how to disable Accept connections using SSLv3

Nitin S
Level 5

Hello All,

We need to disable SSLv3 on a Cisco ASA (v9.12(4)4). Below is some output of ssl:

ASA1# sh ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater
SSL DH Group: group24 (2048-bit modulus, 256-bit prime order subgroup, FIPS)
SSL ECDH Group: group19 (256-bit EC)
ASA1# sh run ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
ssl dh-group group24

3 Replies

balaji.bandi
Hall of Fame

As per the output, I do not see SSLv3 at a high level. Are you looking to disable SSLv3 for VPN users or for device access?

You can check below:

Use the ASDM; you will find the same settings at Configuration > Remote Access VPN > Advanced > SSL Settings.

BB


Hi,

Yes, we are looking to disable SSLv3 for VPN users. Especially, we want the message below to disappear:


ASA1# sh ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater

Even though the show command indicates it, if you run a check using an external scanning tool against your ASA you should see it reject SSL 3 connections.

You can use https://www.ssllabs.com/ssltest/analyze.html if your ASA has a resolvable FQDN for VPN.

Alternatively, you can use nmap with the cipher enumeration option.

https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html

FYI, I suggest the following configuration:

ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384"
ssl dh-group group14
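The accepted answer's point is that the `show ssl` banner is not the evidence; an external scan is. The script below is an added example, not code from the thread or from Cisco: it parses `nmap --script ssl-enum-ciphers` output against the suggested policy (`ssl server-version tlsv1.2` plus the three-cipher custom list), translating the ASA's OpenSSL-style cipher names to the IANA names nmap prints, and it can also probe a live host one protocol version at a time. The two scan texts are constructed for the example, not real results from the poster's ASA1, and the host name passed on the command line is whatever VPN FQDN you are testing.

```python
"""Check an ASA's SSL/TLS exposure from outside: parse nmap ssl-enum-ciphers
output against the thread's suggested policy, and probe each version live.
Added example for the thread; the scan text below is constructed."""
import re
import socket
import ssl

# `ssl cipher tlsv1.2 custom "..."` on the ASA takes OpenSSL-style names;
# nmap prints IANA names, so map the suggested list between the two.
OPENSSL_TO_IANA = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "DHE-RSA-AES256-GCM-SHA384": "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
}
ASA_CUSTOM = ("ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 "
              "DHE-RSA-AES256-GCM-SHA384")
PROTO_ORDER = ["SSLv3", "TLSv1.0", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.[0-3]):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\b")

# Constructed nmap output: first a permissive ASA, then one running the
# suggested `ssl server-version tlsv1.2` with the custom cipher list.
SCAN_BEFORE = """\
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (secp256r1) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (secp256r1) - A
|_  least strength: A
"""
SCAN_AFTER = """\
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (secp256r1) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|_  least strength: A
"""


def parse_enum_ciphers(text):
    """Return {protocol: [IANA cipher names]} from ssl-enum-ciphers output."""
    offered, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:
            current = m.group(1)
            offered.setdefault(current, [])
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            offered[current].append(m.group(1))
    return offered


def evaluate(offered, asa_custom=ASA_CUSTOM, min_proto="TLSv1.2"):
    """Violations: any version below min_proto, any TLSv1.2 cipher outside the list."""
    allowed = {OPENSSL_TO_IANA[name] for name in asa_custom.split()}
    too_old = set(PROTO_ORDER[:PROTO_ORDER.index(min_proto)])
    violations = []
    for proto, ciphers in offered.items():
        if proto in too_old:
            violations.append(f"{proto} offered (policy floor is {min_proto})")
        elif proto == "TLSv1.2":  # the custom list only governs TLSv1.2 on the ASA
            for cipher in ciphers:
                if cipher not in allowed:
                    violations.append(f"{proto}: {cipher} not in ssl cipher custom list")
    return violations


def probe_versions(host, port=443, timeout=5.0):
    """Live check: one handshake per version, pinned with minimum/maximum_version.
    A modern client OpenSSL usually cannot speak SSLv3 at all; that comes back as
    'untestable', and the nmap or SSL Labs scan stays the ground truth."""
    results = {}
    for name, version in [("SSLv3", ssl.TLSVersion.SSLv3), ("TLSv1.0", ssl.TLSVersion.TLSv1),
                          ("TLSv1.1", ssl.TLSVersion.TLSv1_1), ("TLSv1.2", ssl.TLSVersion.TLSv1_2)]:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE  # testing versions, not the cert
        try:
            ctx.set_ciphers("ALL:@SECLEVEL=0")   # a refusal must come from the ASA, not client policy
            ctx.options &= ~ssl.OP_NO_SSLv3      # default contexts forbid SSLv3 client-side
            ctx.maximum_version = version
            ctx.minimum_version = version
        except (ValueError, ssl.SSLError):
            results[name] = "untestable"
            continue
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = f"ACCEPTED ({tls.cipher()[0]})"
        except (ssl.SSLError, OSError):
            results[name] = "rejected"
    return results


if __name__ == "__main__":
    import sys
    for label, scan in (("before", SCAN_BEFORE), ("after", SCAN_AFTER)):
        print(label, evaluate(parse_enum_ciphers(scan)) or "policy met")
    if len(sys.argv) > 1:  # python asa_tls_check.py vpn.example.com
        print(probe_versions(sys.argv[1]))
```

Feed it real output with `nmap -p 443 --script ssl-enum-ciphers <asa-vpn-fqdn>`; anything below TLSv1.2 in the parsed result, or a TLSv1.2 cipher outside the custom list, is a finding regardless of what the `show ssl` banner says.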