
BEAST Vulnerability on ACE

jason.williams
Level 1

Does anyone know of a fix for the Beast vulnerability on the ACE 20 module?

Is there a way to enable TLS 1.1 and/or 1.2?  How can I verify that SSL 2.0 is disabled?  Also, is there any way to prioritize the ciphers to ensure that RC4 is used first?

Thanks.

Jason

Accepted Solution

Alex Rickard
Level 1

The SSL and TLS version can be specified by using the version command in the parameter map. The keywords for the version command are:

all—(Default) The ACE supports both SSL Version 3.0 and Transport Layer Security (TLS) Version 1.0.

ssl3—The ACE supports only SSL Version 3.0.

tls1—The ACE supports only TLS Version 1.0.

You can also prioritize the ciphers by setting the priority. The higher the priority value, the more preferred the cipher.

cipher cipher_name [priority cipher_priority]

Here is the link to the ACE SSL guide that details defining the SSL and TLS versions:

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA5_1_0/configuration/ssl/guide/terminat.html#wp1219945
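The accepted answer above gives the two knobs the ACE offers: the version keyword (all, ssl3 or tls1, so SSL 2.0 is never on the table and TLS 1.1/1.2 are not available) and the per-cipher priority, where a higher number is preferred. The script below is an added example, not part of the thread and not Cisco tooling: it parses "parameter-map type ssl" blocks out of a constructed running-config excerpt and reports whether each map offers only TLS 1.0 and puts an RC4 stream cipher at the top priority, which is the BEAST workaround the thread settles on. The map names and the constructed config are hypothetical; the cipher names and the 1-10 priority range with a default of 1 follow the ACE SSL guide. The expected_choice function is a model of the server-side pick (highest ACE priority among the ciphers the client also offers, config order breaking ties) and is an assumption, not documented ACE behaviour.

```python
"""Audit ACE 'parameter-map type ssl' blocks for the settings the thread relies on:
'version tls1' (so SSL 3.0 is not offered; the ACE never offers SSL 2.0) and the
highest cipher priority on an RC4 stream cipher, so a BEAST-exposed CBC suite is
not the first choice. Added example, not Cisco's code."""
import re
from dataclasses import dataclass, field

# Constructed running-config excerpt (not from the original post). Cipher names and
# the 1-10 priority range with default 1 follow the ACE SSL guide; map names are
# hypothetical. The first map has no 'version' line, so the ACE default 'all'
# (SSL 3.0 + TLS 1.0) applies, and a CBC suite holds the top priority.
SAMPLE_CONFIG = """\
parameter-map type ssl PARAMMAP_SSL_WEAK
  cipher RSA_WITH_AES_128_CBC_SHA priority 10
  cipher RSA_WITH_RC4_128_SHA priority 5
  cipher RSA_WITH_3DES_EDE_CBC_SHA
parameter-map type ssl PARAMMAP_SSL_BEAST
  version tls1
  cipher RSA_WITH_RC4_128_SHA priority 10
  cipher RSA_WITH_RC4_128_MD5 priority 9
  cipher RSA_WITH_AES_128_CBC_SHA priority 5
  cipher RSA_WITH_3DES_EDE_CBC_SHA priority 4
"""


@dataclass
class SslParamMap:
    name: str
    version: str = "all"                         # ACE default when no version line is present
    ciphers: dict = field(default_factory=dict)  # cipher name -> priority, in config order


def parse_param_maps(config: str) -> dict:
    """Return {map name: SslParamMap} for every 'parameter-map type ssl' block."""
    maps, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.fullmatch(r"parameter-map type ssl (\S+)", line):
            current = maps[m.group(1)] = SslParamMap(m.group(1))
        elif current is None:
            continue
        elif m := re.fullmatch(r"version (all|ssl3|tls1)", line):
            current.version = m.group(1)
        elif m := re.fullmatch(r"cipher (\S+)(?: priority (\d+))?", line):
            current.ciphers[m.group(1)] = int(m.group(2) or 1)  # omitted priority = 1
    return maps


def top_ciphers(pm: SslParamMap) -> list:
    """Ciphers holding the highest configured priority (higher number = preferred)."""
    if not pm.ciphers:
        return []
    top = max(pm.ciphers.values())
    return [c for c, p in pm.ciphers.items() if p == top]


def audit(pm: SslParamMap) -> list:
    """Findings against the thread's BEAST mitigation; an empty list means it passes."""
    findings = []
    if pm.version != "tls1":
        findings.append(f"{pm.name}: version {pm.version} still offers SSL 3.0; set 'version tls1'")
    preferred = top_ciphers(pm)
    if not preferred:
        findings.append(f"{pm.name}: no cipher lines, so nothing forces RC4 to be chosen first")
        return findings
    if any("_CBC_" in c for c in preferred):
        findings.append(f"{pm.name}: a CBC cipher holds the top priority {preferred}; BEAST targets CBC in TLS 1.0")
    if not any("_RC4_" in c for c in preferred):
        findings.append(f"{pm.name}: no RC4 cipher at the top priority")
    return findings


def expected_choice(pm: SslParamMap, client_offer: list):
    """Assumed model of the server-side pick: the cipher with the highest ACE priority
    among those the client also offers; config order breaks ties. None if no overlap."""
    common = [c for c in pm.ciphers if c in client_offer]
    return max(common, key=lambda c: pm.ciphers[c]) if common else None


if __name__ == "__main__":
    for pm in parse_param_maps(SAMPLE_CONFIG).values():
        print(pm.name, "->", audit(pm) or "OK")
        # A client that lists AES first still gets RC4 from a map that prefers it.
        print("  client offering AES then RC4 gets:",
              expected_choice(pm, ["RSA_WITH_AES_128_CBC_SHA", "RSA_WITH_RC4_128_SHA"]))
```

Run it against a pasted "show running-config" instead of the constructed sample to check a live box. Two caveats a practitioner should keep in mind: the cipher priority only steers the ACE's own pick, so it does nothing for a client that offers no RC4 suite, and RC4 has since been prohibited for TLS (RFC 7465), so this ordering reflects the 2011-era trade-off the thread describes rather than current guidance.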

3 Replies

That will work.  Hopefully Cisco will enable TLS 1.1/2 soon, but for now prioritizing the cipher should allow us to pass a PCI audit.

Thank you.

Jason

Here is also the link for the ACE20 code SSL guide. The one I sent earlier was for the A5 version. The support is the same though.

http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/vA2_3_0/configuration/ssl/guide/terminat.html#wp1078413

Defining the SSL and TLS Versions

You can specify the version of the security protocol that the ACE supports during the SSL handshake with its peer by using the version command in parameter map SSL configuration mode.

The syntax of this command is as follows:

version {all | ssl3 | tls1}

The keywords are as follows:

all—(Default) The ACE supports both SSL Version 3.0 and Transport Layer Security (TLS) Version 1.0.

ssl3—The ACE supports only SSL Version 3.0.

tls1—The ACE supports only TLS Version 1.0.

For example, to specify SSL Version 3.0 for the parameter map, enter:

host1/Admin(config)# parameter-map type ssl PARAMMAP_SSL

host1/Admin(config-parammap-ssl)# version ssl3

To remove a security protocol version from the SSL proxy parameter map, enter:

host1/Admin(config-parammap-ssl)# no version tls1
