ACE TLS1.0 Enforcement Behavior

jbartoldus
Level 1

ACE 30 module running A4(2.3) code. I want to turn off SSLv3 support, but I'm seeing some different behavior when doing so. Perhaps someone can explain the ACE behavior.


When ACE is set to all versions (SSLv3 and TLS1.0), if a TLS1.2 Client Hello is received, it is accepted and the ACE responds with a Server Hello with Version: TLS1.0 (0x0301) and the communications continues without issue.


When "version tls1" is configured in the same SSL parameter map and the same TLS1.2 Client Hello is received, the ACE sends an SSL Fatal Alert packet (Protocol Version) back to the client, with Version: SSL 3.0 (0x0300) as the version.


I understand that the ACE doesn't support TLS1.1 and 1.2 in this version of code, but why does it accept the TLS1.2 Client Hello when version is all, but rejects it when version is set for tls1?


5 Replies

Kanwaljeet Singh
Cisco Employee

Hi,

When all versions are used, i.e. SSLv3 and TLS1.0, when a client hello is received the ACE will choose the one it supports from the client's SSL version list and reply. It should be the highest version which both client and server support. But when you have TLS1.0 configured, then it will only look for that version, and if it cannot find that in the client hello, it will send a fatal alert. Did the client have the TLS1.0 option in the client hello for which the ACE sent the fatal alert?

I will double check on the behavior but as per my understanding this is how it should be.

Do you have a pcap showing this behavior? 


Regards,

Kanwal

Note: Please mark answers if they are helpful.
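The two negotiation policies described in this thread can be modelled in a few lines. The following is an added example written for this page, not code from the original thread or from Cisco's ACE: it constructs a minimal ClientHello, parses its version fields, and then applies either the RFC 5246 Appendix E.1 rule (answer with the highest supported version not above the client's, so a TLS1.2 hello gets a TLS1.0 ServerHello) or an exact-match rule that only accepts a hello whose version is itself configured and otherwise returns a fatal protocol_version alert. The exact-match rule is an assumption that reproduces what the original poster observed with "version tls1"; the SSL 3.0 record version on the alert is likewise chosen only to mirror the reported capture.

```python
import struct

# TLS/SSL version codes as they appear on the wire: (major << 8) | minor
SSL30, TLS10, TLS11, TLS12 = 0x0300, 0x0301, 0x0302, 0x0303
VERSION_NAMES = {SSL30: "SSLv3", TLS10: "TLS1.0", TLS11: "TLS1.1", TLS12: "TLS1.2"}

# Record-layer content types and handshake/alert codes (RFC 5246)
HANDSHAKE, ALERT = 22, 21
CLIENT_HELLO, SERVER_HELLO = 1, 2
ALERT_FATAL, PROTOCOL_VERSION = 2, 70


def build_client_hello(client_version: int, record_version: int = TLS10) -> bytes:
    """Constructed minimal ClientHello record; only the version fields matter here."""
    body = struct.pack(">H", client_version) + bytes(32)   # client_version + 32-byte random
    body += b"\x00"                                         # session_id length 0
    body += struct.pack(">H", 2) + b"\x00\x2f"              # cipher_suites: one suite
    body += b"\x01\x00"                                     # compression_methods: null only
    hs = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack(">HH", record_version, len(hs)) + hs


def parse_client_hello(record: bytes) -> dict:
    """Return the record-layer version and the ClientHello's client_version."""
    ctype, record_version, length = struct.unpack(">BHH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    hs = record[5:5 + length]
    if hs[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    (client_version,) = struct.unpack(">H", hs[4:6])       # after type(1) + length(3)
    return {"record_version": record_version, "client_version": client_version}


def negotiate(client_version: int, supported: set, exact_match: bool) -> tuple:
    """Decide the server's reply to a ClientHello carrying client_version.

    exact_match=False: the RFC 5246 Appendix E.1 rule, i.e. answer with the highest
    supported version that is <= client_version (TLS1.2 hello -> TLS1.0 ServerHello).
    exact_match=True: assumed ACE 'version tls1' behaviour, i.e. accept only a hello
    whose version is itself configured and refuse anything else.
    Returns ('server_hello', version) or ('alert', description).
    """
    if exact_match:
        if client_version in supported:
            return ("server_hello", client_version)
        return ("alert", PROTOCOL_VERSION)
    candidates = [v for v in supported if v <= client_version]
    if not candidates:
        return ("alert", PROTOCOL_VERSION)   # client is older than anything we offer
    return ("server_hello", max(candidates))


def encode_reply(decision: tuple, alert_record_version: int = SSL30) -> bytes:
    """Serialize the decision: a ServerHello record or a fatal protocol_version alert."""
    kind, value = decision
    if kind == "alert":
        body = bytes([ALERT_FATAL, value])
        return bytes([ALERT]) + struct.pack(">HH", alert_record_version, len(body)) + body
    body = struct.pack(">H", value) + bytes(32) + b"\x00" + b"\x00\x2f" + b"\x00"
    hs = bytes([SERVER_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([HANDSHAKE]) + struct.pack(">HH", value, len(hs)) + hs


def simulate(client_version: int, supported: set, exact_match: bool) -> str:
    """Run one constructed ClientHello through the chosen policy and describe the outcome."""
    hello = parse_client_hello(build_client_hello(client_version))
    decision = negotiate(hello["client_version"], supported, exact_match)
    reply = encode_reply(decision)
    if decision[0] == "alert":
        return f"{VERSION_NAMES[client_version]} hello -> fatal alert protocol_version ({len(reply)} bytes)"
    return f"{VERSION_NAMES[client_version]} hello -> ServerHello {VERSION_NAMES[decision[1]]}"


if __name__ == "__main__":
    print("version all :", simulate(TLS12, {SSL30, TLS10}, exact_match=False))
    print("version tls1:", simulate(TLS12, {TLS10}, exact_match=True))
    print("version tls1:", simulate(TLS10, {TLS10}, exact_match=True))
```

Under the RFC rule, restricting the parameter map to TLS1.0 alone would still let a TLS1.2 client connect at TLS1.0; the exact-match branch is the only policy that yields the alert the original poster captured, which is what makes the "version tls1" behaviour worth raising with the vendor rather than treating it as a client fault.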


kanwalsi,

Your description makes sense, but I do not understand what the ACE is doing when the Client Hello is TLS1.2, a version it doesn't recognize (in this version of code).  When version is all, the ACE accepts the TLS1.2 Client Hello and responds with TLS1.0, but when the version is tls1, it sends the fatal error alert back.  That doesn't make sense unless the Client Hello MUST be TLS1.0 and nothing else in order for the ACE to recognize it.


Thanks!

As Kanwal mentioned in another thread, A531B will be released by the end of November and will address the Bash and POODLE vulnerabilities, so you are probably better off performing the upgrade. I tried different available options (on A530) aiming to shun SSLv3, without success. Looking for the upgrade. Leo

I see A531B has been released, but there are no release notes to say what it has fixed.

Dave


Hi Dave,

The SSLv3 version is not supported anymore by ACE and that was the recommended fix.


The following resolved caveats apply to software version A5(3.1b):

    CSCur02195—The ACE 4710 and ACE30 include a version of bash that is affected by the vulnerabilities identified by the Common Vulnerability and Exposures (CVE) IDs:

1. CVE-2014-6271

2. CVE-2014-6277

3. CVE-2014-6278

4. CVE-2014-7169

5. CVE-2014-7186

6. CVE-2014-7187

    CSCur23683—ACE30 : evaluation of SSLv3 POODLE vulnerability.

Note: ACE will no longer support the SSLv3 version of SSL. ACE will support the following SSL versions: TLS1.0, TLS1.1, and TLS1.2. A performance degradation of 9% may be observed while using TLS1.0 compared to SSLv3.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
