Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
5934
Views
5
Helpful
8
Replies

ASA 9.4; HOW TO VERIFY OPENSSL VERSION

Go to solution
M Mohammed
Level 1
Level 1

‎10-19-2017 03:44 AM - edited ‎03-08-2019 07:26 PM

Hi all,

 

how can i review what version of OPENSSL is being used and is it safe or need an upgrade.

 

Many thanks

 

MM

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
M Mohammed
Level 1
Level 1
In response to Ken Stieers

‎12-19-2017 08:04 AM

resolved the issue, had to upgrade the ios to 9.8.

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Ken Stieers
VIP
VIP

‎10-19-2017 07:55 AM

Check the "Open source used in Cisco ASA..." docs on their site

 

Here is the one for 9.4.1

https://www.cisco.com/c/dam/en/us/td/docs/security/asa/asa94/license/open-source/Cisco_ASA_Series_941.pdf

 

The latest suggested release is 9.4.4, at the very least you want 9.4(4)5 (has fix for CSCvd78303)

Go to solution
M Mohammed
Level 1
Level 1
In response to Ken Stieers

‎10-19-2017 08:12 AM

Hi Ken,

 

Many thanks for the information.

 

could you please advise how i can verify by using CLI or ASDM on asa what version of OpenSSL is being used and is that the correct version, and if not how to upgrade it.

 

Best regards,

 

MM

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to M Mohammed

‎10-19-2017 08:15 AM

You can't do it that way.

You check the version of ADSM/ASA and go to the documentation.




0 Helpful

Go to solution
M Mohammed
Level 1
Level 1
In response to Ken Stieers

‎10-19-2017 08:25 AM

Many thanks Ken

0 Helpful

Go to solution
M Mohammed
Level 1
Level 1
In response to M Mohammed

‎10-20-2017 01:48 AM

Hi Ken,

 

this is the below report we have got for pen test

 

OpenSSL was outdated. A suitably placed attacker may be able to decrypt or forge SSL messages by telling the service to begin encrypted communications before key material has been exchanged, which causes predictable keys to be used for future communications. SSL-Session: Protocol
Update the OpenSSL encryption library to the latest available version. Tools such as NMAP (using the script ‘-p- --script=ssl-ccs-injection’) may be used to verify this issue.

 

what procedure should i follow to comply with this issue

 

Please advise

 

Many thanks

 

MM

0 Helpful

Go to solution
Ken Stieers
VIP
VIP
In response to M Mohammed

‎10-20-2017 03:51 AM

2 things: ask pen tester exactly what vulnerability they are hitting

Then open TAC case to get Cisco to give you the right version of ASA code...

You might want to ask this in the ASA forum... you're posting in Email security
0 Helpful

Go to solution
M Mohammed
Level 1
Level 1
In response to Ken Stieers

‎12-19-2017 08:04 AM

resolved the issue, had to upgrade the ios to 9.8.

0 Helpful

Go to solution
oreastri
Cisco Employee
Cisco Employee

‎04-18-2022 10:58 AM

Hello,

 

Just run this command from cli 

openssl version

openssl version –help

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents