topic Re: Cisco 5510 ssl and ssh in Network Security

Cisco 5510 ssl and ssh

lawsuites — Mon, 11 Mar 2019 19:19:34 GMT

Hello everyone, We have user that use credit card vedor services and they are charging us more because according to them we have ssl 2.0 and ssh 1 version and they are security vunerbilities. They say if we upgrade to ssl 3.0 or ssh 2.0 then it would be fine. How do i check which verison i have and how can i change or disable them. Will this effect any of our network(like exhcange owa, etc). Thanks

Re: Cisco 5510 ssl and ssh

Federico Coto Fajardo — Tue, 07 Dec 2010 19:18:59 GMT

Hi,

To check the SSH version do ''sh run ssh''

To change it ''ssh version [1 | 2]''

For SSL:

ssl server-version ?

ssl client-version ?

To check the current accepted version ''sh cry ssl''

Hope it helps.

Federico.

Re: Cisco 5510 ssl and ssh

lawsuites — Tue, 07 Dec 2010 19:31:39 GMT

Thanks,

I didd "sh run ssh" and it shows

ASA# sh run ssh
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside

ssh timeout 60

also doesn't let run ''ssh version [1 | 2]''

Samething for ssl " 'sh cry ssl'' -- it say invalid entry.

Re: Cisco 5510 ssl and ssh

Federico Coto Fajardo — Tue, 07 Dec 2010 19:33:25 GMT

Which OS version are you running?

sh version

Federico.

Re: Cisco 5510 ssl and ssh

lawsuites — Tue, 07 Dec 2010 19:34:59 GMT

ASA Version 8.0(3)

Re: Cisco 5510 ssl and ssh

Federico Coto Fajardo — Tue, 07 Dec 2010 19:37:02 GMT

You require to be in configuration mode:

ASA(config)#

Federico.

Re: Cisco 5510 ssl and ssh

lawsuites — Tue, 07 Dec 2010 19:40:35 GMT

i did that in config mode.

Re: Cisco 5510 ssl and ssh

Federico Coto Fajardo — Tue, 07 Dec 2010 19:43:49 GMT

I mentioned that because from your post it shows you're in privilege mode and not in configuration mode.

If you're in configuration mode, what do you get with this:

ASA(config)# ssh ?

ASA(config)# ssl ?

Federico.

Re: Cisco 5510 ssl and ssh

lawsuites — Tue, 07 Dec 2010 19:52:23 GMT

ASA(config)# sh ssh
Timeout: 60 minutes
Versions allowed: 1 and 2
0.0.0.0 0.0.0.0 outside
0.0.0.0 0.0.0.0 inside
ASA(config)# sh cry ssl
^
ERROR: % Invalid input detected at '^' marker.
ASA(config)#

For ssh it says both version allowed. How can be disable version 1.

For ssl it's say invalid

Re: Cisco 5510 ssl and ssh

lawsuites — Tue, 07 Dec 2010 19:55:31 GMT

Sorry forget to include the following info that your requested.

ASA(config)# ssh?

configure mode commands/options:
ssh

exec mode commands/options:
ssh
ASA(config)# ssl?

configure mode commands/options:
ssl

Re: Cisco 5510 ssl and ssh

Federico Coto Fajardo — Tue, 07 Dec 2010 19:56:12 GMT

ASA(config)# ssh version 2

ASA(config)# sh ssh

Timeout: 30 minutes
Version allowed: 2
0.0.0.0 0.0.0.0 outside

ASA(config)# sh ssl

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1

ASA(config)# ssl server-version ?
any         Enter this keyword to accept SSLv2 ClientHellos and either SSLv3
              or TLSv1 will be negotiated
sslv3       Enter this keyword to accept SSLv2 ClientHellos and negotiate
              SSLv3
sslv3-only Enter this keyword to accept ClientHellos only from a client
              using SSLV3
tlsv1       Enter this keyword to accept SSLv2 ClientHellos and negotiate
              TLSv3
tlsv1-only Enter this keyword to accept ClientHellos only from a client
              using TLSV1

Federico.

