Alter TLS and SSL on SMA

abdulhadizamri
Level 1

Hi Support Community,

We need to alter the TLS and SSL on the SMA appliance but didn't see it in the GUI.

Can someone help on this?

8 Replies

Libin Varghese
Cisco Employee

Hi,

To view the currently selected protocols and available options, or to change protocols, use the sslconfig command in the command-line interface.

You can also download the configuration file for the SMA with passwords masked and make changes to the <ssl> section using notepad++ or another text editor.

Thank You!
Libin Varghese

Hi Libin,

I am able to disable the SSL3.

Can i change the TLS 1.0 to another version? TLS 1.2 or else?

Thanks.

Hi,

Based on release notes for Async OS 10.

http://www.cisco.com/c/dam/en/us/td/docs/security/security_management/sma/sma10-0/SMA_10-0_Release_Notes.pdf

New in Cisco AsyncOS 10.1.0-052 (MD - Maintenance Deployment)

TLS versions – Transport Layer Security v1.1 and v1.2 are now available for selection with management, updater, LDAPS, and other services. In FIPS mode, the services are auto-configured to use these protocols.

- Libin V

Hi Libin,

Thanks for the information.

Will upgrade the firmware accordingly.

Thanks.

Hi Libin,

I have upgraded the SMA to 10.1.0-052.

However, my sslconfig also has only TLS1.0.

Kindly advise.

> sslconfig

Disabling SSLv3 is recommended for best security.


Choose the operation you want to perform:
- VERSIONS - Enable or disable SSL/TLS versions
[]> versions

SSL/TLS versions may be enabled or disabled for the following services:

Updater - Update Service
EUQ - Spam Quarantine
WebUI - Appliance Management Web User Interface
LDAPS - Secure LDAP Services (including Authentication and External
Authentication)

Currently enabled SSL/TLS versions by service: (Y : Enabled, N : Disabled)

Updater EUQ WebUI LDAPS
SSLv3.0 N N N N
TLSv1.0 Y Y Y Y

Select the service for which to enable/disable SSL/TLS versions:

1. EUQ
2. Updater
3. WebUI
4. LDAPS
5. All Services
[]> 5


To change the setting for a specific protocol, select an option below:

1. SSLv3.0
2. TLSv1.0
[]> 2


TLSv1.0 is currently enabled for Updater, EUQ, WebUI, LDAPS.

Select one of the following options:

1. Disable for all services
2. Enable for all services
3. Keep current settings
[]>
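An added example, not Cisco's code and not part of this thread: a small Python parser for the table that sslconfig's "versions" operation prints (the text is the session output quoted above), a function that flags services still accepting legacy protocol versions, and a live handshake probe for confirming on the wire that a change actually took effect. The hardened sample table is constructed; its TLSv1.1/TLSv1.2 row names are assumed from the release-notes quote earlier in the thread, and the host and port in the probe are placeholders.

```python
"""Parse the SMA sslconfig 'versions' table and flag legacy protocol exposure.

Added example (not Cisco code). The first sample is the output quoted in this
thread; the second is a constructed 'after upgrade' table.
"""
import socket
import ssl
from typing import Dict, List

# Assumption for this example: anything below TLS 1.2 is treated as legacy.
LEGACY_VERSIONS = {"SSLv2.0", "SSLv3.0", "TLSv1.0", "TLSv1.1"}

# Sample 1: the table exactly as shown in the sslconfig session above.
SAMPLE_TABLE = """\
Currently enabled SSL/TLS versions by service: (Y : Enabled, N : Disabled)

Updater EUQ WebUI LDAPS
SSLv3.0 N N N N
TLSv1.0 Y Y Y Y
"""

# Sample 2 (constructed): what a hardened appliance would be expected to show
# once TLS 1.1/1.2 are selectable and TLS 1.0 has been disabled.
HARDENED_TABLE = """\
Currently enabled SSL/TLS versions by service: (Y : Enabled, N : Disabled)

Updater EUQ WebUI LDAPS
SSLv3.0 N N N N
TLSv1.0 N N N N
TLSv1.1 N N N N
TLSv1.2 Y Y Y Y
"""


def parse_versions_table(text: str) -> Dict[str, Dict[str, bool]]:
    """Return {service: {version: enabled}} from the sslconfig versions table."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    # The header row (service names) is the first non-empty line after the banner.
    try:
        start = next(i for i, ln in enumerate(lines)
                     if ln.startswith("Currently enabled")) + 1
    except StopIteration:
        raise ValueError("sslconfig versions table not found")
    services = lines[start].split()
    table: Dict[str, Dict[str, bool]] = {svc: {} for svc in services}
    for ln in lines[start + 1:]:
        tokens = ln.split()
        if not tokens[0].startswith(("SSLv", "TLSv")):
            break  # end of table (e.g. the "Select the service" prompt follows)
        if len(tokens) != len(services) + 1:
            raise ValueError(f"malformed row: {ln!r}")
        version, flags = tokens[0], tokens[1:]
        for svc, flag in zip(services, flags):
            if flag not in ("Y", "N"):
                raise ValueError(f"unexpected flag {flag!r} in row {ln!r}")
            table[svc][version] = flag == "Y"
    return table


def legacy_exposure(table: Dict[str, Dict[str, bool]]) -> Dict[str, List[str]]:
    """Return {service: [legacy versions still enabled]}, omitting clean services."""
    out: Dict[str, List[str]] = {}
    for svc, versions in table.items():
        bad = sorted(v for v, on in versions.items() if on and v in LEGACY_VERSIONS)
        if bad:
            out[svc] = bad
    return out


def negotiates(host: str, port: int, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """Live check (not exercised offline): True if host:port completes a handshake
    pinned to exactly `version`. Run it against the WebUI/LDAPS ports after
    changing sslconfig to confirm TLS 1.0 is really refused. The local OpenSSL
    build must itself still permit the version being tested, or the result is
    False regardless of the appliance setting.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # testing protocol acceptance, not the cert
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    for name, sample in (("as posted", SAMPLE_TABLE), ("hardened", HARDENED_TABLE)):
        print(name, legacy_exposure(parse_versions_table(sample)))
    # Placeholder target; replace with the appliance's management address.
    # print(negotiates("sma.example.invalid", 443, ssl.TLSVersion.TLSv1))
```

Run on the posted table it reports TLSv1.0 still enabled for all four services, which matches what the CLI shows; on the hardened sample it reports nothing. The probe pins both minimum and maximum version so a "False" means that single version was refused, not that the client fell back to a newer one.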

I might be wrong now but my memory tells me:

ESA Version 10.1.x supports TLS 1.2

SMA only Version 11 ETA late Q2 early Q3 2017 will support TLS 1.2

Apparently, the release notes are wrong. I just updated to 10.1.0-052, but the CLI still only shows TLS 1.0. 

Quick update on the issue: https://www.cisco.com/c/dam/en/us/td/docs/security/security_management/sma/sma10-0/SMA_10-0_Release_Notes.pdf states TLS 1.2 support in 10.1.0-052 on page 2, but this is for Web Security Appliances, not for the SMA. I wonder why this is in the release notes for SMA.


In the meantime we upgraded our SMA to 11.0.0-136 with TLS 1.2 support.