Disable SSLv3 on the ASA (poodle vulnerability)

Our customer is looking for a way to disable SSLv3 on the ASA when receiving AnyConnect connections from the VPN phones. It seems that there is a vulnerability related to that version of SSL and the recommendation is to use TLS. I know the ASA has the command "ssl server-version tlsv1-only", but I want to confirm that the use of that command will avoid the use of SSLv3 and that it will not affect the VPN phones connecting to the ASA. Will that work?

Accepted Solution

Vibhor Amrodia
Cisco Employee

Hi,

Why are we looking for a workaround and not picking up the fix for the issue by doing the upgrade?

It depends on whether the workaround will affect the phones; if they are negotiating using SSL, they will not work.

Thanks and Regards,

Vibhor Amrodia

The customer needs a fix ASAP. He can try the upgrade but not now, probably in a few weeks.

If we use the following command:

ssl server-version tlsv1-only

will that avoid SSLv3 and force the phones to use TLSv1?

That could be the quickest solution for the client.
Hi,

Yes, check this:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1562315

Thanks and Regards,

Vibhor Amrodia

Thanks. 

The phones will negotiate TLS and everything should be seamless to the VPN phones, right?

I will try that command and plan an upgrade in the next couple of weeks.
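An added verification step for this thread (example code, not from the original posts or from Cisco): after applying `ssl server-version tlsv1-only`, probe the ASA's listening address from a client to confirm that SSLv3 is refused while at least one TLS version is still accepted, since the phones depend on the latter. Host, port and the function names are my own assumptions; the probe only checks protocol acceptance, so certificate validation is deliberately off.

```python
import socket
import ssl
import sys

# Versions to probe, oldest first. After "ssl server-version tlsv1-only"
# only the TLS entries should come back as "accepted".
PROBE_VERSIONS = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def probe_version(host, port, version, timeout=5.0):
    """Return "accepted", "rejected" or "untestable" for one protocol version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # ASA certs are often self-signed;
    ctx.verify_mode = ssl.CERT_NONE     # we only ask which versions it speaks
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let an OpenSSL 3 client offer TLS 1.0/1.1
    except ssl.SSLError:
        pass                            # builds without security levels (e.g. LibreSSL)
    try:
        ctx.minimum_version = version   # pin min == max so the server cannot
        ctx.maximum_version = version   # negotiate a different version
    except ValueError:
        return "untestable"             # local OpenSSL cannot speak it at all (typical for SSLv3)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "accepted" if tls.version() else "rejected"
    except (ssl.SSLError, OSError):
        return "rejected"               # handshake refused or no connection


def probe_server(host, port=443):
    """Probe every version in PROBE_VERSIONS and return {name: result}."""
    return {name: probe_version(host, port, v) for name, v in PROBE_VERSIONS.items()}


def poodle_status(results):
    """Summarise probe_server() output: vulnerable / broken / unknown / fixed."""
    if results.get("SSLv3") == "accepted":
        return "vulnerable"             # SSLv3 still offered: POODLE exposure remains
    if not any(r == "accepted" for n, r in results.items() if n != "SSLv3"):
        return "broken"                 # no TLS accepted: the VPN phones would fail too
    if results.get("SSLv3") == "untestable":
        return "unknown"                # confirm SSLv3 with another client before signing off
    return "fixed"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"  # placeholder ASA address
    res = probe_server(target)
    print(res, "->", poodle_status(res))
```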
