ACE30 (A5(3.1a)) SSL Parameter map

sgonsalv
Level 1

Hi Guys,

We have a requirement to disable SSLv3 support and enable TLS1.0, 1.1 and 1.2 within our environment. Since having upgraded to A5(3.1a) we have available to us the ability to use TLS1.0, 1.1 and 1.2 according to the release notes, however in practice I've found that there is no ability to have only TLS1.0, 1.1 and 1.2 (not SSLv3) applied to a given VIP (via the ssl-proxy commands). From testing I've found that if I want to be specific about the versions of TLS, only one can be applied at a time. E.g.

parameter-map type ssl SSL-TLS1.0
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 3
  cipher RSA_WITH_AES_256_CBC_SHA priority 2
  version TLS1

ssl-proxy service SSL-NISTEST
  key NISTEST-KEY.pem
  cert NISTEST-CRT-RENEWED.pem
  chaingroup SSL-AUSCERTS-SERVER-CHAIN
  ssl advanced-options SSL-TLS1.0

 

I cannot apply TLS1.0, 1.1 and 1.2 to therefore support all browsers etc. I tried using "Up to TLS1.2" from the versions that were available, however this still includes SSLv3, which we do not want. Can Cisco confirm that my observations are correct and that I cannot add all 3 versions of TLS?

thanks

Sheldon

18 Replies

Kanwaljeet Singh
Cisco Employee

Hi Sheldon,

Please use "Upto_TLS1_2" and do "no version ssl3"; it takes it but unfortunately won't show in the configuration, and I haven't tested if it has any effect. Can you try this?

1/Admin(config-parammap-ssl)# no version ssl3

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Hi There,

I tried that as well though and it doesn't work unfortunately. If you issue "Upto_TLS1.2" and then "no version SSL3", it removes any previously configured version altogether, i.e. it removes Upto_TLS1.2.

Any other ideas from Cisco personnel that see these posts? It would appear then that I can't just specify TLS1.0+.

thanks

Sheldon

Hi Sheldon,

You are right about the behavior and unfortunately there is not a way to achieve what you want. I see similar requests internally here escalated to development. If there is any enhancement request around this and it is decided to be implemented in the next release, I will update here.

Regards,

Kanwal

Note: Please mark answers if they are helpful

Thanks - I'll keep an eye on this. I actually logged a TAC case as well and learnt of the same.

Cheers

Sheldon

Just to finish this thread off, Cisco released A5(3.1b) in late November 2014. This version disabled SSL3.0, so therefore when you use the command "Upto_TLS1.2" you enable TLS 1.0, TLS 1.1 & TLS 1.2, that's all. Then just sort out a good set of ciphers and you're done.

An example of the config to use in your parameter map is below. This will have reasonable backward compatibility while adding support for TLS 1.1 & TLS 1.2.

  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 2
  cipher RSA_WITH_AES_128_CBC_SHA priority 3
  cipher RSA_WITH_AES_256_CBC_SHA priority 4
  cipher RSA_WITH_AES_128_CBC_SHA256 priority 5
  session-cache timeout 600
  version Upto_TLS1_2

Hi Tim,

We are also facing the same issue. We have upgraded to A5(3.1b). We have configured the following on the Cisco ACE.

Please find attached the configs and the # sh stats crypto client output taken on the ACE.

Even after the configs, SSLv3 authentication cache hits are found.

Request you to kindly review the config and suggest the necessary changes.

Regards,
Nithin

 

 

Hi Nithin,

Your stats look OK to me. Looks like it is all good. Why do you think you are still using SSL3?

Also, did you specifically not want to use the TLS 1.1 and TLS 1.2?

Is there any reason you want to keep the MD5 cipher?

 

Cipher tlsv1_rsa_rc4_128_md5:                    20
Cipher tlsv1_rsa_rc4_128_sha:                     0
Cipher tlsv1_rsa_des_cbc_sha:                   714
Cipher tlsv1_rsa_3des_ede_cbc_sha:           410321

 

SSLv3 negotiated protocol:                        0
TLSv1 negotiated protocol:                   411055
SSLv3 full handshakes:                            0
SSLv3 resumed handshakes:                         0
SSLv3 rehandshakes:                               0
SSLv3 secured rehandshakes:                       0
TLSv1 full handshakes:                       411053
TLSv1 resumed handshakes:                         0
TLSv1 rehandshakes:                               0
TLSv1 secured rehandshakes:                       0
SSLv3 handshake failures:                         0
SSLv3 failures during data phase:                 0
TLSv1 handshake failures:                         2
TLSv1 failures during data phase:                 0

Hi Tim,

Thanks a lot for your reply.

In the parameter-map, we have given #no version ssl3 and given version TLS1. 

In #sh stats crypto client, we are able to see the SSL authentication cache hits.

+-----------------------------------------------+
+--- Crypto client authentication statistics ---+
+-----------------------------------------------+
Total SSL client authentications:                 0
Failed SSL client authentications:                0
SSL authentication cache hits:               415342
SSL static CRL lookups:                           0
SSL best effort CRL lookups:                      0
SSL CRL lookup cache hits:                        0
SSL static OCSP lookups:                          0
SSL best effort OCSP lookups:                     0
SSL OCSP lookup cache hits:                       0
SSL revoked certificates:                         0
Total SSL server authentications:            415412
Failed SSL server authentications:                0

 

When checked on the browser, SSLv3 is still shown. How do I disable this completely and enable only TLSv1?

Request your valuable inputs on this.

 

Regards,
Nithin.

 

Hi Tim,

Regarding the TLS1.1 and TLS1.2, there's no specific reason for that. We had just enabled only TLSv1.

Regarding the cipher, we had enabled only "RSA_WITH_3DES_EDE_CBC_SHA" in the parameter-map.

Regards,
Nithin.

Hi Nithin, personally I would recommend enabling TLS 1.1 & TLS 1.2 using the "version Upto_TLS1_2" option. The reason being that some people are disabling TLSv1.0 in their browsers (not me). Add a few extra AES ciphers too if you can, I found the AES ciphers performed better in our environment. I just kept the 3DES cipher for compatibility with older browsers.

Kind regards,

Tim

Hi Tim,

Thanks a lot for your response. Appreciate it.

 

Regards,
Nithin.

It appears Cisco will release one more software version for the ACE30 & 4710, A5(3.3), due late August. This will patch some more SSL vulnerabilities.

Hi Nithin, in response to the SSL stats above, that represents SSL authentication; it is not referring to the protocol SSLv3. It can be misleading. Those cache hits are OK.

If you look at my post where I cut and pasted your stats, I bolded the protocols that were hit; none of them are SSLv3. If you are running A5(3.1b), SSLv3 is disabled.

I recommend you try the settings I provided above. If your site is visible to the WWW then you can check its SSL status at various sites. One good one is the Qualys SSL server check here: https://www.ssllabs.com/ssltest/index.html

Or you can try Wormly: https://www.wormly.com/test_ssl

Also, Cisco just released A5(3.2) last night which will be the final software release for the ACE line. It has quite a few security fixes and a few bug fixes.

Kind regards,

Tim
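Tim's two points above (pick a parameter-map with `version Upto_TLS1_2` and a sane cipher list, and read the "negotiated protocol" counters rather than the "SSL authentication cache hits" counter when deciding whether SSLv3 is still in use) can be turned into a small offline check. The script below is an added example, not Cisco's code nor anything posted in this thread: it parses a parameter-map in the form Tim quoted and a `show stats crypto` excerpt in the form Nithin quoted, then reports which protocol versions the map enables, which ciphers are weak or legacy, and whether SSLv3 was ever actually negotiated. The mapping of the `ssl3`, `tls1` and `Upto_TLS1_2` keywords to protocol versions, and the flag modelling the pre-A5(3.1b) behaviour where `Upto_TLS1_2` still allowed SSLv3, are assumptions taken from the thread, not from Cisco documentation; the sample config and counters are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample parameter-map, in the form quoted in the thread (not a real device config).
SAMPLE_PARAMMAP = """\
parameter-map type ssl SSL-EXAMPLE
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 2
  cipher RSA_WITH_AES_128_CBC_SHA priority 3
  cipher RSA_WITH_AES_256_CBC_SHA priority 4
  cipher RSA_WITH_AES_128_CBC_SHA256 priority 5
  session-cache timeout 600
  version Upto_TLS1_2
"""

# Constructed sample counters, trimmed to the lines that matter, in the layout of the
# "show stats crypto" excerpt quoted in the thread ("<counter name>: <value>").
SAMPLE_STATS = """\
Cipher tlsv1_rsa_rc4_128_md5:                    20
Cipher tlsv1_rsa_rc4_128_sha:                     0
Cipher tlsv1_rsa_des_cbc_sha:                   714
Cipher tlsv1_rsa_3des_ede_cbc_sha:           410321
SSLv3 negotiated protocol:                        0
TLSv1 negotiated protocol:                   411055
SSLv3 full handshakes:                            0
TLSv1 full handshakes:                       411053
TLSv1 handshake failures:                         2
SSL authentication cache hits:               415342
"""

# Assumed mapping of the version keywords seen in the thread to the protocols they enable.
# "Upto_TLS1_2" also allowed SSLv3 before A5(3.1b); audit_parammap() models that with a flag.
VERSION_KEYWORDS = {
    "ssl3": ["SSLv3"],
    "tls1": ["TLSv1.0"],
    "upto_tls1_2": ["TLSv1.0", "TLSv1.1", "TLSv1.2"],
}

# Cipher-suite name fragments (matched case-insensitively) that mark a suite as weak.
# 3DES is reported separately as legacy: Tim kept it only for older browsers.
WEAK_PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("MD5 MAC", re.compile(r"_md5\b")),
    ("RC4", re.compile(r"rc4")),
    ("single DES", re.compile(r"(?<![0-9])des_")),   # "3des" is excluded by the lookbehind
    ("NULL/export", re.compile(r"null|export")),
]
LEGACY_PATTERN = re.compile(r"3des")


def cipher_findings(suite: str) -> List[str]:
    """Weakness labels that apply to a suite name, in config or stats spelling."""
    name = suite.lower()
    return [label for label, pat in WEAK_PATTERNS if pat.search(name)]


def parse_parammap(text: str) -> Dict:
    """Extract name, cipher list (with priority) and version keyword from a parameter-map."""
    pm = {"name": None, "ciphers": [], "version": None}
    for line in text.splitlines():
        m = re.match(r"^\s*parameter-map\s+type\s+ssl\s+(\S+)", line)
        if m:
            pm["name"] = m.group(1)
            continue
        m = re.match(r"^\s*cipher\s+(\S+)(?:\s+priority\s+(\d+))?", line)
        if m:
            pm["ciphers"].append((m.group(1), int(m.group(2)) if m.group(2) else None))
            continue
        m = re.match(r"^\s*version\s+(\S+)", line)
        if m:
            pm["version"] = m.group(1)
    return pm


def audit_parammap(pm: Dict, sslv3_removed_by_software: bool) -> Dict:
    """Protocol versions the map enables plus any weak or legacy ciphers it lists."""
    keyword = (pm["version"] or "").lower()
    versions = list(VERSION_KEYWORDS.get(keyword, []))
    if keyword == "upto_tls1_2" and not sslv3_removed_by_software:
        versions.insert(0, "SSLv3")        # pre-A5(3.1b) behaviour reported in the thread
    weak = [s for s, _ in pm["ciphers"] if cipher_findings(s)]
    legacy = [s for s, _ in pm["ciphers"] if LEGACY_PATTERN.search(s.lower())]
    return {"versions": versions, "sslv3_possible": "SSLv3" in versions,
            "weak_ciphers": weak, "legacy_ciphers": legacy}


COUNTER_RE = re.compile(r"^\s*(?P<name>[^:]+?):\s+(?P<value>\d+)\s*$")


def parse_counters(text: str) -> Dict[str, int]:
    """Turn '<name>: <integer>' lines into a dict; banner and separator lines are skipped."""
    counters = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line)
        if m:
            counters[m.group("name").strip()] = int(m.group("value"))
    return counters


def audit_stats(counters: Dict[str, int]) -> Dict:
    """Decide from the counters whether SSLv3 was actually negotiated and which weak suites
    carried traffic. 'SSL authentication cache hits' is deliberately ignored: as Tim notes,
    it counts authentication cache reuse for any protocol version, not SSLv3 use."""
    ssl3_total = (counters.get("SSLv3 negotiated protocol", 0)
                  + counters.get("SSLv3 full handshakes", 0))
    weak_hits = {}
    for name, value in counters.items():
        if name.startswith("Cipher ") and value:
            suite = name[len("Cipher "):]
            labels = cipher_findings(suite)
            if labels:
                weak_hits[suite] = (labels, value)
    return {"sslv3_negotiated": counters.get("SSLv3 negotiated protocol", 0),
            "tlsv1_negotiated": counters.get("TLSv1 negotiated protocol", 0),
            "sslv3_seen": ssl3_total > 0, "weak_cipher_hits": weak_hits}


if __name__ == "__main__":
    print("parameter-map:", audit_parammap(parse_parammap(SAMPLE_PARAMMAP), True))
    print("stats:", audit_stats(parse_counters(SAMPLE_STATS)))
```

Run against the constructed samples, the parameter-map audit reports TLS 1.0 through 1.2 with no SSLv3 and only 3DES flagged as legacy, while the stats audit reports zero SSLv3 negotiations but real traffic on the RC4/MD5 and single-DES suites, which is the point Tim raised about Nithin's cipher list. Paste a real `show running-config` parameter-map and `show stats crypto` output into the two sample strings to check your own box; set the flag to `False` if the ACE is still on a release before A5(3.1b).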

 

Hi Sheldon,

An enhancement request has been opened already:

CSCur33237    Need to allow all TLS versions but not SSLv3 in parameter-map

Once there is any ETA or update for it to be implemented, I will post it here. It is also better to open a TAC case: the more the demand, the more the chances of getting it implemented.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
