4556 Views, 1 Helpful, 11 Replies

TLS Version 1.1 Protocol Deprecated

taro75 (Level 1)

I am using a Cisco Firepower 2110 with firmware 7.0.5-72 and SSL 1.1 is in use.

How can I disable SSL 1.1?

Description
The remote service accepts connections encrypted using TLS 1.1. TLS 1.1 lacks support for current and recommended cipher suites. Ciphers that support encryption before MAC computation, and authenticated encryption modes such as GCM, cannot be used with TLS 1.1.

As of March 31, 2020, endpoints that are not enabled for TLS 1.2 and higher will no longer function properly with major web browsers and major vendors.
Solution
Enable support for TLS 1.2 and/or 1.3, and disable support for TLS 1.1.

Accepted Solution

Marvin Rhoads (Hall of Fame)

Are you scanning the management IP or an interface with SSL VPN set up? As noted in @Rob Ingram's post, the SSL settings only apply to SSL VPN.

Changing the SSL settings for the management interface is not supported by Cisco. It can be done with a "hack" from the expert mode cli, but it's not anything Cisco endorses.

See this post and the linked post in it: https://community.cisco.com/t5/vpn/how-to-disable-tls-v1-0-v1-1-on-ftd-using-the-fdm-or-cli/m-p/4843044#M289359


11 Replies

@taro75 how are you managing the Firepower 2110, FDM or FMC? FDM is useless in regard to tweaking useful settings. You can define the TLS versions and encryption ciphers to use for remote access VPN connections in FDM. Previously, you needed to use the Firepower Threat Defense API to configure SSL settings.

Added in 7.0 - Objects > SSL Ciphers; Device > System Settings > SSL Settings.


https://www.cisco.com/c/en/us/td/docs/security/firepower/70/relnotes/firepower-release-notes-700/features.html

Just unselect the protocols you no longer require.


I am using FDM and I can see the following SSL ciphers. I cannot edit the default SSL cipher. I need to remove SSL 1.0 and 1.1.

CiscoRecommendedCipher: TLSv1.2 (High)
DefaultSSLCipher: TLSv1.1, DTLSv1.0, DTLSv1.2, TLSv1.0, TLSv1.2 (Medium)

You can create a custom cipher list (as per the example above) and use that.

Check below

I have defined an SSL Cipher -> selected DTLSv1.2 and TLSv1.2, and selected it under SSL Settings. Performed a VA scan from Nessus; the TLS 1.1 vulnerability is still shown. Please advise.


> show running-config all ssl
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 medium
ssl dh-group group14
ssl ecdh-group group19
ssl certificate-authentication fca-timeout 2

Check below
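A way to read the `show running-config all ssl` output posted above, as an added example that is not part of this thread or of any Cisco tool. It parses the `ssl server-version`, `ssl client-version` and `ssl cipher <version> <level>` line shapes visible in the posted output and reports which legacy protocol versions the box will still negotiate. The one assumption, flagged in the code, is the ASA/FTD meaning of `ssl server-version` / `ssl client-version`: the listed version is a minimum, so `tlsv1` means TLS 1.0 and up; check the command reference for your release before relying on that. The `ssl cipher tlsv1.1 medium` lines only set the cipher level used if that version is offered; they do not by themselves enable it. The second config is a constructed example of a box whose VPN listener still offers TLS 1.0/1.1.

```python
"""Classify TLS/DTLS versions from FTD/ASA `show running-config all ssl` output.

Added example for this thread, not Cisco code. Parsing follows only the line
shapes seen in the posted output; any other `ssl ...` keyword is ignored.
"""

# Versions a "TLS Version 1.0/1.1 Protocol Deprecated" scanner finding cares about.
LEGACY_VERSIONS = {"tlsv1", "tlsv1.1", "dtlsv1"}

# Ordering used to expand a configured floor into "that version and above".
TLS_ORDER = ["tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"]
DTLS_ORDER = ["dtlsv1", "dtlsv1.2"]

# The output posted in the thread, unchanged.
POSTED_CONFIG = """\
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 medium
ssl dh-group group14
ssl ecdh-group group19
ssl certificate-authentication fca-timeout 2
"""

# Constructed example (not from the thread): VPN listener still floors at TLS 1.0 / DTLS 1.0.
WEAK_CONFIG = """\
ssl server-version tlsv1 dtlsv1
ssl client-version tlsv1
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 medium
"""


def parse_ssl_config(text):
    """Return {'server': [floors], 'client': [floors], 'cipher': {version: level}}."""
    cfg = {"server": [], "client": [], "cipher": {}}
    for line in text.splitlines():
        parts = line.strip().split()
        if len(parts) < 3 or parts[0] != "ssl":
            continue
        if parts[1] == "server-version":
            cfg["server"] = [p.lower() for p in parts[2:]]
        elif parts[1] == "client-version":
            cfg["client"] = [p.lower() for p in parts[2:]]
        elif parts[1] == "cipher" and len(parts) >= 4:
            cfg["cipher"][parts[2].lower()] = parts[3].lower()
    return cfg


def offered_versions(cfg, role="server"):
    """Expand configured floors into the set of versions the box will negotiate.

    ASSUMPTION: `ssl server-version` / `ssl client-version` name a minimum, so a
    floor of tlsv1 offers tlsv1, tlsv1.1, tlsv1.2, ... The versions the platform
    knows are taken from its `ssl cipher <version>` lines when any are present.
    """
    known = {v for v in cfg["cipher"] if v != "default"}
    offered = set()
    for floor in cfg[role]:
        order = DTLS_ORDER if floor.startswith("dtls") else TLS_ORDER
        if floor not in order:
            continue  # unrecognised keyword; leave it alone rather than guess
        for version in order[order.index(floor):]:
            if not known or version in known:
                offered.add(version)
    return offered


def legacy_report(text):
    """Summarise legacy versions the device offers as server and accepts as client."""
    cfg = parse_ssl_config(text)
    server = offered_versions(cfg, "server")
    client = offered_versions(cfg, "client")
    return {
        "server_offered": sorted(server),
        "server_legacy": sorted(server & LEGACY_VERSIONS),
        "client_legacy": sorted(client & LEGACY_VERSIONS),
    }


if __name__ == "__main__":
    for name, text in (("posted", POSTED_CONFIG), ("constructed weak", WEAK_CONFIG)):
        print(name, legacy_report(text))
```

For the posted output the report shows the VPN-facing server floor already at TLS 1.2 / DTLS 1.2 with no legacy version offered, which is why a TLS 1.1 finding against this box has to come from a listener that `ssl server-version` does not govern, such as the management interface Marvin Rhoads points to. To tell the two apart from the scanner side, probe each IP separately, for example with `openssl s_client -connect <ip>:443 -tls1_1` (note that OpenSSL 3.x builds may refuse TLS 1.1 at their default security level, so a failure there does not by itself prove the server rejected it).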

How are you managing it, FMC or FDM?

I am using FDM, not FMC. I cannot edit the default, so I defined one as shown below and selected it under SSL Settings. Still no luck; 1.1 is still enabled.


Check below 
