Cisco Prime Infrastucture vulnerability SSL RC4 Cipher Suites Supported

Similar Messages

• Weak cipher suites supported on WCS port 8082

  Hi
  Port 8082 is used for health monitoring in WCS, a web service is running on this port so we can login via web and check the status.
  I would like to know, is there a way to limit the cipher suite supported on this port? For port 443, this can be done by modify the Apache configuration file, however this doesn't work for 8082. The version is 5.2.148.0.
  Thanks and Regars,
  Leo

  Hi ,
  "SSL RC4 Cipher Suites Supported" has been documented in bug CSCum03709. 
  CSCum03709    PI 2.0.0.0.294 with SSH vulnerabilities
  Presently, there is no workaround for this vulnerability, however, the fix will be implemented in
  Prime Infrastructure 2.2.which is planned to be released around the end of this year ( tentative)
  Thanks-
  Afroz
  ***Ratings Encourages Contributors ***

• SSL Medium Strength Cipher Suites Supported vulnerability

  Kind of an odd thing.  We just had a vulnerability scan and a 2960 got pinged for supporting medium strength SSL cipher suites.  I say strange cause I have 3 others that have the same IOS image and they didn't get pinged.  Swap out the management IP address and they are all the same.  They are all running 12.2(52)SE C2960-LANBASEK9-M, with a 768 bit keys.  Here is the text of the vulnerability :
  Synopsis : The remote service supports the use of medium strength SSL ciphers. Description : The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits.
  Reconfigure the affected application if possible to avoid use of medium strength ciphers. / CVSS Base Score : 5.0 (CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N) Plugin output : Here are the medium strength SSL ciphers supported by the remote server : Medium Strength Ciphers (>= 56-bit and < 112-bit key) SSLv3 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 TLSv1 EDH-RSA-DES-CBC-SHA Kx=DH Au=RSA Enc=DES(56) Mac=SHA1 DES-CBC-SHA Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1 The fields above are : {OpenSSL ciphername} Kx={key exchange} Au={authentication} Enc={symmetric encryption method} Mac={message authentication code} {export flag}
  Can someone point me in the right direction on how to re-configure the switch to pass this test?
  Thanks
  Poirot

  I believe the alert there is because you are using a 768 key which was broken recently (Jan 2010 a paper was published on it with results from efforts that took 4 years to break 768 keys). 768bit RSA keys is not considered secure enough any more.
  I would suggest you to configure keys of 1024 on these switches and try again.
  I hope it helps.
  PK

• Cisco Prime 2.0 SSL configuration

  Hi,
  I can create an SSL cert and send it to a CA for signing and then combine the resultant cert with the root and import to the WLC to make sure that https browsing of the WLC doesn't throw up an cert errors.
  Some might say this is cosmetic but I like it.
  Anyway we have installed Prime but the process seems different.
  I read through the cisco docs but cant seem to get my head around the process.
  Can any one guide me, Janet and John style?

  Which doc did you read? This one seems pretty straight forward
  http://www.cisco.com/c/en/us/td/docs/wireless/prime_infrastructure/1-2/configuration/guide/pi_12_cg/csr.html#wp1042823
  HTH,
  Steve

• CISCO PRIME INFRASTUCTURE 1.2_instalacion de Compliance y Assurance en un mismo Appliance.

  Gente,
  Alguno pudo instalar en el mismo Appicance los módulos de Prime Infrastructure 1.2 Compliance y Assurance??? Hay una guia de instalacion?
  Gracias,
  Marcelo.

  Spanish
  Aquí hay un enlace a la Guía de Instalación Primer Gerente de Aseguramiento
  http://www.cisco.com/en/US/products/ps12349/tsd_products_support_install_and_upgrade.html
  Google es todo lo que tienes que hacer ...
  English
  Here's a link to Prime Assurance Manager Installation Guide
  http://www.cisco.com/en/US/products/ps12349/tsd_products_support_install_and_upgrade.html
  Google it is all you've gotta do...

• Cisco Prime Infrastructure 2.1 ESXi 5.5 support?

