Sweet32 Mitigation
(2020-01-20)
Prior to 9.3(2):
Cisco Bug Search
Problem
CVE-2016-2183 (Sweet32)on ASA.Solution
For 9.3(2) and higher:# conf t (config)# ssl cipher tlsv1 fips (config)# ssl cipher tlsv1.1 fips (config)# ssl cipher tlsv1.2 fips (config)# exit
# conf t (config)# ssl encryption aes128-sha1 aes256-sha1 dhe-aes256-sha1 dhe-aes128-sha1 (config)# exit
Source
Cisco Bug Search
Commentary
Amusingly, this leaves some of the the even less-well-protected DES ciphers enabled.
no comments |
post comment
| snipsnap-index | Cisco | dave | 2021 |
| Cisco |
Virtual Dave Megaplex:
- Home Page
- This wiki's start page
- Send Feedback To Dave
Logged in Users: (0)
Recently Changed
nmap- Seconds Since Epoch to Local Time
- Link Monitor
- DH group to OAKLEY_GROUP table
- Fire Eater
- start
- FortiClient Error Codes
- Scan For Newly Added Disk
- dhparams Generation
- SSL Certificate Bundles
- ufw
- Grow A LVM Partition
- Creating Users
- whoami
- list databases
- DH Selection For IPsec VPNs
- 2023
- 2022
- 2019
- 2018
- 2017
- 2011
- 2010
- 2008
- 2001
- 2000
- 1999
- 1991
- Custom '77 Dodge Van
- Bone Shaker
Editing: snipsnap-help, Image Macro(Et auditum est, et idcirco ego nunc simulare)
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.