04-12-2012 02:51 PM - edited 03-10-2019 05:39 AM
I am trying to communicate with a Cisco IPS 4240 device using SSL while having the FIPS security setting enabled on the client. This is not possible because the device does not support the TLS extensions in the Client Hello packet (RFC 5746) being sent by the client when using TLS (SSL3 and lower are not FIPS compliant). The IDM application that communicates with the device does not send these TLS extensions (I'm seeing this with Wireshark), so it is able to connect to it.
Is there any way to make the 4240 support these TLS extensions?
04-16-2012 08:21 AM
This is related to the bugs below. The initial workaround will be included in the 7.1.5 release, which is set to support the 4240 platform among others. This will allow the IPS webserver to ignore the extensions in the short term. The long-term fix will require an update to the webserver to ensure that it is fully RFC 5746 compliant.
Todd
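The difference discussed in this thread (a Client Hello that carries TLS extensions versus one that does not) can be confirmed on a captured record. The following is an added example, not code from the original posts or from Cisco: it parses a single-record ClientHello and reports whether it has an extensions block, the RFC 5746 `renegotiation_info` extension, or the equivalent signalling cipher suite that RFC 5746 also defines. The function names and the sample records built by `build_hello` are constructed for illustration.

```python
import struct

RENEGOTIATION_INFO = 0xFF01  # extension type defined by RFC 5746
EMPTY_RENEGO_SCSV = 0x00FF   # TLS_EMPTY_RENEGOTIATION_INFO_SCSV, RFC 5746 section 3.3

def _take(buf, pos, n):
    """Return n bytes at pos plus the new offset, refusing to read past the end."""
    if pos + n > len(buf):
        raise ValueError("truncated ClientHello")
    return buf[pos:pos + n], pos + n

def inspect_client_hello(record):
    """Report how a ClientHello in one TLS record signals RFC 5746 support."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a handshake record starting with a ClientHello")
    body, _ = _take(record, 9, int.from_bytes(record[6:9], "big"))
    pos = 2 + 32                                  # client_version + random
    n, pos = _take(body, pos, 1)                  # session_id length
    _, pos = _take(body, pos, n[0])
    n, pos = _take(body, pos, 2)                  # cipher_suites length
    raw, pos = _take(body, pos, int.from_bytes(n, "big"))
    suites = [int.from_bytes(raw[i:i + 2], "big") for i in range(0, len(raw), 2)]
    n, pos = _take(body, pos, 1)                  # compression_methods length
    _, pos = _take(body, pos, n[0])
    ext_types, has_block = [], pos < len(body)    # bytes left over = extensions
    if has_block:
        n, pos = _take(body, pos, 2)              # extensions length
        exts, pos = _take(body, pos, int.from_bytes(n, "big"))
        i = 0
        while i < len(exts):
            hdr, i = _take(exts, i, 4)            # extension type + data length
            etype, elen = struct.unpack("!HH", hdr)
            _, i = _take(exts, i, elen)
            ext_types.append(etype)
    return {"extensions_block": has_block, "extension_types": ext_types,
            "renegotiation_info": RENEGOTIATION_INFO in ext_types,
            "scsv": EMPTY_RENEGO_SCSV in suites}

def build_hello(suites, exts=None):
    """Constructed sample: a minimal TLS 1.0 ClientHello record for testing."""
    body = b"\x03\x01" + bytes(32) + b"\x00"      # version, random, empty session_id
    body += struct.pack("!H", 2 * len(suites)) + b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                           # one compression method: null
    if exts is not None:
        blob = b"".join(struct.pack("!HH", t, len(d)) + d for t, d in exts)
        body += struct.pack("!H", len(blob)) + blob
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

if __name__ == "__main__":
    print(inspect_client_hello(build_hello([0x002F, 0x000A])))
    print(inspect_client_hello(build_hello([0x002F], [(RENEGOTIATION_INFO, b"\x00")])))
```

To use it on real traffic, pass the raw bytes of the first TLS record the client sends; a ClientHello fragmented across several records is rejected as truncated.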