I configured ASA with
sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption aes256-sha1 dhe-aes256-sha1 dhe-aes128-sha1
ssl trust-point ASDM_TrustPoint1 outside
ssl certificate-authentication fca-timeout 2
But when I run the command
sh crypto ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1 ???
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: aes256-sha1 dhe-aes256-sha1 dhe-aes128-sha1
I need to know why the ASA is showing "Accept connections using SSLv3".
If you would like to disable SSLv3 on the ASA device, use this option:
ssl server-version tlsv1-only
Thanks and Regards,
This thread is old; however, since no confirmation was given by the OP that this worked, I'd like to hope it can be reopened. I'm trying to run this "tlsv1.2-only" command in reference to the same issue, but the ASA returns "ERROR: % Invalid Input detected at Marker" and it references the "-only".
Is this command not active in ASA version 9.7?
I also need to completely shut off TLS 1.0 and SSLv3, but I am still seeing the message "Accept connections using SSLv3..." even after forcing TLS 1.2 for both the server and client versions.
I believe the output of the "show" command is in error. If we configure the settings as suggested:
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 custom "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256"
...and then run nmap with the ssl-enum-ciphers script (enumerates the cryptographic cipher support of the target system, https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html), we get:
Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-30 12:52 Malay Peninsula Standard Time
Nmap scan report for 172.31.1.21
Host is up (0.00s latency).
PORT STATE SERVICE VERSION
443/tcp open ssl/http Cisco ASA SSL VPN
|_http-trane-info: Problem with XML parsing of /evox/about
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
| cipher preference: server
|_ least strength: A
You can also confirm using openssl by attempting to force an SSLv3 connection, as follows:
root@eve-ng:~# openssl s_client -connect 172.31.1.21:443 -ssl3
140475002840728:error:140A90C4:SSL routines:SSL_CTX_new:null ssl method passed:ssl_lib.c:1878:
root@eve-ng:~#
NOTE: Make sure all of your clients have current AnyConnect software (4.7 or later). Otherwise, older versions may fail to establish a connection with the server (ASA) when you tighten things down too much:
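One caveat on the openssl check in the answer above: "null ssl method passed" from SSL_CTX_new means the local OpenSSL build has no SSLv3 method compiled in, so that command never reached the ASA and says nothing about what the ASA accepts. The nmap result is the real evidence. The script below is an added example, not code from this thread or from Cisco: it sends a raw ClientHello for one protocol version at a time (SSLv3, TLS 1.0, 1.1, 1.2) and classifies the first record the server returns, so the check does not depend on which protocol versions your local OpenSSL supports. A server that truly rejects a version answers with a protocol_version or handshake_failure alert or resets the connection; one that accepts it returns a ServerHello with the negotiated version and cipher suite. The target host 172.31.1.21:443 is taken from the thread and is an assumption; the sample ServerHello and alert bytes are constructed for offline testing, not captured from an ASA. DTLS is not probed.

```python
"""Raw SSL/TLS version probe, independent of the local OpenSSL build.

Added example (not from this thread or from Cisco). Sends one ClientHello per
protocol version and reports whether the server answered with a ServerHello
(version accepted) or an alert / reset (version rejected).
"""
import os
import socket
import struct
import sys

VERSIONS = {"SSLv3": 0x0300, "TLSv1.0": 0x0301, "TLSv1.1": 0x0302, "TLSv1.2": 0x0303}
VERSION_NAMES = {v: k for k, v in VERSIONS.items()}

# Offered suites: the DHE-RSA suites from the ASA config in the thread plus a few
# common RSA suites, so an old or restricted server still has something to pick.
CIPHER_SUITES = [0x009F, 0x009E, 0x0067, 0x0039, 0x0033, 0x0035, 0x002F, 0x000A]
ALERTS = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}

# Constructed sample responses (not captured from an ASA), used for offline checks:
# TLS 1.2 ServerHello selecting TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x009F)
SAMPLE_SERVER_HELLO = (b"\x16\x03\x03\x00\x2a" + b"\x02\x00\x00\x26"
                       + b"\x03\x03" + b"\x11" * 32 + b"\x00" + b"\x00\x9f" + b"\x00")
# fatal(2) protocol_version(70) alert, what a server sends for an unsupported version
SAMPLE_ALERT = b"\x15\x03\x01\x00\x02\x02\x46"


def build_client_hello(version, server_name=None, random_bytes=None):
    """Return one handshake record carrying a ClientHello for `version`."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = struct.pack("!H", version) + rnd + b"\x00"          # version, random, empty session id
    body += struct.pack("!H", len(suites)) + suites            # cipher_suites vector
    body += b"\x01\x00"                                        # compression_methods: null only
    if server_name and version >= 0x0301:                      # SSLv3 hellos carry no extensions
        host = server_name.encode()
        sni = struct.pack("!BH", 0, len(host)) + host          # name_type host_name(0)
        sni_list = struct.pack("!H", len(sni)) + sni
        ext = struct.pack("!HH", 0, len(sni_list)) + sni_list  # extension type server_name(0)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def parse_server_response(data):
    """Classify the first TLS record in `data`: ServerHello, alert, or something else."""
    if len(data) < 5:
        return {"result": "no_response"}
    ctype, _rec_ver, rec_len = struct.unpack("!BHH", data[:5])
    body = data[5:5 + rec_len]
    if ctype == 0x15 and len(body) >= 2:                       # ContentType alert(21)
        return {"result": "alert", "level": body[0], "description": body[1],
                "name": ALERTS.get(body[1], "alert_%d" % body[1])}
    if ctype == 0x16 and len(body) >= 4 and body[0] == 0x02:   # handshake(22), server_hello(2)
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        if len(hello) >= 38:                                   # minimum ServerHello size
            version = struct.unpack("!H", hello[:2])[0]
            sid_len = hello[34]                                # after 2-byte version + 32-byte random
            suite = struct.unpack("!H", hello[35 + sid_len:37 + sid_len])[0]
            return {"result": "server_hello", "version": version, "cipher_suite": suite}
    return {"result": "unexpected", "content_type": ctype}


def probe(host, port, version, timeout=5.0):
    """Send one ClientHello and return the parsed first record (needs network access)."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(version, server_name=host))
            while True:                                        # read until the first record is complete
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
                data = b"".join(chunks)
                if len(data) >= 5 and len(data) >= 5 + struct.unpack("!H", data[3:5])[0]:
                    break
    except (ConnectionResetError, socket.timeout):             # an RST is also a rejection
        if not chunks:
            return {"result": "connection_reset_or_timeout"}
    return parse_server_response(b"".join(chunks))


def summarize(results):
    """Render {version_name: parsed record} as accepted/rejected lines."""
    lines = []
    for name, r in results.items():
        if r["result"] == "server_hello":
            lines.append("%-8s ACCEPTED  negotiated %s suite 0x%04X"
                         % (name, VERSION_NAMES.get(r["version"], hex(r["version"])), r["cipher_suite"]))
        else:
            lines.append("%-8s rejected  (%s)" % (name, r.get("name", r["result"])))
    return lines


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "172.31.1.21"   # assumed host from the thread
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("\n".join(summarize({n: probe(target, port, v) for n, v in VERSIONS.items()})))
```

Run it as `python3 probe.py 172.31.1.21 443` against the ASA; a box locked to tlsv1.2 should show SSLv3, TLSv1.0 and TLSv1.1 as rejected (alert or reset) and only TLSv1.2 as ACCEPTED with one of the three DHE-RSA suites from the `ssl cipher tlsv1.2 custom` line. The probe only looks at the first record, so it never completes a handshake and leaves no session behind on the ASA.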
Thank you so much for confirming what I suspected, that the SHOW result is not 100% accurate. I ran nmap with ssl-enum-ciphers as you recommended and you were absolutely correct! I got a return showing ONLY TLS 1.2 active on the ports.
Really appreciate you solving this mystery!