topic Re: TLS Version 1.1 Protocol Deprecated in Network Security

TLS Version 1.1 Protocol Deprecated

taro75 — Thu, 08 Jun 2023 08:04:59 GMT

I am using Cisco Firepower 2110 with firmware 7.0.5-72 and the SSL 1.1 is in use.

How can I disable SSL 1.1 ?

Description
The remote service accepts connections encrypted using TLS 1.1. TLS 1.1 lacks support for current and recommended cipher suites. Ciphers that support encryption before MAC computation, and authenticated encryption modes such as GCM cannot be used with TLS 1.1

As of March 31, 2020, Endpoints that are not enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.
Solution
Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.

Re: TLS Version 1.1 Protocol Deprecated

Rob Ingram — Thu, 08 Jun 2023 08:24:15 GMT

@taro75 how are you managing the Firepower 2110, FDM or FMC? FDM is useless in regard to tweaking useful settings. You can define the TLS versions and encryption ciphers to use for remote access VPN connections in FDM. Previously, you needed to use the Firepower Threat Defense API to configure SSL settings.

Added in 7.0 - Objects > SSL Ciphers; Device > System Settings > SSL Settings.

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/features.html

Just unselect the protocols you no longer require.

Re: TLS Version 1.1 Protocol Deprecated

MHM Cisco World — Thu, 08 Jun 2023 08:18:47 GMT

how you mgmt FMC or FDM ?

Re: TLS Version 1.1 Protocol Deprecated

taro75 — Thu, 08 Jun 2023 08:23:06 GMT

I am using FDM and I can see the following SSL ciphers. I cannot edit the default SSL Cipher. I need to remove SSL 1.0 & 1.1

CiscoRecommendedCipher TLSv1.2 High
DefaultSSLCipher TLSv1.1, DTLSv1.0, DTLSv1.2, TLSv1.0, TLSv1.2 Medium

Re: TLS Version 1.1 Protocol Deprecated

Rob Ingram — Thu, 08 Jun 2023 08:25:09 GMT

You can create a custom cipher list (as per the example above) and use that.

Re: TLS Version 1.1 Protocol Deprecated

MHM Cisco World — Thu, 08 Jun 2023 15:58:58 GMT

Check below

Re: TLS Version 1.1 Protocol Deprecated

taro75 — Thu, 08 Jun 2023 11:01:19 GMT

I have defined SSL Cipher -> Selected DTLSv1.2, TLSv1.2 & selected it under SSL settings. Performed a VA scan from nessus still the vulnerability of TLS 1.1 is shown. Please advise.

> show running-config all ssl
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 medium
ssl dh-group group14
ssl ecdh-group group19
ssl certificate-authentication fca-timeout 2

Re: TLS Version 1.1 Protocol Deprecated

MHM Cisco World — Thu, 08 Jun 2023 15:59:46 GMT

Check below

Re: TLS Version 1.1 Protocol Deprecated

taro75 — Thu, 08 Jun 2023 11:14:01 GMT

I am using FDM not FMC. I cannot edit the default, so defined as shown below and selected the same under SSL Settings. Still there is no luck 1.1 is still enabled

Re: TLS Version 1.1 Protocol Deprecated

MHM Cisco World — Thu, 08 Jun 2023 16:00:15 GMT

Check below

Re: TLS Version 1.1 Protocol Deprecated

Marvin Rhoads — Thu, 08 Jun 2023 16:03:12 GMT

Are you scanning the management IP or an interface with SSL VPN setup? As noted in @Rob Ingram 's post, the SSL settings only apply to SSL VPN.

Changing the SSL settings for the management interface is not supported by Cisco. It can be done with a "hack" from the expert mode cli, but it's not anything Cisco endorses.

See this post and the linked post in it: https://community.cisco.com/t5/vpn/how-to-disable-tls-v1-0-v1-1-on-ftd-using-the-fdm-or-cli/m-p/4843044#M289359

Re: TLS Version 1.1 Protocol Deprecated

MHM Cisco World — Thu, 08 Jun 2023 15:58:23 GMT

https://quickview.cloudapps.cisco.com/quickview/bug/CSCvs23509

This bug and ver. 7.0 fixed it.