01-29-2016 06:46 AM - edited 03-12-2019 12:12 AM
On my Cisco ASA 5512-X, I recently upgraded to 9.3(3)2 to obtain TLS v1.2 functionality. However, when I go under the SSL options it only says TLS v1. I tested it, and the option TLS v1 means TLS v1.0, v1.1, and v1.2.
Is there any way to only use TLS v1.2?
01-29-2016 07:43 AM
Hi,
If you want your ASA to send only TLS 1.2 in the SSL server hello message, then you can use
ssl server-version tlsv1.2
Please refer to the ssl server-version section at the link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1562315
Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
01-29-2016 08:52 AM
Hi
I re-ran a test on SSL Labs, and I got two things still sticking out and I was wondering if you knew anything about the following:
I thought the TLSv1.2 would solve those issues.
01-12-2018 06:41 AM - edited 01-12-2018 06:43 AM
Forward Secrecy - Resolved by adding dhe-aes256-sha1:dhe-aes128-sha to TLSV1.2 and finding DHE-RSA-AES128-SHA, which would work with ASDM and V1.2 and didn’t break the forward secrecy. This worked on 5515-X and 5516-X.
router# show run all ssl
ssl server-version tlsv1.1
ssl client-version tlsv1.2
ssl cipher default custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.1 custom "DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:dhe-aes256-sha1:dhe-aes128-sha:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-AES256-SHA1:DHE-AES256-SHA:DHE-RSA-AES128-SHA "
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA"
ssl dh-group group24
ssl ecdh-group group20
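Added example, not part of any post in this thread: a small offline audit of `show run all ssl` output in the format quoted above. It reports a `ssl server-version` other than the `tlsv1.2` value from the accepted answer, cipher names without an ephemeral (DHE/ECDHE) key exchange, duplicate entries, and stray whitespace inside a quoted cipher list. The function name and the sample input are constructed for illustration.

```python
import re

# Constructed sample in the format of the `show run all ssl` output quoted in the thread.
SAMPLE = '''\
ssl server-version tlsv1.1
ssl client-version tlsv1.2
ssl cipher tlsv1.1 custom "DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.2 custom "ECDHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384 "
'''

VERSION_RE = re.compile(r'^ssl server-version (\S+)\s*$')
CIPHER_RE = re.compile(r'^ssl cipher (\S+) custom "([^"]*)"\s*$')


def audit_ssl_config(text, wanted_version="tlsv1.2"):
    """Return (kind, detail) findings for ASA-style `ssl ...` config lines."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        m = VERSION_RE.match(line)
        if m and m.group(1) != wanted_version:
            findings.append(("server-version", m.group(1)))
            continue
        m = CIPHER_RE.match(line)
        if not m:
            continue
        scope, value = m.groups()
        if value != value.strip():
            # Leading/trailing blanks inside the quotes: flagged for review only.
            findings.append(("whitespace", scope))
        seen = set()
        for name in value.strip().split(":"):
            key = name.upper()
            if key in seen:
                findings.append(("duplicate", f"{scope}:{name}"))
            seen.add(key)
            # An ephemeral (EC)DHE key exchange is what provides forward secrecy;
            # names such as AES256-SHA use static RSA key exchange.
            if not key.startswith(("DHE-", "ECDHE-")):
                findings.append(("no-forward-secrecy", f"{scope}:{name}"))
    return findings


if __name__ == "__main__":
    for kind, detail in audit_ssl_config(SAMPLE):
        print(f"{kind:20} {detail}")
```
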