Cisco 5510 ssl and ssh

lawsuites
Level 1

Hello everyone, we have users that use credit card vendor services and they are charging us more because, according to them, we have SSL 2.0 and SSH version 1 and these are security vulnerabilities. They say if we upgrade to SSL 3.0 or SSH 2.0 then it would be fine. How do I check which version I have, and how can I change or disable them? Will this affect any of our network (like Exchange OWA, etc.)? Thanks

20 Replies

Without making any changes to our current configs:

When I do "sh run ssl" it comes out empty.

ASA(config)# sh run ssl
ASA(config)#

What can be the reason for this? How does the vendor test our IP address and say that we are allowing SSL 2?

The only thing I am concerned about is that we have a VPN connection to a remote location that also connects with an ASA 5510, and Outlook Web App (which checks the certificate and says Version 3).

Also, can we just take out SSLv2 and keep the others like SSLv3 and TLSv1?

configure mode commands/options:
  any         Enter this keyword to accept SSLv2 ClientHellos and either SSLv3
              or TLSv1 will be negotiated
  sslv3       Enter this keyword to accept SSLv2 ClientHellos and negotiate
              SSLv3
  sslv3-only  Enter this keyword to accept ClientHellos only from a client
              using SSLV3
  tlsv1       Enter this keyword to accept SSLv2 ClientHellos and negotiate
              TLSv3
  tlsv1-only  Enter this keyword to accept ClientHellos only from a client
              using TLSV1
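The question of how a vendor's scanner decides that the appliance "allows SSL 2" can be answered by doing the same check yourself: send an SSLv2-format CLIENT-HELLO and see whether the server answers it. The help text above says that the any, sslv3 and tlsv1 settings accept SSLv2 ClientHellos (and negotiate SSLv3/TLSv1 from them), while the -only settings reject them. The following script is an added example, not code from the thread or from Cisco; it assumes the probed host and port are your own appliance (the defaults are placeholders), and it treats any ServerHello in reply to the v2-format hello as "accepted", which is how a PCI scanner would report it.

```python
"""Check whether a TLS endpoint accepts an SSLv2-format CLIENT-HELLO.

Added example (hypothetical): sends the legacy SSL 2.0 hello envelope to a
server you operate and classifies the first bytes of the reply.  Use it before
and after changing 'ssl server-version' on the ASA to confirm the scanner's
finding has gone away.
"""
import os
import socket
import struct
import sys

# SSLv2 cipher-spec identifiers (3 bytes each) from the SSL 2.0 specification.
SSLV2_CIPHER_SPECS = [
    b"\x01\x00\x80",  # SSL_CK_RC4_128_WITH_MD5
    b"\x02\x00\x80",  # SSL_CK_RC4_128_EXPORT40_WITH_MD5
    b"\x03\x00\x80",  # SSL_CK_RC2_128_CBC_WITH_MD5
    b"\x04\x00\x80",  # SSL_CK_RC2_128_CBC_EXPORT40_WITH_MD5
    b"\x05\x00\x80",  # SSL_CK_IDEA_128_CBC_WITH_MD5
    b"\x06\x00\x40",  # SSL_CK_DES_64_CBC_WITH_MD5
    b"\x07\x00\xc0",  # SSL_CK_DES_192_EDE3_CBC_WITH_MD5
]

# Names for the (major, minor) version carried in an SSLv3/TLS record header.
RECORD_VERSIONS = {(3, 0): "SSLv3", (3, 1): "TLSv1.0", (3, 2): "TLSv1.1", (3, 3): "TLSv1.2"}


def build_sslv2_client_hello(version=(3, 1), challenge=None):
    """Return a complete SSLv2-format CLIENT-HELLO record.

    version=(3, 1) advertises TLS 1.0 inside the SSLv2 envelope, the same
    shape the old OpenSSL "v23" compatibility hello used.  A server set to
    accept SSLv2 ClientHellos answers it; one set to *-only rejects it.
    """
    challenge = challenge if challenge is not None else os.urandom(16)
    cipher_specs = b"".join(SSLV2_CIPHER_SPECS)
    body = (
        b"\x01"                                  # MSG-CLIENT-HELLO
        + bytes(version)                         # CLIENT-VERSION-MSB, LSB
        + struct.pack("!H", len(cipher_specs))   # CIPHER-SPECS-LENGTH
        + struct.pack("!H", 0)                   # SESSION-ID-LENGTH (none)
        + struct.pack("!H", len(challenge))      # CHALLENGE-LENGTH
        + cipher_specs                           # CIPHER-SPECS-DATA
        + challenge                              # CHALLENGE-DATA
    )
    # Two-byte SSLv2 record header: high bit set, 15-bit length, no padding.
    header = struct.pack("!H", 0x8000 | len(body))
    return header + body


def classify_response(data):
    """Map the first bytes the server sends back onto a scanner-style finding."""
    if not data:
        return "rejected: connection closed without a reply"
    if data[0] & 0x80 and len(data) >= 3 and data[2] == 0x04:
        # SSLv2 record whose message type is MSG-SERVER-HELLO: real SSL 2.0.
        return "accepted: SSLv2 SERVER-HELLO (SSL 2.0 negotiated)"
    if data[0] & 0x80 and len(data) >= 3 and data[2] == 0x00:
        return "rejected: SSLv2 ERROR message"
    if data[0] == 0x16 and len(data) >= 3:
        # SSLv3/TLS handshake record: the v2 envelope was accepted and a
        # newer protocol negotiated from it ('any', 'sslv3' or 'tlsv1' mode).
        name = RECORD_VERSIONS.get((data[1], data[2]), "SSL/TLS %d.%d" % (data[1], data[2]))
        return "accepted: SSLv2-format hello answered with %s handshake" % name
    if data[0] == 0x15:
        return "rejected: SSL/TLS alert"
    return "unknown: unexpected reply %s" % data[:5].hex()


def probe(host, port=443, timeout=5.0):
    """Connect to host:port, send the v2-format hello and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv2_client_hello())
        try:
            reply = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            reply = b""
    return classify_response(reply)


if __name__ == "__main__":
    # Placeholder target: replace with the address of your own appliance.
    target = sys.argv[1] if len(sys.argv) > 1 else "asa.example.invalid"
    print(target, "->", probe(target))
```

Run it against the appliance's outside address before the change, switch the ASA to one of the -only settings, and run it again; the finding should move from "accepted" to "rejected". An "accepted" result in the tlsv1 or sslv3 variants is exactly what the scanner reports as SSLv2 support, even though the connection itself ends up on SSLv3 or TLS.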

The reason "sh run ssl" does not show anything is because you have the default values. To check what those settings are, use "sh run all ssl".

Federico.

Thanks, I got the following:

ASA(config)# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption afsd-sha1 .........(long key)
ASA(config)#

If i change to this :

ssl server-version sslv3-only

will something go wrong with the SSL encryption, or anything else? And if I need to go back to "any", should I use the following command:

ssl server-version any (let me know if this is wrong)

Thanks again for your time.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s8.html#wp1511377

sslv3-only

The security appliance accepts only SSL version 3 client hellos, and uses only SSL version 3.

Refer the above link and it has the command syntax.

ssl server-version any is correct syntax.

-KS

Thanks, KS.
