Turning off SSLv3 on an ASA 5525

I have two ASA 5525s in an HA pair.  Both are running version 9.0(2).  I have tried to turn off SSLv3 but it doesn't seem to work.  My SSL configuration:

ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption aes128-sha1 aes256-sha1
ssl trust-point star.lereta.com inside vpnlb-ip
ssl trust-point star.lereta.com inside
ssl trust-point star.lereta.com outside vpnlb-ip
ssl trust-point star.lereta.com outside

Nevertheless, the Qualys SSL Labs test (https://www.ssllabs.com/ssltest/index.html) and openssl both report that SSLv3 is still enabled.  Is there a way to turn it off?  I am not averse to an upgrade since the TLS implementation is reported as vulnerable to POODLE.  Which version would be best?

I'd prefer to turn off HTTPS completely on the external interface but I cannot at this time.  It is only used for management and is restricted by IP so any risk is small.  Unfortunately we were dinged for it on an audit.
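To verify independently of SSL Labs whether a management interface still answers an SSLv3 handshake, the following added example (not from the original post or from Cisco) sends a minimal SSLv3-only ClientHello over a raw socket and classifies the first record that comes back; the cipher suites offered match the AES128-SHA / AES256-SHA suites in the configuration above, and the sample server records in SAMPLE_RESPONSES are constructed for illustration.

```python
import socket
import struct

SSLV3 = 0x0300  # protocol version bytes for SSL 3.0 (record and handshake layers)

def build_sslv3_client_hello() -> bytes:
    """Build a minimal SSLv3 ClientHello offering only AES128-SHA and AES256-SHA."""
    client_random = b"\x00" * 32                     # constant is fine for a version probe
    cipher_suites = b"\x00\x2f\x00\x35"              # TLS_RSA_WITH_AES_{128,256}_CBC_SHA
    body = (struct.pack("!H", SSLV3) + client_random
            + b"\x00"                                # empty session id
            + struct.pack("!H", len(cipher_suites)) + cipher_suites
            + b"\x01\x00")                           # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello, 3-byte length
    return b"\x16" + struct.pack("!HH", SSLV3, len(handshake)) + handshake  # record type 0x16 = handshake

def classify_response(data: bytes) -> str:
    """Interpret the first record a server returns to an SSLv3-only ClientHello."""
    if len(data) < 5:
        return "no_response"                         # connection closed or nothing sent back
    rec_type = data[0]
    version = struct.unpack("!H", data[1:3])[0]
    if rec_type == 0x16 and len(data) >= 6 and data[5] == 0x02 and version == SSLV3:
        return "sslv3_accepted"                      # ServerHello at 3.0: SSLv3 is still enabled
    if rec_type == 0x15:
        return "sslv3_rejected"                      # Alert record (e.g. protocol_version, handshake_failure)
    return "unexpected"

def probe(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Connect to host:port, send the probe and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "no_response"

# Constructed sample records (not captured from a real ASA) showing the two outcomes.
SAMPLE_RESPONSES = {
    "server_hello_3.0": b"\x16\x03\x00\x00\x2a\x02" + b"\x00" * 41,
    "alert_protocol_version": b"\x15\x03\x01\x00\x02\x02\x46",
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))                    # e.g. python probe.py asa.example.invalid
    else:
        for name, rec in SAMPLE_RESPONSES.items():
            print(f"{name}: {classify_response(rec)}")
```

A result of "sslv3_accepted" after the upgrade or configuration change means the finding from the audit is still reproducible and the interface should be rechecked.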


Accepted Solution

rvarelac
Level 7

Hi Stephen,

You can upgrade to any of the fixed versions in the document below; however, I would recommend you upgrade to the 9.4.1 code, since it is the most stable version that supports the latest TLS version (TLSv1.2). This version came with SSLv3 disabled by default.

You can download the code from the following site:

https://software.cisco.com/download/release.html?mdfid=284143129&flowid=31543&softwareid=280775065&release=9.1.6%20Interim&relind=AVAILABLE&rellifecycle=&reltype=latest

Reference document:

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118780-technote-asa-00.html

Hope it helps

-Randy-


2 Replies

Thank you.  I will go ahead and upgrade.
