLS 1.2 is configured.

C3850(config)#do show run | inc tls
ip http tls-version TLSv1.2

You can confirm what the TLS version the switch configured to use using NMAP, as below

rob@ubuntu-1:~$ nmap -sV --script ssl-enum-ciphers -p 443 <ip address>
Starting Nmap 7.80 ( https://nmap.org ) at 2023-02-20 17:26 UTC
Nmap scan report for 192.168.10.2
Host is up (0.0032s latency).

PORT STATE SERVICE VERSION
443/tcp open ssl/http nginx
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 4096) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (dh 4096) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 4096) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 4096) - A
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| compressors:
| NULL
| cipher preference: server
| warnings:
| Weak certificate signature: SHA1
|_ least strength: A

 

Go to solution
Leftz
Level 4
Level 4

ā€Ž02-21-2023 09:14 AM - edited ā€Ž02-21-2023 09:26 AM

@Rob Ingram Thank you very much for your reply.

command "openssl s_client -connect 192.168.10.2:443 -tls1_2" can not be run at router or switch. we are going to add Linux to run it.  Is there a similar cisco command to run for this purpose? 

I can only run the below two commands at this moment. 

ESW#show run | in tls
ip http tls-version TLSv1.2
ip http client tls-version TLSv1.2

ESW#sh run | in http
no ip http server
ip http authentication local
no ip http secure-server
ip http tls-version TLSv1.2
ip http client tls-version TLSv1.2
destination transport-method http

 

 

 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Leftz

ā€Ž02-21-2023 11:53 AM

@Leftz no i do not believe there is a cisco command.

The configuration certainly seems to confirm neither http/https is enabled and only TLS1.2 is configured, this mirrored my switch when I run the above tests to replicate your scenario.

You can run both openssl and nmap on windows if you don't have linux to run your own tests. Then get your vulnerability scanner to re-run the test again.

0 Helpful

Go to solution
Leftz
Level 4
Level 4

ā€Ž02-22-2023 07:12 AM - edited ā€Ž02-22-2023 07:13 AM

Run command show ip socket on this sw. but looks like it cannot show something useful. because I cannot find some difference between before and after closing 80 or 443 by command no ip http server or no ip http secure-server

 

ESW#show ip sockets
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 0.0.0.0 0 172.16.10.10 2228 0 0 211 0
17 10.1.9.43 55775 172.16.10.10 161 0 0 2001001 0
17 --listen-- 172.16.10.10 162 0 0 2001011 0
17 --listen-- 172.16.10.10 52585 0 0 2001011 0
17(v6) --listen-- --any-- 161 0 0 2020001 0
17(v6) --listen-- --any-- 162 0 0 2020011 0
17(v6) --listen-- --any-- 52448 0 0 2020001 0

0 Helpful

Go to solution
Leftz
Level 4
Level 4

ā€Ž02-23-2023 06:48 AM

@Rob Ingram you are right. One question: the vulnerability issue in this case is due to TLS lower version 1.0 and 1.1. If the lower version of TLS is still enabled, but http and https are disabled, does this vulnerability issue still exist theoretically ? 

0 Helpful

Go to solution
Rob Ingram
VIP
VIP
In response to Leftz

ā€Ž02-23-2023 08:04 AM

@Leftz if disabled, I'd say the device will not be exploitable

0 Helpful

Go to solution
Leftz
Level 4
Level 4

ā€Ž02-24-2023 12:45 PM

Thank you!

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card