09-23-2015 01:31 PM - edited 03-11-2019 11:38 PM
Our customer is looking for a way to disable SSLv3 on the ASA when receiving AnyConnect connections from the VPN phones. It seems that there is a vulnerability related to that version of SSL and the recommendation is to use TLS. I know the ASA has the command "ssl server-version tlsv1-only" but I want to confirm that the use of that command will avoid the use of SSLv3 and that it will not affect the VPN phones connecting to the ASA. Will that work?
09-23-2015 06:21 PM
Hi,
Why are we looking for a workaround and not picking up the fix for the issue by doing the upgrade?
It depends whether the workaround will affect the phones, as if they would be negotiating using SSL, they will not work.
Thanks and Regards,
Vibhor Amrodia
09-23-2015 07:19 PM
The customer needs a fix ASAP. He can try the upgrade but not now, probably in a few weeks.
If we use the following command:
ssl server-version tlsv1-only
Will that avoid SSLv3 and force the phones to use TLSv1?
That could be the quickest solution for the client.
09-23-2015 07:23 PM
Hi,
Yes, check this:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1562315
Thanks and Regards,
Vibhor Amrodia
09-23-2015 07:43 PM
Thanks.
The phones will negotiate TLS and everything should be seamless to the VPN phones, right?
I will try that command and plan an upgrade in the next couple of weeks.