Pls help me to understand

Steflstefan
Level 1

For Version 12.5 on SSL Cert-Config is written:

"TLSv1.0 and TLSv1.1 cannot be enabled simultaneously, but both can be enabled for use with TLSv1.2."


What does it mean?

TLSv1.2 + v1.1 + v1.0 enabled is NOT ok?
but
TLSv1.2 + v1.1 OR TLSv1.2 + v1.0 is ok?


Or does it mean
TLSv1.2 + v1.1 + v1.0 enabled simultaneously is ok
but without TLSv1.2, only v1.1 OR v1.0 can be enabled?


It's a little difficult to understand for me.

Thanks for explaining

Stefan 

Accepted Solution

ppreenja
Cisco Employee
Hi Stephan,

I believe that you are referring to the details in the release notes of AsyncOS version 12.5 (also in the release notes of version 12.1), which state as follows:

SSL Configuration Changes - After you upgrade to this release, you cannot enable TLS v1.0 and v1.2 methods simultaneously. However, you can enable these methods in conjunction with the TLS v.1.1 method, when you configure SSL settings.

If that is the case, then it means that in order to use TLS v1.0 along with TLS v1.2, you need to have TLS v1.1 enabled; otherwise, TLS v1.0 and TLS v1.2 cannot both be enabled simultaneously, i.e.

TLS v1.0 + TLS v1.1 + TLS v1.2 = OK
TLS v1.0 + TLS v1.2 = Not OK
TLS v1.0 + TLS v1.1 = OK
TLS v1.1 + TLS v1.2 = OK

Reference release notes below:
https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa12-5/ESA_12-5_Release_Notes.pdf
https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa12-1/ESA_12-1_Release_Notes.pdf

I hope this helps!

Cheers,
Pratham
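The four cases above, written as a configuration check. This is an added example, not code from the thread or from Cisco's AsyncOS; it assumes that only the three methods TLSv1.0, TLSv1.1 and TLSv1.2 are selectable (as in the thread) and generalizes the rule as "the enabled versions must form a contiguous range", which for those three methods yields exactly the four listed cases. The deprecation check is a separate, defender-side addition based on RFC 8996, not on the release notes.

```python
"""Check an AsyncOS-style SSL method selection (constructed example)."""
from typing import Iterable, List, Tuple

# Ordered TLS methods as offered on the ESA SSL Configuration page.
# Assumption: only these three versions are selectable, as in the thread.
TLS_METHODS = ("TLSv1.0", "TLSv1.1", "TLSv1.2")

# Versions deprecated by RFC 8996 (independent of the AsyncOS rule).
DEPRECATED = {"TLSv1.0", "TLSv1.1"}


def validate_methods(enabled: Iterable[str]) -> Tuple[bool, str]:
    """Return (ok, reason) for a set of enabled TLS methods.

    Rule from the accepted answer: TLSv1.0 and TLSv1.2 may only be enabled
    together when TLSv1.1 is also enabled.  Generalized here (assumption) to
    'no gap between the lowest and highest enabled version'; with three
    methods this reproduces the four cases listed in the thread.
    """
    chosen = set(enabled)
    unknown = chosen - set(TLS_METHODS)
    if unknown:
        return False, f"unknown method(s): {sorted(unknown)}"
    if not chosen:
        return False, "at least one TLS method must be enabled"
    label = " + ".join(sorted(chosen))
    idx = sorted(TLS_METHODS.index(m) for m in chosen)
    # Any index strictly between lowest and highest that is not enabled is a gap.
    gaps = [TLS_METHODS[i] for i in range(idx[0], idx[-1] + 1) if i not in idx]
    if gaps:
        return False, f"{label} = Not OK (also enable {', '.join(gaps)})"
    return True, f"{label} = OK"


def deprecated_methods(enabled: Iterable[str]) -> List[str]:
    """List enabled methods that RFC 8996 deprecates, for a hardening review."""
    return sorted(m for m in set(enabled) if m in DEPRECATED)


if __name__ == "__main__":
    for combo in (["TLSv1.0", "TLSv1.1", "TLSv1.2"], ["TLSv1.0", "TLSv1.2"],
                  ["TLSv1.0", "TLSv1.1"], ["TLSv1.1", "TLSv1.2"]):
        ok, reason = validate_methods(combo)
        print(reason, "| deprecated:", deprecated_methods(combo))
```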



Dennis Mink
VIP Alumni

Can you provide the source where you read this, because this makes no sense. I suspect this is more around backward compatibility.

Please remember to rate useful posts, by clicking on the stars below.

It's in the help or the question mark hover in the gui.

It means you can't check just TLS1.2 and TLS1.0 together. You have to have TLS1.1 checked also.

Or, put another way, of all the possible combinations of 1.0, 1.1, & 1.2:

1.0 & 1.2 is the only invalid one.



Hello Pratham,
It's really helping me. We already discussed it in the team and at the end we had three opinions, each of which sounded plausible.
We now have a winner who can look forward to a beer.

Hello Steflstefan,

Glad to know that I was able to help. :)

Cheers,
Pratham

Steflstefan
Level 1

A picture from the ESA GUI, System Administration \ SSL Configuration:


I think I've also read it in the 12.5 release notes, but I'm not sure...