Confirmation that SSLV3 is disabled on ASA
Hi Everyone,

 

I configured the ASA with:

sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1-only

ssl encryption aes256-sha1 dhe-aes256-sha1 dhe-aes128-sha1
ssl trust-point ASDM_TrustPoint1 outside
ssl certificate-authentication fca-timeout 2

But when I run the command:

sh crypto ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1   ???
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: aes256-sha1 dhe-aes256-sha1 dhe-aes128-sha1

I need to know why the ASA is showing "Accept connections using SSLv3".

Regards

Mahesh

4 REPLIES
Cisco Employee

Hi, If you like to disable

Hi,

If you would like to disable SSLv3 on the ASA device, use this option:

ssl server-version tlsv1-only

Refer:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1562315

Thanks and Regards,

Vibhor Amrodia


Beginner

Re: Hi, If you like to disable

This thread is old; however, since no confirmation was given by the OP that this worked, I'd like to hope it can be reopened. I'm trying to run this "tlsv1.2-only" command in reference to the same issue, but the ASA returns "ERROR: % Invalid Input detected at Marker" and it references the "-only".

 

Is this command not active in ASA version 9.7?

 

I also need to completely shut off TLS 1.0/SSLv3 but am still seeing the message "Accept connections using SSLv3..." even after forcing TLS 1.2 on both Server and Client versions.

Hall of Fame Master

Re: Hi, If you like to disable

I believe the output of the "show" command is in error. If we configure the settings as suggested:

ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 custom "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256"
ssl dh-group14

...and then run nmap with the ssl-enum-ciphers script (which enumerates the cryptographic cipher support of the target system: https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html), we get:

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-30 12:52 Malay Peninsula Standard Time
Nmap scan report for 172.31.1.21
Host is up (0.00s latency).

PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Cisco ASA SSL VPN
|_http-trane-info: Problem with XML parsing of /evox/about
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A

You can also confirm using openssl by attempting to force an SSLv3 connection as follows:

root@eve-ng:~# openssl s_client -connect 172.31.1.21:443 -ssl3
140475002840728:error:140A90C4:SSL routines:SSL_CTX_new:null ssl method passed:ssl_lib.c:1878:
root@eve-ng:~#

NOTE: Make sure all of your clients have current AnyConnect software (4.7 or later). Otherwise older versions may fail to establish a connection with the server (ASA) when you tighten things down too much:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz41966/?rfs=iqvred
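The nmap check in the reply above is easy to run once but tedious to re-check after every ASA change, so here is an added example (not part of this thread, and not Cisco's or nmap's own code) that parses saved ssl-enum-ciphers output and reports anything below the TLS 1.2 bar. Assumptions: the two inline samples are constructed (the first mirrors the TLS 1.2-only output quoted above; the second, NMAP_LEGACY, is a hypothetical host that still accepts SSLv3 and TLS 1.0), the "A" grade test and the forward-secrecy test are this script's own policy choices, and the script only reads text, so it never contacts a host. One caveat worth knowing when you use the openssl test instead: the "null ssl method passed" error shown above is raised by the local OpenSSL build because it has no SSLv3 method compiled in, so that particular run reports on the client, not on the ASA; parsing the nmap output avoids that dependency.

```python
"""Audit helper: parse saved `nmap --script ssl-enum-ciphers` output and flag
protocol versions and cipher suites that fall below a TLS 1.2-only policy.
Added example for this thread; the samples below are constructed, not scans."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the TLS 1.2-only output quoted in the thread.
NMAP_TLS12_ONLY = """\
PORT    STATE SERVICE  VERSION
443/tcp open  ssl/http Cisco ASA SSL VPN
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: A
"""

# Constructed, hypothetical sample of a host that still accepts SSLv3 and TLS 1.0.
NMAP_LEGACY = """\
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - C
|     compressors:
|       NULL
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|_  least strength: C
"""

# A protocol header line looks like "|   TLSv1.2:"; a cipher line looks like
# "|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A".
PROTO_RE = re.compile(r"^\|\s+(SSLv[23]|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

# Policy: only these protocol versions may be offered by the server.
MINIMUM_OK = {"TLSv1.2", "TLSv1.3"}


def parse_ssl_enum_ciphers(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Return {protocol: [(cipher_name, nmap_grade), ...]} from script output."""
    result: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            result.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), m.group(3)))
    return result


def only_modern_tls(parsed: Dict[str, List[Tuple[str, str]]]) -> bool:
    """True when the scan saw at least one protocol and all of them are TLS 1.2+."""
    return bool(parsed) and all(proto in MINIMUM_OK for proto in parsed)


def audit(parsed: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """List policy findings: legacy protocols, sub-A grades, no forward secrecy."""
    findings = []
    for proto in sorted(parsed):
        if proto not in MINIMUM_OK:
            findings.append(f"{proto} is still accepted")
        for name, grade in parsed[proto]:
            if grade != "A":
                findings.append(f"{proto}: {name} graded {grade}")
            # Only (EC)DHE key exchange gives forward secrecy; plain RSA does not.
            if not (name.startswith("TLS_DHE_") or name.startswith("TLS_ECDHE_")):
                findings.append(f"{proto}: {name} lacks forward secrecy")
    return findings


if __name__ == "__main__":
    for label, sample in (("tls12-only", NMAP_TLS12_ONLY), ("legacy", NMAP_LEGACY)):
        parsed = parse_ssl_enum_ciphers(sample)
        print(label, "protocols:", sorted(parsed), "policy ok:", only_modern_tls(parsed))
        for finding in audit(parsed):
            print("  -", finding)
```

In practice you would redirect `nmap --script ssl-enum-ciphers -p 443 <asa>` to a file and feed that file to parse_ssl_enum_ciphers; an empty result means the script saw no TLS at all (wrong port, or the host was down), which the policy check deliberately treats as a failure rather than a pass.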

Beginner

Re: Hi, If you like to disable

Marvin,

 

Thank you so much for confirming what I suspected, that the SHOW result is not 100% accurate. I ran NMAP with ssl-enum-ciphers as you recommended and you were absolutely correct! I got a return showing ONLY TLS 1.2 active on the ports.

 

Really appreciate you solving this mystery!