ACE30 (A5(3.1a)) SSL Parameter map

sgonsalv
Level 1

Hi Guys,

We have a requirement to disable SSLv3 support and enable TLS 1.0, 1.1 and 1.2 within our environment. Since having upgraded to A5(3.1a) we have available to us the ability to use TLS 1.0, 1.1 and 1.2 according to the release notes; however, in practice I've found that there is no ability to have only TLS 1.0, 1.1 and 1.2 (not SSLv3) applied to a given VIP (via the ssl-proxy commands). From testing I've found that if I want to be specific about the versions of TLS, only one can be applied at a time, e.g.:

parameter-map type ssl SSL-TLS1.0
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 3
  cipher RSA_WITH_AES_256_CBC_SHA priority 2
  version TLS1

ssl-proxy service SSL-NISTEST
  key NISTEST-KEY.pem
  cert NISTEST-CRT-RENEWED.pem
  chaingroup SSL-AUSCERTS-SERVER-CHAIN
  ssl advanced-options SSL-TLS1.0


I cannot apply TLS 1.0, 1.1 and 1.2 together to therefore support all browsers etc. I tried using "Up to TLS1.2" from the versions that were available; however, this still includes SSLv3, which we do not want. Can Cisco confirm that my observations are correct and that I cannot add all 3 versions of TLS?


Thanks,

Sheldon


18 Replies

Hello Kanwal,


Just in case: in CSCur33237, will you also implement the possibility to configure multiple TLS versions, but not all of them, in a parameter map? For example, something like this:

parameter-map type ssl SSL-Config
   version TLS1_1
   version TLS1_2
   cipher ...


to only enable TLS 1.1 and 1.2, but NOT TLS 1.0?


Regards, Christian
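To turn the observations in this thread into a repeatable check, here is an added audit script (not from the thread, not Cisco's code) that parses `parameter-map type ssl` blocks out of an ACE running-config and reports which protocol versions each map would leave enabled. It encodes the original poster's finding that one explicit `version` line pins exactly one version, and Christian's proposal of several `version` lines, which it flags because the thread says only one version can be applied per map. The assumption that a map with no `version` line (or `version all`) enables SSLv3 as well, the keyword table, and the `SSL-DEFAULT` map in the sample are constructed for this example and are not verified ACE behaviour.

```python
"""Audit ACE 'parameter-map type ssl' blocks for SSLv3 exposure (added example)."""
import re
from typing import Dict, List, Set, Tuple

# Constructed sample: SSL-TLS1.0 and SSL-NISTEST are from the thread,
# SSL-Config is Christian's proposal, SSL-DEFAULT is made up for the example.
SAMPLE_CONFIG = """\
parameter-map type ssl SSL-TLS1.0
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 3
  cipher RSA_WITH_AES_256_CBC_SHA priority 2
  version TLS1

parameter-map type ssl SSL-DEFAULT
  cipher RSA_WITH_AES_256_CBC_SHA

parameter-map type ssl SSL-Config
   version TLS1_1
   version TLS1_2
   cipher RSA_WITH_AES_256_CBC_SHA

ssl-proxy service SSL-NISTEST
  key NISTEST-KEY.pem
  cert NISTEST-CRT-RENEWED.pem
  ssl advanced-options SSL-TLS1.0
"""

# Assumed mapping of 'version' keywords to the protocols they enable.
# 'ALL' (and an absent version line) is assumed to include SSLv3, which is
# the behaviour the thread complains about; verify against your release notes.
VERSION_KEYWORDS: Dict[str, Set[str]] = {
    "SSL3": {"SSLv3"},
    "TLS1": {"TLSv1.0"},
    "TLS1_1": {"TLSv1.1"},
    "TLS1_2": {"TLSv1.2"},
    "ALL": {"SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2"},
}


def parse_ssl_parameter_maps(config: str) -> Dict[str, dict]:
    """Return {map_name: {"versions": [...], "ciphers": [...]}} for every ssl parameter map."""
    maps: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"parameter-map type ssl (\S+)", line)
        if m:
            current = {"versions": [], "ciphers": []}
            maps[m.group(1)] = current
            continue
        if not raw.startswith((" ", "\t")):
            current = None  # an unindented line ends the parameter-map block
            continue
        if current is None:
            continue
        if line.startswith("version "):
            current["versions"].append(line.split(None, 1)[1].upper())
        elif line.startswith("cipher "):
            current["ciphers"].append(line.split()[1])
    return maps


def effective_protocols(versions: List[str]) -> Tuple[Set[str], List[str]]:
    """Return (enabled protocols, findings) for the version lines of one map."""
    findings: List[str] = []
    if not versions:
        findings.append("no version line: assumed to default to all versions, SSLv3 included")
        chosen = "ALL"
    else:
        if len(versions) > 1:
            findings.append("multiple version lines: ACE applies one version per map (per thread); last line assumed to win")
        chosen = versions[-1]
    protos = VERSION_KEYWORDS.get(chosen)
    if protos is None:
        findings.append(f"unknown version keyword {chosen!r}")
        protos = set()
    if "SSLv3" in protos:
        findings.append("SSLv3 enabled")
    return protos, findings


def audit(config: str) -> Dict[str, dict]:
    """Audit every ssl parameter map in a running-config text."""
    report: Dict[str, dict] = {}
    for name, pmap in parse_ssl_parameter_maps(config).items():
        protos, findings = effective_protocols(pmap["versions"])
        report[name] = {
            "protocols": sorted(protos),
            "ciphers": pmap["ciphers"],
            "findings": findings,
        }
    return report


if __name__ == "__main__":
    for name, entry in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {entry['protocols']} -> {'; '.join(entry['findings']) or 'ok'}")
```

Feed it `show running-config` output and review every map whose findings mention SSLv3 or multiple version lines; the keyword table is the one place to adjust once Cisco confirms the exact syntax for the fix tracked in CSCur33237.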

Hi Christian,

I would suggest opening a TAC case and requesting the same. Discussion is happening around excluding SSLv3 according to the DDTS, and this new request might also be considered if there is a demand.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

TAC case opened as well to push for the enhancement.


Fingers crossed.

Hi,

Does anyone know if Cisco will implement a solution in the near future?


Kind regards,

Flo
