topic Coupe of ideas: in Network Security

Using ASDM with 'ssl server-version tlsv1-only'

Scott Pickles — Tue, 12 Mar 2019 07:03:56 GMT

If I configure my ASA with the following ASDM does NOT work:

ssl server-version tlsv1-only
ssl client-version tlsv1-only

But if I configure my ASA with the following ASDM DOES work:

ssl server-version tlsv1
ssl client-version tlsv1-only

My understanding has been that in order to protect myself from POODLE it should be tlsv1-only. And before anyone asks, I have upgraded my production ASA. This is for a lab configuration to support end users that may not be able to upgrade. I don't understand why v1-only doesn't work when configured for the server since my version of Java is configured to support TLSv1.0, 1.1 and 1.2. Debugging SSL produces:

error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number@s3_pkt.c:430
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number@s3_pkt.c:430
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number@s3_pkt.c:430

I think all the 9.x trains of

Philip D'Ath — Tue, 22 Dec 2015 00:42:17 GMT

I think all the 9.x trains of ASA have SSL disabled by default. They also add TLS1.2 support. You would be better off upgrading your firewall to resolve known serious security issues like this. After all, it is a firewall.

As I stated in my original

Scott Pickles — Tue, 22 Dec 2015 20:00:33 GMT

As I stated in my original post: "This is for a lab configuration to support end users that may not be able to upgrade." I'm trying learn WHY it doesn't work in that configuration, not just go "oh well an upgrade will fix it". Even with the upgrade, I should be able to configure 'tlsv1-only' on both the server and client side since my version of Java supports TLS v1.0, v1.1 and v1.2.

Coupe of ideas:

Marvin Rhoads — Tue, 22 Dec 2015 21:39:28 GMT

Coupe of ideas:

Doublecheck that you have the 3DES-AES license on the ASA

You may need to configure the ssl ciphers explicitly on the ASA.

You may need to add the Java Cryptography Extension (JCE) strong crypto support on your Java. (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)

If that doesn't help, I usually find the Wireshark packet decode of the failed communications more illustrative to determine where it's failing.

Marvin -

Scott Pickles — Wed, 23 Dec 2015 14:40:30 GMT

Marvin -

Going to look at the JCE option. The other things you mention are already configured:

ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1
Encryption-3DES-AES               : Enabled        perpetual

*EDIT*: The JCE option makes no difference. Still unable to use ASDM when specifying 'ssl server-version tlsv1-only'.

Hi Scott,

Shivapramod M — Thu, 24 Dec 2015 02:29:46 GMT

Hi Scott,

As Marvin mentioned try to take the capture using wire-shark when you connect via ASDM.

Thanks,

Shivapramod M