12-01-2016 08:18 AM
Hello,
Can I upgrade directly from A4(2.3) to A5(3.3) or A5(3.5) ?
I read in the Cisco release notes that: From Software Version A5(3.1b) ACE will no longer support SSLv3 version of SSL. ACE will support the following SSL versions TLS1.0, TLS1.1, and TLS1.2.
What configuration do I need to do in version A5(3.3) or A5(3.5) for the SSL issue?
Waiting for your feedback.
Thanks
Klodian
12-06-2016 12:08 PM
Hi Klodian,
Yes, you can upgrade it directly from A4.
- Not exactly sure what you meant by "configuration you need to do"...
- If you need it to support SSL v3:
http://www.cisco.com/c/en/us/td/docs/interfaces_modules/services_modules/ace/vA5_3_x/release/note/ACE_mod_rn_A53x.html
The following new commands have been added to support TLS1.1 and TLS1.2:
Note: The configuration version Upto_TLS1_1 indicates that ACE supports SSL3.0, TLS1.0 and TLS1.1 versions.
Note: The configuration version Upto_TLS1_2 indicates that ACE supports SSL3.0, TLS1.0, TLS1.1 and TLS1.2 versions.
Hope this helps!
Regards,
Alex.
12-07-2016 01:41 AM
Hello Alex,
From Release Note A5(3.x) I see that SSLv3 is supported until version A5(3.1a).
My current configuration in version A4(2.3) is (the config is version all - supports all SSL versions up to TLS Version 1):
parameter-map type ssl PARAM_SSL
  cipher RSA_WITH_RC4_128_MD5
  cipher RSA_WITH_RC4_128_SHA
  cipher RSA_WITH_DES_CBC_SHA
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA
  cipher RSA_WITH_AES_256_CBC_SHA
  close-protocol disabled
  version all
!
ssl-proxy service CTXWEB
  ssl advanced-options PARAM_SSL
!
probe https IDP-PROD-UST_8021-CHECK
  description PROBE for UST IDP PROD
  port 8021
  interval 15
  passdetect interval 60
  ssl version all
  request method get url /idp/status
  open 1
  expect regex "200 OK"
1) If I upgrade to version A5(3.5), does the command
switch/Admin(config-parammap-ssl)# version all
exist?
2) If I upgrade to version A5(3.5), do I need to make only this change (blue color), including the probe config?
switch/Admin(config)#parameter-map type ssl PARAM_SSL
switch/Admin(config-parammap-ssl)# version Upto_TLS1_2
!
ssl-proxy service CTXWEB
  ssl advanced-options PARAM_SSL
!
probe https IDP-PROD-UST_8021-CHECK
  description PROBE for UST IDP PROD
  port 8021
  interval 15
  passdetect interval 60
  ssl version Upto_TLS1_2
  request method get url /idp/status
  open 1
  expect regex "200 OK"
3) I have too many probe configurations; do I need to go through every one to change the config?
from:
ssl version all
to:
ssl version Upto_TLS1_2
Waiting for your feedback.
Thanks
Klodian
12-07-2016 09:21 AM
Hi Klodian,
- Yes, that is correct. From Release Note A5(3.x), SSLv3 is supported until version A5(3.1a).
1) If I upgrade to version A5(3.5), does the command
switch/Admin(config-parammap-ssl)# version all
exist?
- Yes, it still exists (but SSLv3 is not supported in this release)
2) If I upgrade to version A5(3.5), do I need to make only this change (blue color), including the probe config?
switch/Admin(config)#parameter-map type ssl PARAM_SSL
switch/Admin(config-parammap-ssl)# version Upto_TLS1_2
- Yes, it will support TLS 1.0, 1.1 and 1.2
3) I have too many probe configurations; do I need to go through every one to change the config?
from:
ssl version all
to:
ssl version Upto_TLS1_2
- "ssl version all" remains the same, and supports only TLS 1.0, 1.1 and 1.2
If you are going to move to A5 3.1b or higher, you need to move your apps away from SSLv3.
- If you definitely need SSLv3, then you have to stay at A5 3.1a or lower
Best Regards,
Alex.
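An added example, not part of the thread and not Cisco tooling: a small Python inventory of where SSL version settings live in an ACE configuration, for finding every parameter map and probe still set to `version all` before an upgrade like the one discussed above. The sample config is constructed from the snippet posted in the thread, `EXAMPLE-PROBE-2` is hypothetical, and the parser assumes a block is closed by `!` or by the next recognised block header.

```python
import re

# Constructed sample modelled on the configuration posted in the thread
# (EXAMPLE-PROBE-2 is made up for illustration).
SAMPLE_CONFIG = """\
parameter-map type ssl PARAM_SSL
  cipher RSA_WITH_AES_128_CBC_SHA
  version all
!
ssl-proxy service CTXWEB
  ssl advanced-options PARAM_SSL
!
probe https IDP-PROD-UST_8021-CHECK
  port 8021
  ssl version all
probe https EXAMPLE-PROBE-2
  port 8443
  ssl version Upto_TLS1_2
"""

# Block header regex, block kind, and the sub-command whose value is recorded.
BLOCKS = [
    (re.compile(r"^parameter-map type ssl (\S+)"), "parameter-map", re.compile(r"^version (\S+)")),
    (re.compile(r"^ssl-proxy service (\S+)"), "ssl-proxy", re.compile(r"^ssl advanced-options (\S+)")),
    (re.compile(r"^probe https (\S+)"), "probe", re.compile(r"^ssl version (\S+)")),
]

def inventory(config_text):
    """Return [kind, name, value] per block; value stays None if the sub-command is absent."""
    found, setting = [], None
    # Lines are stripped, so indented and flattened (pasted) configs both work.
    for line in (raw.strip() for raw in config_text.splitlines()):
        header = next(((rx.match(line), kind, sub) for rx, kind, sub in BLOCKS if rx.match(line)), None)
        if header:
            match, kind, setting = header
            found.append([kind, match.group(1), None])
        elif line == "!":
            setting = None  # "!" closes the current block
        elif setting and (m := setting.match(line)):
            found[-1][2] = m.group(1)
    return found

def using_version(config_text, value="all"):
    """(kind, name) of parameter maps and probes whose SSL version is set to `value`."""
    return [(k, n) for k, n, v in inventory(config_text) if k != "ssl-proxy" and v == value]

if __name__ == "__main__":
    for kind, name, value in inventory(SAMPLE_CONFIG):
        print(f"{kind:14} {name:28} {value}")
```

The `ssl-proxy` rows show which services reference each parameter map, so a change to `PARAM_SSL` can be traced to the services it affects.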
12-09-2016 12:06 AM
Hello Alex,
I have planned the maintenance window for the end of December.
I will let you know after the upgrade.
Thanks for your feedback.
Best Regards,
Klodian