Hi,

Bekzod Fakhriddinov · ‎02-23-2016

Hi guys. I have a recommendation to switch from SSLv2 to SSLv3 , but I see there is bug at SSLv3 poodle bug. And Cisco recommend to disable sslv3 and enable tlsv1 .

on my ASA , version 9.2.3.4

"show ssl"

1 Accept connections using SSLv2 or greater and negotiate to TLSv1
2 Start connections using TLSv1 only and negotiate to TLSv1 only
3 Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1

-does line 1 and 2 mean that ASA already works with TLS instead of SSL ?

-if yes do i need still to switch to sslv3 and then do ASA(config)# ssl client-version tlsv1-only ?

How can i leave only AES 256-SHA1 encryption?

thank you

Shivapramod M · ‎02-23-2016

Hi,

Yes, the ASA supports tlsv1 in your current version. You can mention the client-version and server-version as tslv1 so that you do not hit the POODLE vulnerability.

Regarding the cipher settings on the ASA you can refer "ssl cipher" section in the below link

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1724385

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

Bekzod Fakhriddinov · ‎02-23-2016

Thank you Shivapramod . But from your post its not clear :

do i need still to switch to SSLv3 and then do ASA(config)# ssl client-version tlsv1-only

ssl server-version tlsv1-only

or not ?

ASA ssl to tls