  We are currently in a deployment of CPI 2.1 with a current ESXi 5.5 infrastructure.  I cannot find any related documentation on the compatibility of this support.  We also have ACS 5.5 to build on this as well.
  Has anyone had any success building either of these two virtual appliances on ESXi 5.5?

  Thanks guys,
  I have had a response from the BU.
  Here’s the quick and dirty (and not so good) – PI 2.2 is being tested with ESXi v5.5 and will officially be supported.  According to the BU, there are no plans to test or support any earlier release with ESXi v5.5.
  Also the current plan is to have ACS 5.6 be supported on ESXi v5.5.
  ESXi 5.5 won’t be supported until PI 2.2, due out in November 2014.  Until then, there are no workarounds.  Some customers have installed the latest release (v2.1) on ESXi 5.5, but they run the risk of not getting supported should they encounter any issues with their instance. 

• WSMAN CredSSP TLS 1.2 support and cipher suites

  Hi all,
  The protocol document [MS-CSSP] explains the first base64 encoded token send in the authenticate from the client to the server is a TLS Client Hello. The response is a ServerHello.
  The diagram in section 4 'Protocol Examples' of the document indicates the ServerHello has a cipher suite of TLS_RSA_WITH_RC_128_SHA. The TLS version and cipher suites are not mentioned anywhere else in the document.
  So lets take a look a network packet capture of a CredSSP authentication between a winrm.exe client and a Windows 2008 R2 server. I have base64 decoded the contents of the CredSSP Authorization headers,
  The ClientHello bytes (without the extensions) send by my client are:
  16 03 01 00 6B 01 00 00  67 03 01 54 DB 64 77 22 
  A2 1C A3 23 93 61 3B 00  1B DE 1C 6D 42 34 94 8D 
  1D 44 2C 64 8B 42 AC 41  B4 E2 DE 00 00 14 00 2F 
  00 35 00 0A C0 13 C0 14  C0 09 C0 0A 00 32 00 38 
  00 13 01 00 00 2A FF 01  00 01 00 00 00 00 11 00 
  0F 00 00 0C
  Decoding this we can see that this is TLS 1.0 {03, 01}, taking a look at the ciphers we have:
  TLS_RSA_WITH_AES_128_CBC_SHA 0x00 0x2F
  TLS_RSA_WITH_AES_256_CBC_SHA 0x00 0x35
  TLS_RSA_WITH_3DES_EDE_CBC_SHA 0x00,0x0A
  TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC0,0x13
  TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC0,0x14
  TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC0,0x09
  TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC0,0x0A
  TLS_DHE_DSS_WITH_AES_128_CBC_SHA 0x00,0x32
  TLS_DHE_DSS_WITH_AES_256_CBC_SHA 0x00,0x38
  TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA 0x00,0x13
  Now lets look at the ServerHello (without the extensions)
  16 03 01 02 3C 02 00 00  4D 03 01 54 DB 64 78 73 
  92 C6 86 A3 F8 FF 3D D4  36 77 C0 FC 80 61 3F 4D 
  8C BC 60 CD BC 4D B1 1C  4A CF 0A 20 DA 14 00 00 
  38 11 DB C9 1C D0 8C 76  E7 A0 B9 F7 A5 D4 94 DF 
  8B 83 38 B3 FF EB AA 65  EB 23 03 0A 00 2F 00 00 
  05 FF 01 00 01 00 0B 00  01 E3 00 01 E0 00 01 DD 
  30 82 01 D9 30 82 01 42  A0 03 02 01 02 02 10 44 
  56 23 69 44 ED 93 85 43  DF B8 DF E3 75 DC A7 30 
  0D 06 09 2A 86 48 86 F7  0D 01 01 05 05 00 30 2B 
  31 29 30 27 06 03 55 04  03 13 20 
  The server responds with TLS 1.0 and selected cipher (0x00 0x2F)
  TLS_RSA_WITH_AES_128_CBC_SHA
  Based on this I created a WSMan CredSSP client using Python and OpenSSL and configured it to use TLS 1.2. I found the Windows server always responded with TLS 1.0. So, I configured my OpenSSL client for TLS 1.0 and set the cipherlist to AES128-SHA (like winrs.exe).
  The CredSSP TLS handshake completes, but the first ASN.1 encoded TSRequest token (containing an NTLM negotiate token) is rejected. However, if my openssl cipherlist is set to RC4, the TSRequest token is accepted and authentication is successful.
  This raises several questions:
  1. Despite sending a TLS 1.2 ClientHello the WSMan CredSSP Server always responded with TLS 1.0 ServerHello. A number of security experts consider this version effectivly broken. Does CredSSP support TLS 1.2?
  2. I can authenticate with CredSSP using openssl 'RC4' cipher suites - but not with AES128-SHA suites. Are suites besides RC4 supported (winrs.exe appears to use AES).
  Thanks
  Ian

