05-07-2015 03:03 PM - edited 03-11-2019 10:54 PM
Hi All,
To fix the SSLv3 and POODLE vulnerability on an ASA 5520 running code 8.2(2), will the command "ssl server-version tlsv1" do the trick, or do I have to upgrade the software version? If I can fix this without a software upgrade, it would be great. While the command apparently is available in 8.2(2), I cannot find an article that confirms that this will fix the issue. A lot has been said about upgrading to 8.4, but because NAT statements change dramatically from 8.2 to 8.4, I really would like to avoid a code upgrade. Thank you
05-07-2015 04:10 PM
"ssl server-version tlsv1" will solve the vulnerability for the SSL-POODLE. But you are still vulnerable to TLS-POODLE. For that you need to upgrade to 8.2.5.55 or higher (for 8.2).
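A way to verify the change from the outside, added here as an example and not part of the thread: this Python probe sends a raw SSLv3 ClientHello and a raw TLS 1.0 ClientHello to the ASA's SSL VPN/ASDM port and reports whether each was accepted (ServerHello) or refused (alert or closed connection). The host name is a placeholder you replace with your own ASA; the cipher list and random bytes are constructed for the probe only.

```python
import socket
import struct

# Record-layer version numbers: SSL 3.0 = 0x0300, TLS 1.0 = 0x0301
VERSIONS = {"sslv3": 0x0300, "tlsv1": 0x0301}
CONTENT_ALERT, CONTENT_HANDSHAKE = 0x15, 0x16


def build_client_hello(version: int) -> bytes:
    """Minimal ClientHello record offering one protocol version and three RSA suites."""
    suites = b"\x00\x2f\x00\x35\x00\x0a"  # AES128-SHA, AES256-SHA, 3DES-SHA (constructed list)
    body = (struct.pack("!H", version) + b"\x00" * 32   # client_version + 32-byte random (zeros: probe only)
            + b"\x00"                                   # empty session id
            + struct.pack("!H", len(suites)) + suites   # cipher_suites vector
            + b"\x01\x00")                              # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 3-byte length
    return b"\x16" + struct.pack("!H", version) + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """Interpret the first record the server sends back to a ClientHello."""
    if len(data) < 5:
        return "closed"                    # connection dropped without a record
    content_type = data[0]
    if content_type == CONTENT_ALERT:
        return "rejected"                  # e.g. protocol_version / handshake_failure alert
    if content_type == CONTENT_HANDSHAKE and len(data) >= 11 and data[5] == 0x02:
        negotiated = struct.unpack("!H", data[9:11])[0]   # ServerHello.server_version
        return "accepted %04x" % negotiated
    return "unknown"


def probe(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Return {'sslv3': ..., 'tlsv1': ...}; after the fix sslv3 should not be 'accepted'."""
    results = {}
    for name, version in VERSIONS.items():
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_client_hello(version))
                results[name] = classify_response(sock.recv(4096))
        except OSError as exc:
            results[name] = "error: %s" % exc
    return results


if __name__ == "__main__":
    print(probe("asa.example.invalid"))  # placeholder host: replace with your ASA's VPN address
```

An "accepted 0300" result for sslv3 means the ASA still negotiates SSL 3.0 and the configuration change has not taken effect on that interface.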
05-08-2015 07:05 AM
Thank you! I believe the "new NAT" was introduced in version 8.3, so upgrading from 8.2.2 to 8.2.5.55 should be straightforward.
With that said, according to the page below, I also have to upgrade AnyConnect clients to version 4.x or higher. At this point I wonder if AnyConnect clients have to be upgraded to 4.x before configuring the ASA with "ssl server-version tlsv1". Any thoughts?
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118780-technote-asa-00.html#anc4
Thank you
05-08-2015 07:23 AM
With the mentioned update, the NAT-model will stay the same. I would expect the update to be quite easy.
Upgrading to AnyConnect 4.0 is not needed and won't give you any security benefit in regard to TLS. For the higher security mentioned in the document you need AC 4 *and* an ASA that runs 9.3 or higher, as with that combination TLS 1.2 is supported.
The SSL server version can also be configured to tlsv1-only with the current AC 3.1 client.
05-08-2015 03:15 PM
Thank you for the quick response.
I will make the config change early next week.
Thank you