10-16-2014 04:52 AM
Hi Guys,
We have a requirement to disable SSLv3 support and enable TLS1.0, 1.1 and 1.2 within our environment. Since having upgraded to A5(3.1a) we have available to us the ability to use TLS1.0, 1.1 and 1.2 according to the release notes; however, in practice I've found that there is no ability to have only TLS1.0, 1.1 and 1.2 (not SSLv3) applied to a given VIP (via the ssl-proxy commands). From testing I've found that if I want to be specific about the versions of TLS, only one can be applied at a time. E.g.:
parameter-map type ssl SSL-TLS1.0
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 3
  cipher RSA_WITH_AES_256_CBC_SHA priority 2
  version TLS1

ssl-proxy service SSL-NISTEST
  key NISTEST-KEY.pem
  cert NISTEST-CRT-RENEWED.pem
  chaingroup SSL-AUSCERTS-SERVER-CHAIN
  ssl advanced-options SSL-TLS1.0
I cannot apply TLS1.0, 1.1 and 1.2 together, to therefore support all browsers etc. I tried using "Up to TLS1.2" from the versions that were available; however, this still includes SSLv3, which we do not want. Can Cisco confirm that my observations are correct and that I cannot add all 3 versions of TLS?
thanks
Sheldon
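Whatever the parameter-map ends up allowing, the enabled protocol set should be confirmed from the client side rather than inferred from the CLI. The following is an added example (not from the thread or from Cisco) that probes a VIP once per protocol version with openssl s_client; it assumes openssl is on PATH, and host and port are placeholders supplied as arguments.

```shell
#!/bin/sh
# Added example: verify which SSL/TLS versions a VIP actually accepts.
# Assumes: openssl on PATH; $1 = VIP host (placeholder), $2 = port (443).

# Map the protocol labels used in the discussion to s_client options.
proto_flag() {
    case "$1" in
        SSLv3)  echo "-ssl3" ;;
        TLS1.0) echo "-tls1" ;;
        TLS1.1) echo "-tls1_1" ;;
        TLS1.2) echo "-tls1_2" ;;
        *)      return 1 ;;
    esac
}

# Handshake with exactly one protocol version. Prints one of:
#   accepted    - server completed a handshake at this version
#   refused     - server rejected it (the desired state for SSLv3)
#   unavailable - local openssl was built without this version, so the
#                 result says nothing about the server
probe_one() {
    host=$1; port=$2; proto=$3
    flag=$(proto_flag "$proto") || return 2
    out=$(printf '' | openssl s_client -connect "$host:$port" "$flag" 2>&1)
    if printf '%s' "$out" | grep -qiE 'unknown option|not supported'; then
        echo unavailable
    elif printf '%s' "$out" | grep -q 'Cipher is' \
         && ! printf '%s' "$out" | grep -q 'Cipher is (NONE)'; then
        echo accepted
    else
        echo refused
    fi
}

# Probe all four versions and flag SSLv3 if it is still negotiable.
probe_vip() {
    host=$1; port=${2:-443}
    for p in SSLv3 TLS1.0 TLS1.1 TLS1.2; do
        r=$(probe_one "$host" "$port" "$p")
        if [ "$p" = SSLv3 ] && [ "$r" = accepted ]; then
            echo "$p: $r  <-- FINDING: SSLv3 still enabled on $host:$port"
        else
            echo "$p: $r"
        fi
    done
}

# Only run when a host is given, so the functions can be sourced alone.
[ -n "${1-}" ] && probe_vip "$1" "${2-}"
```

Run it before and after changing the parameter-map; the expected result for the requirement above is SSLv3 refused and TLS1.0, 1.1 and 1.2 accepted.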
10-23-2014 12:58 AM
Hello Kanwal,
just in case: in CSCur33237, will you also implement the possibility to configure multiple TLS versions, but not all of them, in a parameter map? For example, something like this:
parameter-map type ssl SSL-Config
  version TLS1_1
  version TLS1_2
  cipher ...
to only enable TLS 1.1 and 1.2, but NOT TLS 1.0?
Regards, Christian
10-23-2014 05:07 AM
Hi Christian,
I would suggest opening a TAC case and requesting the same. Discussion is happening around excluding SSLv3 according to the DDTS, and this new request might also be considered if there is a demand.
Regards,
Kanwal
Note: Please mark answers if they are helpful.
10-24-2014 06:15 AM
TAC case opened as well to push for the enhancement.
Fingers crossed.
10-23-2014 12:14 AM
Hi,
does anyone know if Cisco will implement a solution in the near future?
kind regards,
Flo