01-26-2021 01:47 AM
Hello All,
we need to disable SSLv3 on Cisco ASA (v9.12(4)4). Below is some output of ssl:
ASA1# sh ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater
SSL DH Group: group24 (2048-bit modulus, 256-bit prime order subgroup, FIPS)
SSL ECDH Group: group19 (256-bit EC)
ASA1# sh run ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
ssl dh-group group24
01-26-2021 08:26 AM
Even though the show command indicates it, if you run a check using an external scanning tool against your ASA you should see it reject SSL 3 connections.
You can use https://www.ssllabs.com/ssltest/analyze.html if your ASA has a resolvable FQDN for VPN.
Alternatively you can use nmap with the cipher enumeration option.
https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html
FYI, I suggest the following configuration:
ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384"
ssl dh-group group14
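The verification step the answer describes (an external check that the ASA actually refuses SSLv3, regardless of what `show ssl` prints) can also be done without SSL Labs or nmap. The following is an added example, not code from the thread or from Cisco: it hand-builds an SSLv3 ClientHello record and classifies the first record the server sends back. It is written at the byte level because many current OpenSSL builds, and therefore Python's own `ssl` module, are compiled without SSLv3 support, so `openssl s_client -ssl3` is often unavailable. The host name and port in the usage are placeholders; the response bytes in the comments are constructed for illustration.

```python
import os
import socket
import struct
import sys

SSLV3 = (3, 0)  # protocol version bytes 0x03 0x00

# SSL/TLS record content types and handshake message types used below.
CONTENT_ALERT = 0x15
CONTENT_HANDSHAKE = 0x16
HANDSHAKE_CLIENT_HELLO = 0x01
HANDSHAKE_SERVER_HELLO = 0x02

# A few cipher suites (IANA values) that an SSLv3-era stack would recognise:
# RSA-AES128-SHA, RSA-AES256-SHA, RSA-3DES-SHA, RSA-RC4-SHA.
SSLV3_CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]

ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 80: "internal_error"}


def build_sslv3_client_hello(cipher_suites=SSLV3_CIPHER_SUITES, random_bytes=None):
    """Return one SSLv3 record carrying a ClientHello (RFC 6101, section 5.6.1.2).

    SSLv3 has no extensions block, so the body ends after the compression list.
    """
    random_bytes = os.urandom(32) if random_bytes is None else random_bytes
    if len(random_bytes) != 32:
        raise ValueError("ClientHello random must be exactly 32 bytes")
    suites = b"".join(struct.pack("!H", s) for s in cipher_suites)
    body = (
        bytes(SSLV3)                                # client_version = 3.0
        + random_bytes                              # 32-byte client random
        + b"\x00"                                   # session_id length = 0
        + struct.pack("!H", len(suites)) + suites   # cipher_suites vector
        + b"\x01\x00"                               # one compression method: null
    )
    handshake = bytes([HANDSHAKE_CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return bytes([CONTENT_HANDSHAKE]) + bytes(SSLV3) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Turn the first record returned by the server into a verdict string."""
    if not data:
        return "rejected: connection closed without a response"
    content_type = data[0]
    # Alert record: type(1) version(2) length(2) level(1) description(1)
    if content_type == CONTENT_ALERT and len(data) >= 7:
        description = data[6]
        return f"rejected: alert {ALERT_NAMES.get(description, str(description))}"
    # Handshake record whose message is a ServerHello: the server_version
    # field sits right after the 5-byte record header and 4-byte handshake header.
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == HANDSHAKE_SERVER_HELLO:
        version = (data[9], data[10])
        if version == SSLV3:
            return "ACCEPTED: server answered the SSLv3 ClientHello with an SSLv3 ServerHello"
        return f"rejected: server answered with version {version[0]}.{version[1]}"
    return "unknown: unexpected response"


def probe_sslv3(host, port=443, timeout=5.0):
    """Send an SSLv3 ClientHello to host:port and report how the server reacts."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            data = sock.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""  # a silent close or reset is also a rejection
    return classify_response(data)


if __name__ == "__main__":
    # Placeholder host: replace with the FQDN or address of your own ASA VPN interface.
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.invalid"
    print(f"{target}: {probe_sslv3(target)}")
```

Run it as `python probe_sslv3.py <your-asa-fqdn>`; a hardened ASA should produce a `protocol_version` or `handshake_failure` alert, or simply close the connection, and only a `ServerHello` carrying version 3.0 means SSLv3 is still being accepted. The same question can be asked with the nmap script the answer links, `nmap --script ssl-enum-ciphers -p 443 <your-asa-fqdn>`, which should list no SSLv3 section at all.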
01-26-2021 02:42 AM
As per the output I do not see SSLv3 at a high level. Are you looking to disable SSLv3 for VPN users or for device access?
You can check below:
Use ASDM; you will find the same settings at Configuration > Remote Access VPN > Advanced > SSL Settings.
01-26-2021 08:05 AM
Hi,
Yes, we are looking to disable SSLv3 for VPN users. Especially, we want the message below to disappear:
ASA1# sh ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater