ASA 9.4; HOW TO VERIFY OPENSSL VERSION

M Mohammed
Beginner

Hi all,

 

How can I review what version of OpenSSL is being used, and is it safe or does it need an upgrade?

 

Many thanks

 

MM

1 Accepted Solution


resolved the issue, had to upgrade the ios to 9.8.


Ken Stieers
VIP Advisor

Check the "Open source used in Cisco ASA..." docs on their site

 

Here is the one for 9.4.1

https://www.cisco.com/c/dam/en/us/td/docs/security/asa/asa94/license/open-source/Cisco_ASA_Series_941.pdf

 

The latest suggested release is 9.4.4, at the very least you want 9.4(4)5 (has fix for CSCvd78303)

Hi Ken,

 

Many thanks for the information.

 

Could you please advise how I can verify, using the CLI or ASDM on the ASA, what version of OpenSSL is being used and whether that is the correct version, and if not, how to upgrade it?

 

Best regards,

 

MM

You can't do it that way.

You check the version of ASDM/ASA and go to the documentation.
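An added example, not part of the thread and not Cisco tooling: one way to compare the ASA release reported by `show version` against the 9.4(4)5 minimum mentioned above. The sample output is constructed, and the function names are hypothetical.

```python
import re

# Constructed sample of the relevant lines from ASA "show version" output.
SAMPLE_SHOW_VERSION = """\
Cisco Adaptive Security Appliance Software Version 9.4(1)
Device Manager Version 7.4(1)
"""

# ASA release strings look like 9.4(1), 9.4(4)5 or 9.8(2)20:
# major.minor(maintenance)interim, where the interim build is optional.
_RELEASE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)(\d+)?$")
_SW_LINE = re.compile(r"Adaptive Security Appliance Software Version\s+(\S+)")


def parse_release(release):
    """Turn '9.4(4)5' into (9, 4, 4, 5); a missing interim build counts as 0."""
    m = _RELEASE.match(release.strip())
    if m is None:
        raise ValueError(f"not an ASA release string: {release!r}")
    return tuple(int(part or 0) for part in m.groups())


def running_release(show_version_output):
    """Extract the ASA software release (not the ASDM one) from 'show version'."""
    m = _SW_LINE.search(show_version_output)
    if m is None:
        raise ValueError("ASA software version line not found")
    return m.group(1)


def meets_minimum(running, minimum):
    """True/False within the same major.minor train, None across trains.

    A minimum stated for one train (here 9.4) says nothing about another
    train such as 9.8; that has to be checked against that train's own docs.
    """
    r, m = parse_release(running), parse_release(minimum)
    if r[:2] != m[:2]:
        return None
    return r >= m  # numeric comparison, so 9.4(4)14 is newer than 9.4(4)5


if __name__ == "__main__":
    current = running_release(SAMPLE_SHOW_VERSION)
    print(current, "meets 9.4(4)5:", meets_minimum(current, "9.4(4)5"))
```

A `None` result means the running image is on a different release train, so the OpenSSL version has to be looked up in the open source document for that release instead.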




Many thanks Ken

Hi Ken,

 

Below is the report we have got from the pen test:

 

OpenSSL was outdated. A suitably placed attacker may be able to decrypt or forge SSL messages by telling the service to begin encrypted communications before key material has been exchanged, which causes predictable keys to be used for future communications. SSL-Session: Protocol
Update the OpenSSL encryption library to the latest available version. Tools such as NMAP (using the script ‘-p- --script=ssl-ccs-injection’) may be used to verify this issue.

 

What procedure should I follow to comply with this issue?

 

Please advise

 

Many thanks

 

MM

2 things: ask pen tester exactly what vulnerability they are hitting

Then open TAC case to get Cisco to give you the right version of ASA code...

You might want to ask this in the ASA forum... you're posting in Email security

resolved the issue, had to upgrade the ios to 9.8.

oreastri
Cisco Employee

Hello,

 

Just run this command from cli 

openssl version

openssl version -help
