cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4708
Views
4
Helpful
9
Replies

TLSv1.1 or 1.2 support on ASA 5540

Hi Team,

Currently we are using SSL3.0 of firewall for exposing one of the intranet portal to outside users. We want to enable TLSv1.1 or 1.2.

According to the output ssl server-version , we have only these options:

any, sslv3, sslv3-only, tlsv1, tlsv1-only.

our appliance is running following image :

 

Cisco Adaptive Security Appliance Software Version 8.2(5)

What measures have to be taken to subside this issue?

Regards,

HYD

 

 

 

9 Replies 9

It seems that the ASA is a little behind in supporting the latest crypto. On my devices I configured "tls1-only" for the "ssl server-version" to make sure that no older SSL-versions are used. In addition to that I configured the ssl-cipers the following way:

ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1

But I'm pretty sure that the older 8.2(5) versions don't yet support the more modern dhe-crypto.

@Karsten: Thanks for your reply. How about version 9.0(2). Does that support this feature (TLSv1.1 or 1.2)

Regards,

HYD

no, it's not even in the 9.1 (tested) or 9.2/9.3 (untested, but there are no changes documented).

It's still only TLSv1.0.

ahh Thanks a lot ..I hope this gets fixed in the future releases.

Hope is all that we can have ... ;-) Just remember that v1.2 is brand new, just six years old ... ;-) But I'm confident that sooner or later the ASA will support TLSv1.2.

Nikhil Thakur
Cisco Employee
Cisco Employee

TLSv1.2 is now supported starting ASA 9.3(2) release and above which is available now on CCO.

 

For your reference:

http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#pgfId-157788

 

HTH!

 

P.S.: Please rate the post if it helped or accept the reply as solution if answered.

 

Thanks nikhil for the update. Let me check the reference you shared :)

Hi,

Glad I was able to help.

Please mark the reply as 'Answered' and rate the post if it helped.

 

But sadly, your ASA (and many of mine) will not get this version. It's only available on the -X models.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: