cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
5876
Views
1
Helpful
11
Replies

TLS Version 1.1 Protocol Deprecated

taro75
Level 1
Level 1

I am using Cisco Firepower 2110 with firmware 7.0.5-72 and the SSL 1.1 is in use.

How can I disable SSL 1.1 ?

Description
The remote service accepts connections encrypted using TLS 1.1. TLS 1.1 lacks support for current and recommended cipher suites. Ciphers that support encryption before MAC computation, and authenticated encryption modes such as GCM cannot be used with TLS 1.1

As of March 31, 2020, Endpoints that are not enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.
Solution
Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.

2 Accepted Solutions

Accepted Solutions

Marvin Rhoads
Hall of Fame
Hall of Fame

Are you scanning the management IP or an interface with SSL VPN setup? As noted in @Rob Ingram 's post, the SSL settings only apply to SSL VPN.

Changing the SSL settings for the management interface is not supported by Cisco. It can be done with a "hack" from the expert mode cli, but it's not anything Cisco endorses.

See this post and the linked post in it: https://community.cisco.com/t5/vpn/how-to-disable-tls-v1-0-v1-1-on-ftd-using-the-fdm-or-cli/m-p/4843044#M289359

View solution in original post

11 Replies 11

@taro75 how are you managing the Firepower 2110, FDM or FMC? FDM is useless in regard to tweaking useful settings. You can define the TLS versions and encryption ciphers to use for remote access VPN connections in FDM. Previously, you needed to use the Firepower Threat Defense API to configure SSL settings.

Added in 7.0 - Objects > SSL Ciphers; Device > System Settings > SSL Settings.

21.png

https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/features.html

Just unselect the protocols you no longer require.

 

I am using FDM and I can see the following SSL ciphers. I cannot edit the default SSL Cipher. I need to remove SSL 1.0 & 1.1

CiscoRecommendedCipher TLSv1.2 High
DefaultSSLCipher TLSv1.1, DTLSv1.0, DTLSv1.2, TLSv1.0, TLSv1.2 Medium

You can create a custom cipher list (as per the example above) and use that.

Check below

I have defined SSL Cipher -> Selected DTLSv1.2, TLSv1.2 & selected it under SSL settings. Performed a VA scan from nessus still the vulnerability of TLS 1.1 is shown. Please advise.

 

> show running-config all ssl
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 medium
ssl dh-group group14
ssl ecdh-group group19
ssl certificate-authentication fca-timeout 2

Check below

how you mgmt FMC or FDM ?

I am using FDM not FMC. I cannot edit the default, so defined as shown below and selected the same under SSL Settings. Still there is no luck 1.1 is still enabled

 

taro75_0-1686222781225.png

 

Check below 

Marvin Rhoads
Hall of Fame
Hall of Fame

Are you scanning the management IP or an interface with SSL VPN setup? As noted in @Rob Ingram 's post, the SSL settings only apply to SSL VPN.

Changing the SSL settings for the management interface is not supported by Cisco. It can be done with a "hack" from the expert mode cli, but it's not anything Cisco endorses.

See this post and the linked post in it: https://community.cisco.com/t5/vpn/how-to-disable-tls-v1-0-v1-1-on-ftd-using-the-fdm-or-cli/m-p/4843044#M289359

Review Cisco Networking for a $25 gift card