  Forum Update:
  I can now answer my 2nd question. The reason CredSSP is rejecting my TSRequest token when using AES128-SHA is because this ciphersuite is using CBC.
  Some years ago OpenSSL added empty fragments to SSLv3 and TLS 1.0 packets to address a potential security vulnerability. These empty fragments are not compatible with Microsofts SChannel implementation so Windows is unable to decrypt the data. OpenSSL added
  a compatibility flag SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS (0x00000800L) that must be set in the openssl client's context options to address this issue with Microsofts implementation. Once I set this option my python openssl client successfully authenticated
  with a Windows 2012 R2 server using ECDHE-RSA-AES256-SHA - much better.
  Question 1 is still unanswered. Is TLS 1.2 with CredSSP supported?

• Supported Cipher  suites.

  Hi All,
  I am successfully communicating with the server using HTTPS with HttpsConnection from my J2ME Midlet. I am using APACHE as HTTP Server. However, the best cipher suite negutiated between the device and the server used by HTTPS was DES-CBC3-SHA. As you can see, it uses DES, which is not quite as secure as AES.However despite a lot of effort, i am just not able to get it to use an AES cipher suite. Is AES part of any supported cipher suite by MIDP? If not, can anyone tell me how i can enumeration the cipher suites supported on the MIDLet?
  Thanks in advance
  Edited by: AUTOMATON on Sep 14, 2007 3:38 AM

  @superena,
  Thanks for the links, but they actually dont give me the info I need. What I want to do is to find out how many SSL cipher suites are supported by J2ME. I mean if there is a list somewhere, of if i can write a program that can enumerate them for me..

• Upgrade Cisco Prime Infrastructure 2.1.1 to 2.2

  Hi,
  I would like to know how to
  1. Upgrade Cisco Prime Infrastucture 2.1.1 to 2.2 procedure
  2. How to backup existing config and data
  Thanks in advance
  - nazir

  Hi Nazir,
  Refer the below link  for the upgrade from the exiting version ::
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-2/quickstart/guide/cpi_qsg.html#pgfId-113783
  Follow the same steps :
  Step :Backup  on 2.1  
  Step 2: Restore  2.2
  Backup and Restore::
  Backup command::
  PIServer/admin# backup MyBackupFileName repository MyRepo application NCS
  Check the below link for
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-1/administrator/guide/PIAdminBook/backup_restore.html#pgfId-1080733
  Step ::
  Once Backup is completed , you need to Restore the backup to the Newly Buid PI 2.2 server::
  Restore command:
  PIServer/admin# restore filename repository repositoryName application NCS
  Check the below link:
  http://www.cisco.com/c/en/us/td/docs/net_mgmt/prime/infrastructure/2-1/administrator/guide/PIAdminBook/backup_restore.html#99810
  Thanks-
  Afroz
  ***Ratings Encourages Contributors ****

• Cisco Prime Infra 2.2 + Third Party Inventory and configuration backup

  Hi All,
   I am having a doubt related to Cisco prime solution capability to do a discovery and config backup for non-cisco devices. 
  Requirement is to use Cisco prime to do a discovery, inventory and take configuration backup for non-cisco devices. Is it something possible out of the box ?
  If not possible out of the box, is there any method to do that using any custom API ?
  Can we monitor 3rd party( Non-cisco) devices using Cisco Prime 2.2 ?
  Skr

  Hi,
  Below is supported-device list, check if your device is listed there.
  http://www.cisco.com/c/en/us/support/cloud-systems-management/prime-infrastructure/products-device-support-tables-list.html
  - Ashok
  Please rate the post or mark as correct answer as it will help others looking for similar information

• How can I control the list of cipher suites offered in the SSL Client Hello message? I want to forbid MD5 and RC4.

