Confirmation that SSLV3 is disabled on ASA

mahesh18 · ‎03-13-2015

Hi Everyone,

I configured ASA with

sh run all ssl
ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption aes256-sha1 dhe-aes256-sha1 dhe-aes128-sha1
ssl trust-point ASDM_TrustPoint1 outside
ssl certificate-authentication fca-timeout 2

But when i run the command

sh crypto ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1 ???
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: aes256-sha1 dhe-aes256-sha1 dhe-aes128-sha1

Need to know why ASA is showing Accept connections using SSLv3?

Regards

MAhesh

Vibhor Amrodia · ‎03-13-2015

Hi,

If you like to disable SSLv3 on the ASA device , use this option:-

ssl server-version tlsv1-only

Refer:-

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1562315

Thanks and Regards,

Vibhor Amrodia

bh203 · ‎07-29-2019

This thread is old however since no confirmation was given by OP that this worked I'd like to hope it can be reopened. I'm trying to run this "tlsv1.2-only" command in reference to the same issue but the ASA returns with "ERROR: % Invalid Input detected at Marker" and it references the "-only".

Is this command not active in ASA version 9.7?

I also need to completely shut off TLS 1.0/SSLv3 but am still seeing the message "Accept connections using SSLv3..." even after forcing TLS 1.2 on both Server and Client versions.

Marvin Rhoads · ‎07-29-2019

I believe the output of the "show" command is in error. If we configure the settings as suggested:

ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 custom "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256"
ssl dh-group14

...and then run nmap with the enum-ciphers (enumerate cryptographic cipher support of the target system https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html), we get

Starting Nmap 7.70 ( https://nmap.org ) at 2019-07-30 12:52 Malay Peninsula Standard Time 
Nmap scan report for 172.31.1.21 
Host is up (0.00s latency). 

PORT STATE SERVICE VERSION 
443/tcp open ssl/http Cisco ASA SSL VPN 
|_http-trane-info: Problem with XML parsing of /evox/about 
| ssl-enum-ciphers: 
| TLSv1.2: 
| ciphers: 
| TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A 
| TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A 
| TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (dh 2048) - A 
| compressors: 
| NULL 
| cipher preference: server 
|_ least strength: A

You can also confirm using openssl and attempting to force an sslv3 connection as follows:

root@eve-ng:~# openssl s_client -connect 172.31.1.21:443 -ssl3
140475002840728:error:140A90C4:SSL routines:SSL_CTX_new:null ssl method passed:ssl_lib.c:1878:
root@eve-ng:~#

NOTE: Make sure all of your clients have current AnyConnect software (4.7 or later). Otherwise older versions may fail to establish a connection with the server (ASA) when you tighten things down too much:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz41966/?rfs=iqvred

bh203 · ‎07-30-2019

Marvin,

Thank you so much for confirming what I suspected, that the SHOW result is not 100% accurate. I ran NMAP with ssl-enum-ciphers as you recommended and you were absolutely correct! I got a return showing ONLY TLS 1.2 active on the ports.

Really appreciate you solving this mystery!