Disable TLS 1.0 on VCS / Expressway

William Kok
Level 1

Hi There,

For the Bug CSCuz16292

Disable backward compatibility for TLS version 1.0

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz16292/?referring_site=bugquickviewredir

Does anyone know how to disable the TLS v1 on the VCS / expressway?

Regards,

William

9 Replies

Manish Gogna
Cisco Employee

--Edited --

Hi William,

This option is available in x8.8 as per an internal bug. VCS x8.8 includes a way to select the TLS version to be used in SIP communications. Please log in via SSH (with PuTTY) and try the command

xConfiguration SIP Advanced SipTlsVersions ?

It will offer the options (TLSv1.1:TLSv1.2).

HTH

Manish

Hi Manish,

Thanks for the reply. Your name is familiar to me; I believe you might have helped on some of my TAC cases.

I have no permission to access the link you posted, but I will try it in my lab on version 8.8.

Thanks & Regards,

William

Quite possible :) I worked in Cisco TAC for 5 years.

Manish

Dear Mr Manish Gogna

We disabled TLS versions 1.0 and 1.1 and enabled only TLS version 1.2:

OK
xConfiguration SIP Advanced SipTlsVersions
*c xConfiguration SIP Advanced SipTlsVersions: "TLSv1.2"

OK

But a new vulnerability scan appears as follows:

THREAT:
TLS is capable of using a multitude of ciphers (algorithms) to create the public and private key pairs.
For example, TLSv1.0 uses either the RC4 stream cipher, or a block cipher in CBC mode.
RC4 is known to have biases and the block cipher in CBC mode is vulnerable to the POODLE attack.
TLSv1.0, if configured to use the same cipher suites as SSLv3, includes a means by which a TLS implementation can downgrade the connection to
SSL v3.0, thus weakening security.
A POODLE-type (https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) attack could also be launched directly at TLS without negotiating a
downgrade.
This QID will be marked as a Fail for PCI as of November 1st, 2016 in accordance with the new standards. For existing implementations,
Merchants will be able to submit a PCI False Positive / Exception Request and provide proof of their Risk Mitigation and Migration Plan, which will
result in a pass for PCI up until June 30th, 2018.
Further details can be found at: NEW PCI DSS v3.2 and Migrating from SSL and Early TLS v1.1 (https://community.qualys.com/message/34120)
IMPACT:
An attacker can exploit cryptographic flaws to conduct man-in-the-middle type attacks or to decrypt communications.
For example: An attacker could force a downgrade from the TLS protocol to the older SSLv3.0 protocol and exploit the POODLE vulnerability, read
secure communications or maliciously modify messages.
A POODLE-type (https://blog.qualys.com/ssllabs/2014/12/08/poodle-bites-tls) attack could also be launched directly at TLS without negotiating a
downgrade.
SOLUTION:
Disable the use of TLSv1.0 protocol in favor of a cryptographically stronger protocol such as TLSv1.2.

Do you know how to solve it?

But you have already enabled TLSv1.2. Does this appear after enabling TLSv1.2?

Manish

We have been battling this for over 6 months. Our Security Committee won't allow us to open up the Expressway for MRA due to the fact that TLS 1.0/1.1 is available on port 8443. We have used the above to remove TLS 1.0/1.1 on the SIP connections, but as far as I can tell there is no current method to disable it on the MRA portion. It appears 8.9 was released, but there is no mention of this feature in the release notes.

Anyone have any ideas?

Thanks,

Joe
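The posts above fix the SIP side with `xConfiguration SIP Advanced SipTlsVersions` and then find that the HTTPS ports used for MRA still negotiate TLS 1.0/1.1. The following is an added example, not Cisco's or any poster's code: a Python client that attempts one handshake per protocol version per port and lists anything negotiated outside policy, so the change can be verified before the next scan. The host name, the 5061/443/8443 port set and the "TLS 1.2 only" policy are assumptions taken from the thread.

```python
import socket
import ssl
import sys

# Versions to probe, oldest first; the scanner flags the first two.
PROBE_VERSIONS = (ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1, ssl.TLSVersion.TLSv1_2)
# Assumed policy: the thread ends up allowing only TLS 1.2.
ALLOWED = {ssl.TLSVersion.TLSv1_2}
# Expressway ports named in the thread: SIP TLS and the HTTPS/MRA interfaces.
PORTS = (5061, 443, 8443)

def context_for(version):
    """Client context pinned to one protocol version.  Certificate checks are
    off: the question is whether the server negotiates this version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = version
    ctx.maximum_version = version
    try:
        # Modern OpenSSL refuses TLS 1.0/1.1 client-side at its default security
        # level; relax it so the result reflects the server's policy, not ours.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL / very old OpenSSL: no security levels to relax
    return ctx

def accepts(host, port, version, timeout=5.0):
    """True if the server completes a handshake at exactly `version`."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context_for(version).wrap_socket(raw, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ValueError):  # ssl.SSLError and socket.timeout are OSErrors
        return False

def probe(host, ports=PORTS, connect=accepts):
    """Map (port, version) -> accepted; `connect` is injectable for testing."""
    return {(p, v): connect(host, p, v) for p in ports for v in PROBE_VERSIONS}

def findings(results, allowed=ALLOWED):
    """Sorted 'port:version' entries negotiated outside the allowed set."""
    return sorted(f"{port}:{ver.name}" for (port, ver), ok in results.items()
                  if ok and ver not in allowed)

if __name__ == "__main__":
    bad = findings(probe(sys.argv[1]))  # usage: python tls_check.py <expressway-host>
    print("PASS: only allowed TLS versions negotiable" if not bad else "FAIL: " + ", ".join(bad))
```

A "FAIL: 8443:TLSv1, 8443:TLSv1_1" line reproduces the situation Joe describes; an empty findings list means the scanner's QID for early TLS should no longer fire on those ports.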

Joe,

Admin control over the TLS version offered on HTTPS interfaces including TCP 443 and 8443 is planned for the next release targeting end of June 2017.

-Kevin

One thing to keep in mind is that if you use WebEx CMR, inbound calls will fail as they still use 1.0.

Hello,

Is this still an issue today? Is TLS 1.0 still being used for Webex CMR?

Regards,