To fix SSL3 and Poodle vulnerability on ASA 5520 running code 8.2(2) will the command "ssl server-version tlsv1" do the trick?

KavehSheikh_2
Level 1

Hi All,

To fix the SSLv3 and POODLE vulnerability on an ASA 5520 running code 8.2(2), will the command "ssl server-version tlsv1" do the trick, or do I have to upgrade the software version? If I can fix this without a software upgrade, it would be great. While the command apparently is available in 8.2(2), I cannot find an article that confirms that this will fix the issue. A lot has been said about upgrading to 8.4, but because the NAT statements change from 8.2 to 8.4, I really would like to avoid a code upgrade. Thank you

Accepted Solution

"ssl server-version tlsv1" will solve the vulnerability for the SSL-POODLE. But you are still vulnerable to TLS-POODLE. For that you need to upgrade to 8.2.5.55 or higher (for 8.2).
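Whether the "ssl server-version tlsv1" change actually took effect is easy to check from the outside: offer the ASA an SSLv3-only ClientHello and see whether it answers with a ServerHello or refuses. The probe below is an added example written for this page, not code from the thread or from Cisco. It builds the ClientHello by hand because current OpenSSL builds no longer ship an `-ssl3` option for `openssl s_client`. The host name `asa.example.net` and the three RSA cipher suites it offers are assumptions chosen so that both an SSLv3 and a TLS 1.0 server of that era would have something to negotiate.

```python
"""Stand-alone SSLv3 acceptance probe (added example, not from the thread).

Sends a raw ClientHello for a chosen protocol version and reports whether the
server negotiated it (ServerHello) or refused it (alert / closed connection).
"""
import os
import socket
import struct
import sys

SSL3 = (3, 0)   # SSLv3: what `ssl server-version tlsv1` should turn off
TLS10 = (3, 1)  # TLS 1.0: what that setting leaves enabled

# Assumption: three RSA suites that SSLv3 and TLS 1.0 servers of that era accept.
CIPHER_SUITES = bytes.fromhex("002f" "000a" "0005")  # AES128-SHA, 3DES-SHA, RC4-SHA


def build_client_hello(version=SSL3):
    """Return one TLS record carrying a minimal ClientHello for `version`."""
    ver = bytes(version)
    body = (
        ver                                   # client_version
        + os.urandom(32)                      # random
        + b"\x00"                             # session_id length 0
        + struct.pack("!H", len(CIPHER_SUITES)) + CIPHER_SUITES
        + b"\x01\x00"                         # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = ClientHello
    return b"\x16" + ver + struct.pack("!H", len(handshake)) + handshake  # 0x16 = Handshake


def classify_response(data):
    """Interpret the first record the server returned.

    Returns ("accepted", (major, minor)) for a ServerHello, carrying the version
    the server chose; ("refused", alert_description) for an alert record;
    ("refused", None) when the server closed without answering; and
    ("unknown", None) for anything else (e.g. an HTTP error on the wrong port).
    """
    if not data:
        return ("refused", None)
    if data[0] == 0x15 and len(data) >= 7:                       # Alert: level, description
        return ("refused", data[6])
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02:  # Handshake / ServerHello
        return ("accepted", (data[9], data[10]))
    return ("unknown", None)


def probe(host, port=443, version=SSL3, timeout=5.0):
    """Connect, offer only `version`, and classify what comes back."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello(version))
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "asa.example.net"  # hypothetical host
    for name, ver in (("SSLv3", SSL3), ("TLSv1.0", TLS10)):
        status, detail = probe(target, version=ver)
        print(f"{name:8s} -> {status} {detail if detail is not None else ''}")
```

Run it against the interface the ASA terminates WebVPN/AnyConnect sessions on. After the change you want SSLv3 reported as refused and TLSv1.0 as accepted; if SSLv3 still comes back accepted, the setting did not take effect on that interface. Note what the probe cannot tell you: as the accepted answer says, TLS 1.0 is still exposed to TLS-POODLE on this code train until the upgrade to 8.2.5.55 or higher, and a TLS 1.0 handshake succeeding here is the expected result either way.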

4 Replies


Thank you! I believe the "new NAT" was introduced in version 8.3, so upgrading from 8.2.2 to 8.2.5.55 should be straightforward.

With that said, according to the page below, I also have to upgrade AnyConnect clients to version 4.x or higher. At this point I wonder if AnyConnect clients have to be upgraded to 4.x before configuring the ASA with "ssl server-version tlsv1". Any thoughts?

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118780-technote-asa-00.html#anc4

Thank you

With the mentioned update, the NAT model will stay the same. I would expect the update to be quite easy.

Upgrading to AnyConnect 4.0 is not needed and won't give you any security benefit in regard to TLS. For the higher security mentioned in the document you need AC 4 *and* an ASA that runs 9.3 or higher, as with that combination TLS 1.2 is supported.

The SSL server version can also be configured to tlsv1-only with the current AC 3.1 client.

Thank you for the quick response.

I will make the config change early next week.

Thank you
