01-27-2020 08:35 AM
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi80849/?rfs=iqvred
Does anyone know what versions of FTD code fix this issue? The bug article only lists FXOS and ASA versions.
08-19-2022 09:54 AM - edited 08-19-2022 09:55 AM
If you make a custom cipher set with TLS1.2 only and only use
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
the Poodle TLS issue will go away.
This is running FTD 7.0.1.
11-16-2023 12:58 PM
Where does this custom cipher set get created?
01-12-2024 04:50 AM
Hi,
I am sorry, but according to this https://blog.qualys.com/product-tech/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities the problem will remain until you remove CBC ciphers.
You can edit ciphers in FMC under Devices -> Platform settings -> SSL -> Protocol version
HTH,
Pavel
01-17-2024 08:23 AM
Yes, remove all CBC-based ciphers in your custom set for TLSv1.2 and DTLSv1.2. I use the following and get an A+ from Qualys SSL Labs:
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl server-max-version tlsv1.3
ssl client-max-version tlsv1.3
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
ssl cipher tlsv1.3 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
ssl dh-group group14
ssl ecdh-group group19
The above should work fine as platform settings for any FTD 7.0 or greater.
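In OpenSSL naming (the form the FTD `custom` string uses) a block-cipher suite is only marked when it is GCM or CCM; an AES suite with no such token is a CBC suite, which is easy to miss when translating from the IANA names quoted earlier in the thread. The following checker is an added example, not from the thread or from Cisco: it splits a custom string like the one above, flags CBC suites, maps each (EC)DHE/RSA/ECDSA AES name to its IANA name, and emits the AEAD-only string.

```python
import re

# Constructed sample: the tlsv1.2 custom string from the platform settings above.
CUSTOM_TLS12 = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
)

# Tokens that mark an AEAD suite in OpenSSL naming; a block-cipher suite
# without one of these is a CBC suite.
AEAD_TOKENS = ("GCM", "CCM", "CCM8", "CHACHA20")
BLOCK_CIPHER_PREFIXES = ("AES", "CAMELLIA", "SEED", "DES", "ARIA")

# Suites of the shape used in the thread: (EC)DHE key exchange, RSA/ECDSA auth,
# AES-128/256, optional GCM, SHA-1 or SHA-2 MAC/PRF.
_IANA_RE = re.compile(r"(ECDHE|DHE)-(RSA|ECDSA)-AES(128|256)-(GCM-)?SHA(256|384)?")


def is_cbc(suite: str) -> bool:
    """True when an OpenSSL-named suite uses a block cipher in CBC mode."""
    parts = suite.split("-")
    uses_block_cipher = any(p.startswith(BLOCK_CIPHER_PREFIXES) for p in parts)
    return uses_block_cipher and not any(tok in parts for tok in AEAD_TOKENS)


def to_iana(suite: str) -> str:
    """Map e.g. ECDHE-RSA-AES256-SHA384 to TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384."""
    m = _IANA_RE.fullmatch(suite)
    if m is None:
        raise ValueError(f"unsupported suite name: {suite}")
    kx, auth, bits, gcm, sha = m.groups()
    mode = "GCM" if gcm else "CBC"
    return f"TLS_{kx}_{auth}_WITH_AES_{bits}_{mode}_SHA{sha or ''}"


def cbc_suites(custom: str) -> list[str]:
    """Suites in an FTD 'ssl cipher ... custom' string that are CBC-based."""
    return [s for s in custom.split(":") if s and is_cbc(s)]


def hardened(custom: str) -> str:
    """The same custom string with every CBC suite dropped."""
    return ":".join(s for s in custom.split(":") if s and not is_cbc(s))


if __name__ == "__main__":
    for s in cbc_suites(CUSTOM_TLS12):
        print(f"CBC suite still enabled: {s} ({to_iana(s)})")
    print("AEAD-only string:", hardened(CUSTOM_TLS12))
```

The dtlsv1.2 custom string in the post above is identical, so the same check applies to it.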
01-17-2024 09:43 AM
Hi Marvin,
Same for me. I think you can even remove ECDSA ciphers from TLS 1.2. Most of the certificates I have come across use RSA keys.
Regards,
Pavel