Hi There,

I tried that as well though and it doesn't work unfortunately.  If you issue "Upto_TLS1.2" and then "no version SSL3", it removes any previous version configured altogether, i.e. it removes Upto_TLS1.2.

Any other ideas from CIsco personnel that see these posts??  It would appear then that I can't just specify TLS1.0 +.

thanks

Sheldon

Thanks - i'll keep an eye on this.  I actually logged a TAC case as well and learnt of the same.

Cheers

Sheldon

Just to finish this thread off, Cisco released A5(3.1b) in late November 2014. This version disabled SSL3.0 so therefore when you use the command "Upto_TLS1.2" you enable TLS 1.0, TLS 1.1 & TLS 1, that's all. Then just sort out a good set of ciphers and you're done.

An example of the config to use in your parameter map is below. This will have reasonable backward compatibility while adding support for TLS 1.1 & TLS 1.2.

Hi Tim,

We are also facing the same issue. We have upgraded to A5(3.1b). We have configured the following on the Cisco ACE.

Please find attached the configs and # sh stats crypto client ouput done on the ACE.

Hi Nithin,

Your stats looks OK to me. Looks like it is all good. Why do you think you are still using SSL3?

Also, did you specifically not want to use the TLS 1.1 and TLS 1.2?

Is there any reason you want to keep the MD5 cipher?

Cipher tlsv1_rsa_rc4_128_md5:                    20
Cipher tlsv1_rsa_rc4_128_sha:                     0
Cipher tlsv1_rsa_des_cbc_sha:                   714
Cipher tlsv1_rsa_3des_ede_cbc_sha:           410321

SSLv3 negotiated protocol:                        0
TLSv1 negotiated protocol:                   411055
SSLv3 full handshakes:                            0
SSLv3 resumed handshakes:                         0
SSLv3 rehandshakes:                               0
SSLv3 secured rehandshakes:                       0
TLSv1 full handshakes:                       411053
TLSv1 resumed handshakes:                         0
TLSv1 rehandshakes:                               0
TLSv1 secured rehandshakes:                       0
SSLv3 handshake failures:                         0
SSLv3 failures during data phase:                 0
TLSv1 handshake failures:                         2
TLSv1 failures during data phase:                 0

Hi Tim,

Thanks a lot for your reply.

In the parameter-map, we have given #no version ssl3 and given version TLS1. 

In #sh stats crypto client, we are able to see the SSL authentication cache hits.

+-----------------------------------------------+
+--- Crypto client authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications:                 0
Failed SSL client authentications:                0
SSL authentication cache hits:               415342
SSL static CRL lookups:                           0
SSL best effort CRL lookups:                      0
SSL CRL lookup cache hits:                        0
SSL static OCSP lookups:                          0
SSL best effort OCSP lookups:                     0
SSL OCSP lookup cache hits:                       0
SSL revoked certificates:                         0
Total SSL server authentications:            415412
Failed SSL server authentications:                0

When checked on the browser, SSLv3 is still shown. How to disable this completely and enable only TLSv1.

Request your valuable inputs on this.

Regards,
Nithin.

Hi Tim,

Regarding the TLS1.1 and TLS1.2, there's no specific reason for that. We had just enabled only TLSv1.

Regarding the cipher, we had enabled only "RSA_WITH_3DES_EDE_CBC_SHA" in the parameter-map.

Regards,
Nithin.

Hi Nithin, personally I would recommend enabling TLS 1.1 & TLS 1.2 using the "version Upto_TLS1_2" option. The reason being that some people are disabling TLSv1.0 in their browsers (not me). Add a few extra AES ciphers too if you can, I found the AES ciphers performed better in our environment. I just kept the 3DES cipher for compatibility with older browsers.

Kind regards,

Tim