Re: Cisco 5510 ssl and ssh

lawsuites — Tue, 07 Dec 2010 20:03:19 GMT

ASA(config)# ssh version 2
ASA(config)# sh ssh
Timeout: 60 minutes
Version allowed: 2
0.0.0.0 0.0.0.0 outside
0.0.0.0 0.0.0.0 inside

that changed to verizon 2 only but timeout stayed 60 minutes.

ssl:

ASA(config)# sh ssl
^
ERROR: % Invalid input detected at '^' marker.
ASA(config)# ssl server-version ?

configure mode commands/options:
any         Enter this keyword to accept SSLv2 ClientHellos and either SSLv3
              or TLSv1 will be negotiated
sslv3       Enter this keyword to accept SSLv2 ClientHellos and negotiate
              SSLv3
sslv3-only Enter this keyword to accept ClientHellos only from a client
              using SSLV3
tlsv1       Enter this keyword to accept SSLv2 ClientHellos and negotiate
              TLSv3
tlsv1-only Enter this keyword to accept ClientHellos only from a client
              using TLSV1
ASA(config)#

What should i do here. According to the vendor ssl 2.0 should be off, but i can't check the status. Pls help.

Re: Cisco 5510 ssl and ssh

Federico Coto Fajardo — Tue, 07 Dec 2010 20:05:43 GMT

To negotiate only SSlv3

ssl server-version sslv3-only

If you want to change the timeout (whole different story) for SSH:

ssh timeout ?

Federico.

Re: Cisco 5510 ssl and ssh

lawsuites — Tue, 07 Dec 2010 20:09:59 GMT

60 minutes is fine.

If i do the following: ssl server-version sslv3-only ....will this give me any issue..for example we have OWA for exchange ...also for any reason if there is issue how should go back to my old settings...agian Federico thanks for this.

Re: Cisco 5510 ssl and ssh

Federico Coto Fajardo — Tue, 07 Dec 2010 20:15:33 GMT

Well you might run into issues if you have any application running on any other SSL version.

By adding the command sslv3-only, the ASA will only support SSLv3.

Before doing this, make sure it will not affect any application.

To do a rollback is not much of a problem...

Just copy/paste the output from:

sh run ssh

sh run ssl

Back to the ASA.

Federico.

Re: Cisco 5510 ssl and ssh

lawsuites — Tue, 07 Dec 2010 20:22:54 GMT

Without making any changes with our current configs:

When i do "sh run ssl" it comes out empty.

ASA(config)# sh run ssl
ASA(config)#

What can be the reason of this. How does vendor test our IP address and says that we are allowing ssl 2?

Only thing i am concern about is that we have VPN connection to remote location that also connect with asa5510 and Outlook we app(that check the certifcate and it says Version 3)

Re: Cisco 5510 ssl and ssh

lawsuites — Tue, 07 Dec 2010 20:24:28 GMT

Also can be just take out ssl2 and keep others like sslv3 and tlsv1.

Re: Cisco 5510 ssl and ssh

Federico Coto Fajardo — Tue, 07 Dec 2010 21:01:30 GMT

The reason
sh run ssl
does not show anything is because you have the default values.
To check what those settins are use
sh run all ssl

Federico.

Re: Cisco 5510 ssl and ssh

lawsuites — Tue, 07 Dec 2010 21:21:14 GMT

thanks: i got the following:

ASA(config)# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption afsd-sha1 .........(long key)
ASA(config)#

If i change to this :

ssl server-version sslv3-only

will something go wrong with ssl encryption..or anything ..and if i need to go back to any ..should i use following command:

ssl server-version any (let me know if this is wrong)

thanks again for your time.

Re: Cisco 5510 ssl and ssh

Kureli Sankar — Wed, 08 Dec 2010 03:00:37 GMT

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1511377

sslv3-only

The security appliance accepts only SSL version 3 client hellos, and uses only SSL version 3.

Refer the above link and it has the command syntax.

ssl server-version any is correct syntax.

-KS