ssh weak cipher and TLS1.0 ,TLS1.1

umar7 · ‎2022-12-15

HI team,

The management server is still responding on weak ciphers and depreciated TLS ver 1 & 1.1

Plugin	Plugin Name	Family	Severity	Protocol	Port	Exploit?	Repository	Plugin Output	Synopsis
157288	TLS Version 1.1 Protocol Deprecated	Service detection	Medium	TCP	443	No	Individual Scan	Plugin Output: TLSv1.1 is enabled and the server supports at least one cipher.	The remote service encrypts traffic using an older version of TLS.
153953	SSH Weak Key Exchange Algorithms Enabled	Misc.	Low	TCP	22	No	Individual Scan	Plugin Output: The following weak key exchange algorithms are enabled : diffie-hellman-group1-sha1	The remote SSH server is configured to allow weak key exchange algorithms.
104743	TLS Version 1.0 Protocol Detection	Service detection	Medium	TCP	443	No	Individual Scan	Plugin Output: TLSv1 is enabled and the server supports at least one cipher.	The remote service encrypts traffic using an older version of TLS.

As suggested, we updated the ssl.conf file content as mentioned in the SK article sk147272:

Sshd config file content changed as per sk106031

can i get how can remediate this ?

the modification done by SMS and SG also and still its shows like this.

may i know am i did any wrong ?what is the next plan of action

Chris_Atkinson · ‎2022-12-15

Which version/JHF of Management is used here?

Where the processes restarted after per the instructions?

umar7 · ‎2022-12-15

gaia os R80.40 take 125

Chris_Atkinson · ‎2022-12-15

Just to confirm this is a distributed deployment with separate SG / SMS...

How is the following currently set?

(Ignore if management)

umar7 · ‎2022-12-16

hello chris

yes, we have set this value as TLS 1.2 and did install database

Chris_Atkinson · ‎2022-12-16

Can you please share the output of:

"show configuration ssl tls"

umar7 · ‎2022-12-18

Chris_Atkinson · ‎2022-12-18

That looks like a Gateway, not the Management - which has the issue?

umar7 · ‎2022-12-18

hello chris ,

this is management i just chenged the hostname .

the_rock · ‎2022-12-19

I think thats default output...I tested in R80.40, R81.10 and R81.20, same thing.

_Val_ · ‎2022-12-19

Silly question, but did you actually reboot the device after all changes?

umar7 · ‎2022-12-19

no that is in production network. we have to gone thru lot of permission to reboot the device . but we have tried to restart the ssh and httpd2 service after modifications done on the sms . is there any possible way to resolve the vulnerability

Chris_Atkinson · ‎2022-12-19

The SK provides the instructions, if those aren't working when followed fully (including reboot) please contact/consult TAC.

umar7 · ‎2022-12-19

thank you for your reply

_Val_ · ‎2022-12-20

Rebooting the management server does not affect production operations, other than a very short availability of the management server itself. I am pretty sure, if you open a TAC request, they will ask for that anyway.

umar7 · ‎2022-12-20

hello val,

thanks for the update.i have created the case with TAC already.

i will try to do the reboot device .

the_rock · ‎2022-12-20

Dont bother rebooting, its never needed for this. All you do is enable/disable the cipher you want, save config, thats it.

ssh weak cipher and TLS1.0 ,TLS1.1

The CPInfo Utility

DA / CPUSE bug?

Time to talk about the SmartConsole application

Smart-1 High-Availability Clarifications

Executing CPM doctor script

Are you a member of CheckMates?

ssh weak cipher and TLS1.0 ,TLS1.1

The CPInfo Utility

DA / CPUSE bug?

Time to talk about the SmartConsole application

Smart-1 High-Availability Clarifications

Executing CPM doctor script