0

When configuring a AT-9924T switch running AlliedWare 2.9.2 to serve ssl encryption on the http server as described in the manual like this:

create enco key=0 type=rsa length=2048 set system distinguishedname="cn=switch1,o=my_company,c=us" create pki certificate=cer_name keypair=0 serialnumber=12345 subject="cn=172.30.1.105,o=my_company, c=us" add pki certificate=cer_name location=cer_name.cer trust=yes set http server security=on sslkey=0 port=443

It only allows two low-security ciphers which are not supported by any modern browsers (firefox,chrome,ie) anymore. The only browser I found which still does support them is IE6, which is not really an option.

 Supported Server Cipher(s): Accepted SSLv3 56 bits DES-CBC-SHA Accepted SSLv3 40 bits EXP-DES-CBC-SHA

How can I configure the http server so it allows better ciphers which are supported by modern browsers?

Improve this question

1 Answer 1

Reset to default
1

The manual you linked to says, in part:

A 3DES feature licence is required to use 3DES encryption.

So you can pay for this and get 168-bit 3DES. That's probably about all you can do, but it really only would buy you a little time.

With a switch of this age, there probably isn't much else you can do. Keep in mind, also, that there have been many attacks on SSL/TLS in the past few years, and this switch apparently can't be brought up to date for any of them.

If it were me, I'd leave the web interface turned off, and put the switch on my list of things to be replaced.

Improve this answer
4
  • Thanks for your answer. The same problem applies to SSH access as well, so just turning the web interface off doesn't really solve the problem. (Even though it probably is easier to make a ssh client to use such a old cipher then it is with a browser..) I was just wondering if there was a way without having to pay $$ again, as the switch still regularely receives updates (last on 10-Jul-2013). Maybe someone has a clue :-) Commented Aug 10, 2013 at 12:37
  • Funny, they didn't show me any updates. Must be something with their web site. Anyway, I think you're making the argument for replacing the switch for me. :) Commented Aug 10, 2013 at 13:05
  • You need to have an account for the "restricted downloads" section to download these updates. As we are pretty happy with these switches and there is no budget for new ones atm, they probably won't get replaced anytime soon. If I could, I would definitely buy some shiny new ones ;-) Commented Aug 10, 2013 at 16:29
  • Well, since you seem to have some level of vendor support, you really should be yelling at them very loudly. Commented Aug 10, 2013 at 16:40

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.