ASA 5512-X 9.3(3)2

steversks
Level 1

On my Cisco ASA 5512-X, I recently upgraded to 9.3(3)2 to obtain TLS v1.2 functionality. However, when I go under the SSL options it only says TLS v1. I tested it, and the option TLS v1 means TLS v1.0, v1.1, and v1.2.

Is there any way to only use TLS v1.2?

Accepted Solution

Shivapramod M
Level 1

Hi,

If you want your ASA to send only TLS 1.2 in the SSL server hello message, then you can use

ssl server-version tlsv1.2

Please refer to the ssl server-version section of the link below:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1562315

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

3 Replies

Hi Shivapramod,

ssl server-version tlsv1.2 -- worked!

I re-ran a test on SSL Labs, and two things still stick out; I was wondering if you knew anything about the following:

  1. There is no support for secure renegotiation
  2. The server does not support Forward Secrecy with the reference browsers

I thought the TLSv1.2 would solve those issues.

Forward Secrecy - resolved by adding dhe-aes256-sha1:dhe-aes128-sha to TLSv1.2 and finding DHE-RSA-AES128-SHA, which would work with ASDM and v1.2 and didn't break forward secrecy. This worked on 5515-X and 5516-X.

 router# show run all ssl

ssl server-version tlsv1.1
ssl client-version tlsv1.2
ssl cipher default custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.1 custom "DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:dhe-aes256-sha1:dhe-aes128-sha:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-AES256-SHA1:DHE-AES256-SHA:DHE-RSA-AES128-SHA "
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA"
ssl dh-group group24
ssl ecdh-group group20
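As an added example (not from this thread or from Cisco), here is a small Python audit of the "show run all ssl" output above: it parses the server-version and each cipher list, flags lists that still offer RSA-key-exchange suites (the Forward Secrecy finding from SSL Labs), flags duplicate entries, and notes that this particular config pins server-version to tlsv1.1 rather than the tlsv1.2 the thread settled on. The regexes and the forward-secrecy heuristic (a suite name starting with ECDHE- or DHE-) are my assumptions about the output format, not an ASA feature.

```python
import re

# Sample input: the "show run all ssl" output posted above (5515-X/5516-X), embedded verbatim so
# the check runs offline.  Note the stray trailing space inside the tlsv1.2 quotes: real
# show-run output is messy and the parser has to tolerate it.
SHOW_RUN_ALL_SSL = """\
ssl server-version tlsv1.1
ssl client-version tlsv1.2
ssl cipher default custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1 custom "DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.1 custom "DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:dhe-aes256-sha1:dhe-aes128-sha:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-AES256-SHA1:DHE-AES256-SHA:DHE-RSA-AES128-SHA "
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA"
ssl dh-group group24
ssl ecdh-group group20
"""
CIPHER_RE = re.compile(r'^ssl cipher (\S+) custom "([^"]*)"')   # assumed line shape
VERSION_RE = re.compile(r"^ssl (server|client)-version (\S+)")

def parse_ssl_config(text):
    """Parse 'show run all ssl' into {'server_version', 'client_version', 'ciphers': {list: [names]}}."""
    cfg = {"server_version": None, "client_version": None, "ciphers": {}}
    for line in text.splitlines():
        if m := VERSION_RE.match(line):
            cfg[m.group(1) + "_version"] = m.group(2)
        elif m := CIPHER_RE.match(line):
            # OpenSSL-style colon list; drop whitespace and empty entries left by the stray space
            cfg["ciphers"][m.group(1)] = [c.strip() for c in m.group(2).split(":") if c.strip()]
    return cfg

def is_forward_secret(cipher):
    """Ephemeral (EC)DH key exchange gives forward secrecy; RSA-key-exchange suites like AES256-SHA do not."""
    return cipher.upper().startswith(("ECDHE-", "DHE-"))

def audit(cfg):
    """Report what is visible in config of the SSL Labs findings discussed above: server-version not
    pinned to tlsv1.2, lists still offering non-forward-secret suites, and duplicate entries."""
    report = {"server_version_ok": cfg["server_version"] == "tlsv1.2", "non_forward_secret": {}, "duplicates": {}}
    for name, ciphers in cfg["ciphers"].items():
        weak = [c for c in ciphers if not is_forward_secret(c)]
        if weak:
            report["non_forward_secret"][name] = weak
        upper = [c.upper() for c in ciphers]          # dhe-aes256-sha1 and DHE-AES256-SHA1 are the same suite
        dups = sorted({c for c in upper if upper.count(c) > 1})
        if dups:
            report["duplicates"][name] = dups
    return report

if __name__ == "__main__":
    for key, value in audit(parse_ssl_config(SHOW_RUN_ALL_SSL)).items():
        print(key, value)
```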
