1100 Views | 5 Helpful | 5 Replies

CSCvi80849 - Cisco Firepower 2100 Series POODLE TLS security scanner alerts

ThatOtherITDude
Level 1

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvi80849/?rfs=iqvred

Does anyone know what versions of FTD code fix this issue? The bug article only lists FXOS and ASA versions.

5 Replies

Rob2041
Level 1

If you make a custom cipher set with TLS1.2 only and only use 

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384

TLS_DHE_RSA_WITH_AES_256_GCM_SHA384

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384

TLS_DHE_RSA_WITH_AES_256_CBC_SHA256

The Poodle TLS issue will go away.

This is running FTD 7.0.1

Where does this custom cipher set get created?

Hi,

I am sorry, but according to this https://blog.qualys.com/product-tech/2019/04/22/zombie-poodle-and-goldendoodle-vulnerabilities the problem will remain until you remove CBC ciphers.

You can edit ciphers in FMC under Devices -> Platform settings -> SSL -> Protocol version

HTH,

Pavel

Yes, remove all CBC-based ciphers in your custom set for TLSv1.2 and DTLSv1.2. I use the following and get an A+ from Qualys SSL Labs:

ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl server-max-version tlsv1.3
ssl client-max-version tlsv1.3
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
ssl cipher tlsv1.3 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
ssl dh-group group14
ssl ecdh-group group19

The above should work fine as platform settings for any FTD 7.0 or greater.

Hi Marvin,

Same for me. I think you can even remove ECDSA ciphers from TLS 1.2. Most of the certificates I have met use an RSA key.

Regards,

Pavel
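A small checker that ties the three technical replies together, added here as an example; it is not code from the thread, from Cisco, or from Qualys. It classifies cipher-suite names by their naming convention alone: an IANA name (Rob2041's list, e.g. TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384) or an OpenSSL-style name as used in the FTD `ssl cipher <version> custom "..."` string (Marvin's post, e.g. ECDHE-RSA-AES256-SHA384). In TLS 1.2 naming, an AES/Camellia/3DES suite without a GCM, CCM or CHACHA20 marker is a CBC suite, which is what Pavel's Qualys link says must go; the checker therefore reports the `...-AES256-SHA384` and `...-AES256-SHA256` entries of the posted string as CBC and, following Pavel's last reply, can also drop the ECDSA suites when the server certificate has an RSA key. The `Suite` class, the function names, the constant `MARVIN_TLS12` and the restriction to the ECDHE/DHE/static-RSA/PSK suite families are my assumptions; the `ssl cipher ... custom` command form is copied from the thread.

```python
"""Classify TLS 1.2 cipher-suite names (IANA or OpenSSL style) and flag CBC suites.

Added example, not code from the thread, Cisco or Qualys. Classification is by
naming convention only and covers the ECDHE/DHE/static-RSA/PSK families; it is
not a substitute for scanning the device after the platform settings are pushed.
"""
from dataclasses import dataclass

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")        # authenticated bulk modes
BLOCK_CIPHERS = ("AES", "CAMELLIA", "DES", "ARIA", "SEED")
EPHEMERAL_KEX = ("ECDHE", "DHE")                  # forward-secret key exchange
AUTH_ALGS = ("RSA", "ECDSA", "DSS", "PSK")

# Cipher string from Marvin's post (copied from the thread, TLSv1.2 line).
MARVIN_TLS12 = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                "DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
                "ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256")


@dataclass(frozen=True)
class Suite:
    name: str   # suite name exactly as given in the input
    kex: str    # key exchange: ECDHE, DHE, RSA (static), PSK, anon
    auth: str   # certificate / authentication algorithm: RSA, ECDSA, DSS, PSK, anon
    mode: str   # bulk-cipher mode: AEAD, CBC, STREAM or UNKNOWN


def mode_of(name: str) -> str:
    """Bulk-cipher mode from the name. A block cipher with no AEAD marker is CBC:
    ECDHE-RSA-AES256-SHA384 is AES-256-CBC with HMAC-SHA384, and the IANA form
    spells it out as TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384."""
    n = name.upper()
    if any(m in n for m in AEAD_MARKERS):
        return "AEAD"
    if "RC4" in n:
        return "STREAM"
    if any(c in n for c in BLOCK_CIPHERS):
        return "CBC"
    return "UNKNOWN"


def parse_iana(name: str) -> Suite:
    """TLS_<KEX>_<AUTH>_WITH_<bulk>_<mac>; one token before WITH means static RSA/PSK."""
    n = name.upper()
    if n.startswith("TLS_"):
        n = n[4:]
    head, _, _ = n.partition("_WITH_")
    toks = head.split("_")
    kex = toks[0]
    auth = toks[-1] if len(toks) > 1 else toks[0]
    if auth == "ANON":
        auth = "anon"
    return Suite(name, kex, auth, mode_of(name))


def parse_openssl(name: str) -> Suite:
    """OpenSSL short names: ECDHE-RSA-AES256-SHA384, DHE-RSA-AES256-SHA256,
    AES256-SHA256 (no prefix = static RSA key transport), PSK-AES256-CBC-SHA."""
    toks = name.upper().split("-")
    if toks[0] in ("ECDHE", "DHE", "ECDH", "DH"):
        kex = toks[0]
        auth = toks[1] if len(toks) > 1 and toks[1] in AUTH_ALGS else "anon"
    elif toks[0] in ("AECDH", "ADH"):       # OpenSSL spells anonymous suites with a leading A
        kex, auth = toks[0][1:], "anon"
    elif toks[0] == "PSK":
        kex = auth = "PSK"
    else:
        kex = auth = "RSA"
    return Suite(name, kex, auth, mode_of(name))


def parse_cipher_string(cipher_string: str):
    """Parse the colon-separated value of an FTD/ASA 'ssl cipher <ver> custom "..."' line."""
    return [parse_openssl(n) for n in cipher_string.strip('"').split(":") if n]


def cbc_suites(suites):
    """Names of the CBC-mode suites in the list (the ones the Qualys post says to remove)."""
    return [s.name for s in suites if s.mode == "CBC"]


def hardened(suites, cert_key="RSA"):
    """Keep forward-secret AEAD suites whose auth algorithm matches the server
    certificate's key type (Pavel's point: ECDSA suites are dead weight with an RSA cert)."""
    return [s.name for s in suites
            if s.mode == "AEAD" and s.kex in EPHEMERAL_KEX and s.auth == cert_key]


def ftd_custom_line(version: str, names) -> str:
    """Render the platform-settings line in the form shown in the thread."""
    return f'ssl cipher {version} custom "{":".join(names)}"'


if __name__ == "__main__":
    suites = parse_cipher_string(MARVIN_TLS12)
    print("CBC suites still present:", cbc_suites(suites))
    print(ftd_custom_line("tlsv1.2", hardened(suites, cert_key="RSA")))
```

Run it as-is to see which entries of the posted TLSv1.2 string are CBC and what the same line looks like reduced to the forward-secret AEAD suites for an RSA certificate; pass `cert_key="ECDSA"` instead when the device certificate is an EC key. Re-scan the device after pushing the settings, since the classifier only reads names and cannot see what the FTD actually negotiates.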