SSLV3 vulnerability in ASA OS version 9.0(4)20

sajinperikkat
Level 1

Hello Friends,

My ASA has been upgraded to version 9.0(4)20 and I want to understand the steps, with the commands, to remediate the vulnerability in this OS, as I can still see that connections are using SSL versions.


Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
SSL trust-points:
  inside interface: Verizon_tp1
  inside VPNLB interface: Verizon_tp1
Certificate authentication is not enabled
CN4FW7001/pri/act# show  ssl errors

Please reply to this query.

Thanks,

Sajin P

1 Reply

All commands that you need start with "ssl", but your demand doesn't make any sense nowadays ...

The most secure setup for your version is the following:

ssl server-version tlsv1-only
ssl encryption aes256-sha1 aes128-sha1

You could think about adding "3des-sha1" to the ssl encryption line if you still have to support Windows XP:

ssl encryption aes256-sha1 aes128-sha1 3des-sha1

What you don't want to use anymore today is any SSL or DES/RC4 ciphers.
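As an added example (not code from this thread or from Cisco), a small Python audit script for this situation: it parses the `show ssl` block quoted in the question, reports whether the box still accepts or initiates SSLv2/SSLv3 and whether the RC4/DES ciphers the reply warns against (or the legacy 3DES one) are enabled, and emits the `ssl server-version` / `ssl encryption` commands the reply gives, adding `3des-sha1` only when the Windows XP case applies. The `show ssl` line layout it assumes is the one in the question; the function names, the finding texts and the classification sets are my own.

```python
"""Audit Cisco ASA `show ssl` output for SSLv3 and weak ciphers.

Added example, not from the original thread. Parses the `show ssl` layout
quoted in the question and generates the `ssl` commands given in the reply.
"""
import re

# Ciphers the reply says should not be used any more.
WEAK_CIPHERS = {"rc4-sha1", "rc4-md5", "des-sha1", "null-sha1"}
# Tolerated only for legacy clients (the reply's Windows XP case).
LEGACY_CIPHERS = {"3des-sha1"}
# Preferred order from the reply: strongest first.
STRONG_ORDER = ["aes256-sha1", "aes128-sha1"]

# Sample input: the four `show ssl` lines quoted in the question.
SAMPLE_SHOW_SSL = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
"""


def _split_versions(s):
    """'SSLv2, SSLv3 or TLSv1' -> ['SSLv2', 'SSLv3', 'TLSv1']"""
    return [v for v in re.split(r",\s*|\s+or\s+", s.strip()) if v]


def parse_show_ssl(text):
    """Extract accepted/initiated protocol versions and the cipher lists."""
    info = {"accept": [], "start": [], "enabled": [], "disabled": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Accept connections using (.+?) and negotiate", line)
        if m:
            info["accept"] = _split_versions(m.group(1))
            continue
        m = re.match(r"Start connections using (.+?) and negotiate", line)
        if m:
            info["start"] = _split_versions(m.group(1))
            continue
        m = re.match(r"Enabled cipher order:\s*(.*)", line)
        if m:
            info["enabled"] = m.group(1).split()
            continue
        m = re.match(r"Disabled ciphers:\s*(.*)", line)
        if m:
            info["disabled"] = m.group(1).split()
    return info


def _is_ssl(version):
    return version.lower().startswith("ssl")


def audit(info):
    """Return findings; an empty list means the box matches the reply's target state."""
    findings = []
    if any(_is_ssl(v) for v in info["accept"]):
        findings.append("server side still accepts SSLv2/SSLv3 handshakes")
    if any(_is_ssl(v) for v in info["start"]):
        # The ASA's own outbound connections; 'ssl server-version' does not change this.
        findings.append("ASA-initiated connections still start with SSLv3")
    weak = [c for c in info["enabled"] if c in WEAK_CIPHERS]
    if weak:
        findings.append("weak ciphers enabled: " + " ".join(weak))
    legacy = [c for c in info["enabled"] if c in LEGACY_CIPHERS]
    if legacy:
        findings.append("legacy ciphers enabled (only justified for old clients): "
                        + " ".join(legacy))
    return findings


def remediation_commands(info, keep_3des=False):
    """Build the `ssl` commands from the reply that move this ASA to its target state."""
    cmds = []
    if any(_is_ssl(v) for v in info["accept"]):
        cmds.append("ssl server-version tlsv1-only")
    # Keep the preferred ciphers in the reply's order, then any other
    # already-enabled cipher that is neither weak nor legacy.
    strong = [c for c in STRONG_ORDER if c in info["enabled"]]
    strong += [c for c in info["enabled"]
               if c not in strong and c not in WEAK_CIPHERS and c not in LEGACY_CIPHERS]
    if not strong:
        strong = list(STRONG_ORDER)  # nothing acceptable enabled: use the reply's pair
    if keep_3des:
        strong.append("3des-sha1")  # only for the Windows XP case in the reply
    if strong != info["enabled"]:
        cmds.append("ssl encryption " + " ".join(strong))
    return cmds


if __name__ == "__main__":
    parsed = parse_show_ssl(SAMPLE_SHOW_SSL)
    for f in audit(parsed):
        print("FINDING:", f)
    for c in remediation_commands(parsed, keep_3des=True):
        print("CONFIG:", c)
```

Run it against a pasted `show ssl` block after applying the reply's commands as well: the findings list should then be empty and no further commands should be generated, which makes it a quick before/after check during the change window.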
