12-01-2016 08:18 AM
Hello,
Can I upgrade directly from A4(2.3) to A5(3.3) or A5(3.5)?
I read in the Cisco release notes that: From Software Version A5(3.1b) ACE will no longer support SSLv3 version of SSL. ACE will support the following SSL versions TLS1.0, TLS1.1, and TLS1.2.
What configuration do I need to do in version A5(3.3) or A5(3.5) for the SSL issue?
Waiting for your feedback.
Thanks
Klodian
12-06-2016 12:08 PM
Hi Klodian,
Yes, you can upgrade it directly from A4.
- Not exactly sure what you meant by "configuration you need to do"...
- If you need it to support SSL v3:
http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_3_x/release/note/ACE_mod_rn_A53x.html
The following new commands have been added to support TLS1.1 and TLS1.2:
Note The configuration version Upto_TLS1_1 indicates that ACE supports SSL3.0, TLS1.0 and TLS1.1 versions.
Note The configuration version Upto_TLS1_2 indicates that ACE supports SSL3.0, TLS1.0, TLS1.1 and TLS1.2 versions.
Hope this helps!
Regards,
Alex.
12-07-2016 01:41 AM
Hello Alex,
From Release Note A5(3.x) I see that SSLv3 is supported until version A5(3.1a).
My current configuration in version A4(2.3) is (the config is version all - supports all SSL versions up to TLS Version 1):
parameter-map type ssl PARAM_SSL
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
  close-protocol disabled
  version all
!
ssl-proxy service CTXWEB
  ssl advanced-options PARAM_SSL
!
probe https IDP-PROD-UST_8021-CHECK
  description PROBE for UST IDP PROD
  port 8021
  interval 15
  passdetect interval 60
  ssl version all
  request method get url /idp/status
  open 1
  expect regex "200 OK"
1) If I upgrade to version A5(3.5), does the command
switch/Admin(config-parammap-ssl)# version all
exist?
2) If I upgrade to version A5(3.5), do I need to make only this change (blue color), including the probe config?
switch/Admin(config)#parameter-map type ssl PARAM_SSL
switch/Admin(config-parammap-ssl)# version Upto_TLS1_2
!
ssl-proxy service CTXWEB
  ssl advanced-options PARAM_SSL
!
probe https IDP-PROD-UST_8021-CHECK
  description PROBE for UST IDP PROD
  port 8021
  interval 15
  passdetect interval 60
  ssl version Upto_TLS1_2
  request method get url /idp/status
  open 1
  expect regex "200 OK"
3) I have too many probe configurations; do I need to go through every one to change the config?
from:
ssl version all
to:
ssl version Upto_TLS1_2
Waiting for your feedback.
Thanks
Klodian
12-07-2016 09:21 AM
Hi Klodian,
- Yes, that is correct. From Release Note A5(3.x), SSLv3 is supported until version A5(3.1a).
1) If I upgrade to version A5(3.5), does the command
switch/Admin(config-parammap-ssl)# version all
exist?
- Yes, it still exists (but SSLv3 is not supported in this release).
2) If I upgrade to version A5(3.5), do I need to make only this change (blue color), including the probe config?
switch/Admin(config)#parameter-map type ssl PARAM_SSL
switch/Admin(config-parammap-ssl)# version Upto_TLS1_2
- Yes, it will support TLS 1.0, 1.1 and 1.2.
3) I have too many probe configurations; do I need to go through every one to change the config?
from:
ssl version all
to:
ssl version Upto_TLS1_2
- "ssl version all" remains the same, and supports only TLS 1.0, 1.1 and 1.2.
If you are going to move to A5 3.1b and higher, you need to move your apps away from SSLv3.
- If you definitely need SSLv3, then you have to stay at A5 3.1a or lower
Best Regards,
Alex.
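For question 3 above (many probes to review), one way to inventory which SSL parameter maps, SSL proxy services and HTTPS probes carry which version setting before the upgrade. This is an added example, not part of the original posts and not Cisco tooling; it assumes the running-config has been saved as text, and the sample config and the probe name HYPOTHETICAL-PROBE are constructed.

```python
import re

# Constructed sample modelled on the config in this thread; HYPOTHETICAL-PROBE is made up.
SAMPLE_CONFIG = """\
parameter-map type ssl PARAM_SSL
  version all
!
ssl-proxy service CTXWEB
  ssl advanced-options PARAM_SSL
!
probe https IDP-PROD-UST_8021-CHECK
  ssl version all
probe https HYPOTHETICAL-PROBE
"""

HEADER = re.compile(r"(parameter-map type ssl|ssl-proxy service|probe https)\s+(\S+)$")
VERSION = re.compile(r"(?:ssl\s+)?version\s+(\S+)$")
ADV_OPTS = re.compile(r"ssl advanced-options\s+(\S+)$")

def inventory(config_text):
    """Parse SSL parameter maps, SSL proxy services and HTTPS probes."""
    lines = [l for l in config_text.splitlines() if l.strip()]
    # Forum pastes often lose indentation; only rely on it when it is present.
    indented = any(l[0] in " \t" for l in lines)
    blocks, cur = [], None
    for raw in lines:
        line, top = raw.strip(), raw[0] not in " \t"
        m = HEADER.match(line) if top else None
        if m:
            cur = {"kind": m.group(1), "name": m.group(2), "version": None, "param_map": None}
            blocks.append(cur)
        elif line == "!" or (indented and top):
            cur = None  # separator or unrelated top-level command ends the block
        elif cur is not None:
            if v := VERSION.match(line):
                cur["version"] = v.group(1)
            elif a := ADV_OPTS.match(line):
                cur["param_map"] = a.group(1)
    return blocks

def by_version(blocks):
    """Group blocks by SSL version; a proxy service inherits its parameter map's value."""
    maps = {b["name"]: b["version"] for b in blocks if b["kind"] == "parameter-map type ssl"}
    groups = {}
    for b in blocks:
        ver = maps.get(b["param_map"]) if b["kind"] == "ssl-proxy service" else b["version"]
        groups.setdefault(ver or "(not set)", []).append(f'{b["kind"]} {b["name"]}')
    return groups
```

Calling `by_version(inventory(text))` on a saved config lists, per version value, every block that uses it; entries under "(not set)" have no explicit version line in the parsed text.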
12-09-2016 12:06 AM
Hello Alex,
I have planned the maintenance window for the end of December.
I will let you know after the upgrade.
Thanks for your feedback.
Best Regards,
Klodian