  How can I control the list of cipher suites offered in the SSL Client Hello message?
  I want to limit my browser to negotiating strong cipher suites. I'd like to forbid DES, MD5 and RC4.

  Set the related SSL3 prefs to false on the about:config page (Filter: security.ssl3.).
  *http://kb.mozillazine.org/about:config

• Setting cipher suites for ssl sockets

  Hi
  While setting cipher suites for ssl serversocket and socket, there may be lot of stream ciphers and block ciphers in the list. (also there may or may not be anonymous cipher suites).
  How does the ssl socket decide which cipher suite to use?
  Sorry for this newbie question.
  Thank you.

  Have you read the JSSE Reference Guide? It has a really good description of how the SSL handshake works. Part of the "Client Hello" step includes sending all the cipher-suites the client has enabled. The server picks the "best" of that set, that the server also supports, and sends it back as part of the "Server Hello". Both sides switch to that set.
  Now, what "best" means isn't defined. I'm not sure what criteria the server uses to determine that. Maybe someone else reading the thread can chime in.
  Grant

• How to locate and configure SSL cipher suites

  hi all,
  i wanted to knw how Ciphersuites that are used in SSL Connections are picked up by the JVM or whoever is responsible for establishing the connection at lower level. I mean there are methods in SSLSocketFactory, HttpsURLConnection named getEnabledCipherSuites(). I was just wondering where these default cipher suites are picked up. Is there any configuration file or some setting where we can add our own cipher suite to the list?
  Please advice.
  Thanks in advance :)
  Arun

  hi,
  As already we have discussed this, we can set the ciphersuite used in the SSLConnection using SSLSocket.setEnabledCIpherSuite() function only. And getSupportedCipherSuites() function returns the list of cipher suites that are supported by the connection.
  But i want to set ciphersuite in SSLConnection using HttpsURLConnection. Under this class (HttpsURLConnection) there is no such method where u can specify the ciphersuite.
  So i am trying to find out when an SSL connection is setup from where does the JVM loads the cipher suites? I checked the All the basic classes in javax.net.ssl package and all contain the methods as abstract. So if anybody has any idea regarding where these supported cipher suites are located in jdk please let me knw.
  Thanks in advance :)
  Arun

• Install wildcard SSL on Cisco Prime Infrastructure 1.4

  I'm trying to install a wildcard SSL on a Cisco Prime Infrastrucure 1.4.
  I've manage to install this certificate on the Cisco 5508 WLC, however not so much success with the Cisco Prime.
  There are alot of documentation regarding the installtion of CSR certificates however I could not find anything related to wildcard or public key certificates from Cisco.
  I did find the following from a NetBoyers, I've tried this process however this seems to apply for NCS versions prior to 1.4 as it was unsuccessful
  Any assistance would be creatly appreciated.

