We have a requirement to disable SSLv3 support and enable TLS1.0, 1.1 and 1.2 within our environment. Since having upgraded to A5(3.1a) we have available to us the ability to use TLS1.0, 1.1 and 1.2 according to the release notes. However, in practice I've found that there is no ability to have only TLS1.0, 1.1 and 1.2 (not SSLv3) applied to a given VIP (via the ssl-proxy commands). From testing I've found that if I want to be specific about the versions of TLS, only one can be applied at a time, e.g.:
parameter-map type ssl SSL-TLS1.0
  cipher RSA_WITH_AES_128_CBC_SHA priority 3
  cipher RSA_WITH_AES_256_CBC_SHA priority 2
ssl-proxy service SSL-NISTEST
  ssl advanced-options SSL-TLS1.0
I cannot apply TLS1.0, 1.1 and 1.2 together to support all browsers, etc. I tried using "Up to TLS1.2" from the versions that were available; however, this still includes SSLv3, which we do not want. Can Cisco confirm that my observations are correct and that I cannot add all 3 versions of TLS?
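A client-side check for the requirement described in this thread, as an added example that is not part of the original post or of any Cisco code: it offers the VIP a single protocol version per handshake and reports whether the server accepts it (ServerHello) or refuses it (alert), so an SSLv3-disable change can be verified independently of the parameter-map configuration. The VIP host name and port are placeholders; the two cipher suites mirror the RSA/AES suites in the parameter-map above.

```python
# Added example (not from the original post): probe which SSL/TLS protocol
# versions a VIP will negotiate. Host and port in __main__ are placeholders.
import socket
import struct

VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
# TLS_RSA_WITH_AES_128_CBC_SHA and TLS_RSA_WITH_AES_256_CBC_SHA, as in the parameter-map.
CIPHER_SUITES = [0x002F, 0x0035]


def build_client_hello(version: int) -> bytes:
    """Build a minimal ClientHello record offering exactly one protocol version."""
    body = struct.pack("!H", version)                      # client_version
    body += b"\x00" * 32                                   # random (fixed; fine for a probe)
    body += b"\x00"                                        # session_id length 0
    body += struct.pack("!H", 2 * len(CIPHER_SUITES))      # cipher_suites length
    body += b"".join(struct.pack("!H", cs) for cs in CIPHER_SUITES)
    body += b"\x01\x00"                                    # one compression method: null
    # Handshake header: type 1 (ClientHello) + 24-bit body length; no extensions.
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    # Record header: content type 0x16 (handshake), record version, length.
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Map the server's first record to 'accepted:<version>', 'rejected' or 'unknown'."""
    if len(data) < 6:
        return "unknown"
    if data[0] == 0x16 and data[5] == 0x02 and len(data) >= 11:   # handshake record, ServerHello
        negotiated = struct.unpack("!H", data[9:11])[0]            # server_version follows 5+4 header bytes
        name = next((k for k, v in VERSIONS.items() if v == negotiated), hex(negotiated))
        return f"accepted:{name}"
    if data[0] == 0x15:                                            # alert record (e.g. protocol_version)
        return "rejected"
    return "unknown"


def probe(host: str, port: int, version: int, timeout: float = 5.0) -> str:
    """Offer one protocol version to host:port and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version))
        try:
            return classify_response(s.recv(4096))
        except socket.timeout:
            return "unknown"


if __name__ == "__main__":
    for name, ver in VERSIONS.items():
        print(f"{name}: {probe('vip.example.internal', 443, ver)}")   # placeholder VIP
```

A VIP meeting the requirement in the post should report "rejected" for SSLv3 and "accepted:..." for each of the three TLS versions.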