[c-nsp] ASR1000 IOS Version
Mack McBride
mack.mcbride at viawest.com
Thu Feb 19 11:11:38 EST 2015
Personally we don't use the web interface at all.
Frankly, SSL v3.0 is about the same security as http.
Learning to use the command line via ssh is not that hard.
Mack McBride | Network Architect | ViaWest, Inc.
O: 720.891.2502 | mack.mcbride at viawest.com | www.viawest.com | LinkedIn | Twitter | YouTube
-----Original Message-----
From: Lukas Tribus [mailto:luky-37 at hotmail.com]
Sent: Wednesday, February 18, 2015 5:47 PM
To: Gert Doering; Mack McBride
Cc: cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] ASR1000 IOS Version
> On Wed, Feb 18, 2015 at 09:15:51PM +0000, Mack McBride wrote:
> This is probably the correct action.
> Disable the insecure protocol and force people to use command line
> until they upgrade.
Disabling all crypto protocols in the code without providing alternatives and forcing people to do use HTTP instead of HTTPS doesn't seem neither correct nor secure to me. Its not like TLS support is in that branch, thats the point.
What they should have done is not wait until 15.4 to implement TLS. Now still, in very recent code there is only TLSv1.0 support, no TLSv1.1, no 1.2, missing all the recent cipher suites.
So how long till we have to deprecate TLSv1.0 for an urgent security matter and we will have the very same issue all over again?
TLSv1.0 was defined in the late 90's and OpenSSL introduced support for it shortly afterwards. So it took them 15 years to implement TLSv1.0, thats not particularly impressive (from standard definition to a M or S release).
*TLSv1.0 is already in deprecation phase in 2014* [1], so how long will it last? Probably not until Cisco merges TLSv1.1/2 support (at it makes its way into a usable release).
Clearly, there is no BU responsible for the SSL code, a part from PSIRT.
> (I could care less about https, nobody uses that anyway on IOS,
> right?)
I do, I use it to push the configs from the box (at every "write mem") to a central HTTPS server that tracks those configs in a git repository.
I understand thats a pretty specific use case, but I had hoped that VPNSSL would be a strong enough driver to not let the SSL stack rot in the code for decades.
> force people to use command line until they upgrade.
This is not about the configuring the router through HTTPS instead of SSH. Its about VPNSSL, its about the HTTPS filesystem and the features relying on the internal SSL stack for operation that are now completely broken, in a maintenance IOS branch without any notes or warning in the release notes.
But no, this was clearly not intended. They just cherry-picked this CVE-fix and applied it to the old branches without thinking (and without testing, of course).
-lukas
[1] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r1.pdf
This message contains information that may be confidential, privileged or otherwise protected by law from disclosure. It is intended for the exclusive use of the addressee(s). Unless you are the addressee or authorized agent of the addressee, you may not review, copy, distribute or disclose to anyone the message or any information contained within. If you have received this message in error, please contact the sender by electronic reply and immediately delete all copies of the message.
More information about the cisco-nsp
mailing list