  I was able to follow the procedure in the Admin Guide to successfully import and use a CA-issued wildcard certificate (from GoDaddy) with unencrypted private key where the original CSR was not generated by the Prime Infrastructure server.
  Prime needs to be defined with a record in your DNS serving the domain in the wildcard certificate. In my case I am using both an A record and cname alias.
  Following a server restart the wildcard certificate appears fine in Chrome, Firefox and IE when I browse to https://prime.<my_customer's_domain>.
  Below are the commands I used. You would need to have your own certificate and keyfile. My certificate includes the full chain - server certificate, intermediate certificate and root certificate in that order.
  PI01/admin# copy ftp://192.168.254.7/privatekeyplaintext.pem disk:
  Username: admin
  Password:
  PI01/admin# copy ftp://192.168.254.7/gd_bundle-g2-g1.crt disk:
  Username: admin
  Password:
  PI01/admin#
  PI01/admin# root
  Enter root password : 
  Starting root bash shell ... 
  ade # pwd
  /root
  ade #
  ade # cd ..
  ade #
  ade # cd localdisk
  ade # ls -al
  total 68
  drwxr-xr-x 8 root root 4096 Nov 2 09:51 .
  drwxr-xr-x 28 root root 4096 Oct 28 11:22 ..
  lrwxrwxrwx 1 root root 20 Jul 14 13:11 crash -> /opt/CSCOlumos/crash
  drwxr-xr-x 2 root root 4096 Jul 15 23:31 defaultRepo
  drwxr-xr-x 2 root root 4096 Jul 14 13:10 ftp
  -rw-rw-rw- 1 root gadmin 6710 Nov 2 09:51 gd_bundle-g2-g1.crt
  drwx------ 2 root root 16384 Apr 17 2014 lost+found
  -rw-rw-rw- 1 root gadmin 1679 Nov 2 09:50 privatekeyplaintext.pem
  drwxr-xr-x 2 root root 4096 Jul 14 13:10 ssh
  drwxr-xr-x 2 root root 4096 Jul 14 13:10 telnet
  drwxr-xr-x 2 root root 12288 Nov 2 09:57 tftp
  ade #
  ade # mv ./gd_bundle-g2-g1.crt ./defaultRepo
  ade # mv ./privatekeyplaintext.pem ./defaultRepo
  ade #
  ade # exit
  exit
  PI01/admin# show repository defaultRepo
  PI01-140715-0330.tar.gpg
  PI01-140716-0330.tar.gpg
  gd_bundle-g2-g1.crt
  privatekeyplaintext.pem
  PI01/admin#
  PI01/admin# ncs key importcacert wildcardcert gd_bundle-g2-g1.crt repository defaultRepo
  INFO: no staging url defined, using local space. rval:2
  truststore used is /opt/CSCOlumos/conf/truststore
  The NCS server is running
  Changes will take affect on the next server restart
  Importing certificate to trust store
  PI01/admin#
  PI01/admin# ncs key importkey privatekeyplaintext.pem gd_bundle-g2-g1.crt repository defaultRepo
  INFO: no staging url defined, using local space. rval:2
  INFO: no staging url defined, using local space. rval:2
  truststore used is /opt/CSCOlumos/conf/truststore
  The NCS server is running
  Changes will take affect on the next server restart
  Importing RSA key and matching certificate
  PI01/admin#
  PI01/admin# ncs stop
  Stopping Network Control System...
  This may take a few minutes...
  Network Control System successfully shutdown.
  Plug and Play Gateway is being shut down..... Please wait!!!
  Stop of Plug and Play Gateway Completed!!
  SAM daemon process id does not exist
  DA daemon process id does not exist
  DA syslog daemon process id does not exist
  PI01/admin# ncs start
  Starting Network Control System...
  This may take a few minutes...
  Network Control System started successfully.
  PI01/admin#

• How to add a Cipher Suite using RSA 1024 algorithm to the 'SSL Cipher Suite Order' GPO

  Following a VA test the Default Domain GPO has been set to enable the SSL Cipher Suite Order.  Following the change Symantec Endpoint Protection Manager doesn't work properly as the the Home, Monitors and Reports pages are blank and an Schannel error is
  logged in the SEPM server's event log.
  I have spoken to Symantec and I have been told that we need to allow the RSA 1024 bit algorithm but they can't tell me which cipher suite this would be.  I have looked in the GPO setting and can't see an RSA 1024 suite but have found some in this article:
  http://tools.ietf.org/html/draft-ietf-tls-56-bit-ciphersuites-01
  I want to know how to add an additional cipher suite into the setting safely.  Am I able to just add the suite into the GPO setting (eg TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA) or do I need to do anything else beforehand?
  If anyone has any advice regarding this or cipher suite orders and troubleshooting SSL problems it would be much appreciated,
  Thanks
  Chris

  Hi Chris,
  Based on my research, RSA_EXPORT1024_DES_CBC_SHA is a previous cipher suite, which is supported, you can enable it use
  SSL Cipher Suite Order policy setting under Administrative Templates\Network\SSL Configuration Settings.
  More information for you:
  TLS/SSL Cryptographic Enhancements
  http://technet.microsoft.com/en-us/library/cc766285(v=WS.10).aspx
  Best Regards,
  Amy