When an HTTPS session is established, the client and server negotiate the security settings for authentication, encryption and MAC. These sets of settings, known as cipher suites, are fully listed at https://www.openssl.org/docs/manmaster/man1/ciphers.html. Some of them use 3DES. It is considered proven that 3DES ciphers are vulnerable to the SWEET32 attack (https://sweet32.info). If you want to avoid negotiating 3DES cipher suites, you can:
1. Use a client that does not negotiate 3DES
2. Disable 3DES cipher suites on the server side
When an admin connects to the ArubaOS-Switches GUI from a browser, the switch acts as an HTTPS server. To disable 3DES cipher suites on ArubaOS-Switches, the following commands can be used:
tls application all lowest-version tls1.2 disable-cipher des3-cbc-sha
tls application all lowest-version tls1.2 disable-cipher ecdh-ecdsa-des-cbc3-sha
tls application all lowest-version tls1.2 disable-cipher ecdh-rsa-des-cbc3-sha
tls application all lowest-version tls1.2 disable-cipher ecdhe-ecdsa-des-cbc3-sha
tls application all lowest-version tls1.2 disable-cipher ecdhe-rsa-des-cbc3-sha
Below is what you get before applying the commands:
##############
C:\Program Files (x86)\Nmap>nmap --script ssl-cert,ssl-enum-ciphers -p 443 172.16.0.253
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-09 15:28 Russia TZ 2 Standard Time
Nmap scan report for 172.16.0.253
Host is up (0.00s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=ARUBATEST/countryName=RU
| Issuer: commonName=ARUBATEST/countryName=RU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 1990-01-01T02:05:23
| Not valid after: 1991-01-01T23:59:59
| MD5: 4a9c 08c3 0cd3 e029 36e1 5493 0ea6 ac6b
|_SHA-1: d5fb 554e c3d6 8ec0 0a25 6d7f 8371 f326 df7d a49d
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| compressors:
| NULL
| cipher preference: server
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)
############
Note the warning: "64-bit block cipher 3DES vulnerable to SWEET32 attack"
And a pair of 3DES cipher suites:
TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
Here is what you get after the commands are applied:
############
C:\Program Files (x86)\Nmap>nmap --script ssl-cert,ssl-enum-ciphers -p 443 172.16.0.253
Starting Nmap 7.70 ( https://nmap.org ) at 2018-11-09 15:32 Russia TZ 2 Standard Time
Nmap scan report for 172.16.0.253
Host is up (0.00s latency).
PORT STATE SERVICE
443/tcp open https
| ssl-cert: Subject: commonName=ARUBATEST/countryName=RU
| Issuer: commonName=ARUBATEST/countryName=RU
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 1990-01-01T02:05:23
| Not valid after: 1991-01-01T23:59:59
| MD5: 4a9c 08c3 0cd3 e029 36e1 5493 0ea6 ac6b
|_SHA-1: d5fb 554e c3d6 8ec0 0a25 6d7f 8371 f326 df7d a49d
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_256_GCM_SHA384 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_GCM_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (secp256r1) - A
| TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
| compressors:
| NULL
| cipher preference: server
|_ least strength: A
MAC Address: xx:xx:xx:xx:xx:xx (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 58.86 seconds
##############
Note the absence of the warning and of any 3DES cipher suites.
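
The before/after comparison of the two scans above can be scripted. The following is an added example, not part of the original article: it parses saved ssl-enum-ciphers output and reports any 64-bit block cipher suites, the SWEET32 warning and the least-strength grade. The function name audit and the shortened sample outputs are constructed for illustration.

```python
import re

# Name fragments that identify 64-bit block ciphers (the SWEET32 class).
BLOCK64 = ("3DES", "_DES_", "IDEA", "RC2")
PROTO_RE = re.compile(r"^\|[\s_]*((?:SSLv|TLSv)[\d.]+):\s*$")
SUITE_RE = re.compile(r"^\|[\s_]*(\w+_WITH_\w+)\s+\([^)]*\)\s+-\s+([A-F])\s*$")
LEAST_RE = re.compile(r"least strength:\s*([A-F])")


def audit(nmap_text):
    """Summarise ssl-enum-ciphers output: 64-bit suites, warning, grade."""
    result = {"weak": [], "sweet32_warning": False, "least_strength": None}
    proto = None
    for line in nmap_text.splitlines():
        if m := PROTO_RE.match(line):
            proto = m.group(1)  # remember which protocol the suites belong to
        elif m := SUITE_RE.match(line):
            if any(tag in m.group(1) for tag in BLOCK64):
                result["weak"].append((proto, m.group(1), m.group(2)))
        elif "SWEET32" in line:
            result["sweet32_warning"] = True
        elif m := LEAST_RE.search(line):
            result["least_strength"] = m.group(1)
    return result


# Constructed samples: shortened excerpts in the shape of the two scans above.
BEFORE = """\
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
| TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
| TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
| warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
|_ least strength: C
"""
AFTER = """\
| ssl-enum-ciphers:
| TLSv1.2:
| ciphers:
| TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|_ least strength: A
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(text))
```

An empty weak list with no warning flag is the state to expect once the disable-cipher commands are in place; the check also catches single-DES, IDEA and RC2 suites, which share the 64-bit block size.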