09-21-2015 01:10 PM - edited 03-11-2019 11:37 PM
I have two ASA 5525s in a HA pair. Both are running version 9.0(2). I have tried to turn off sslv3 but it doesn't seem to work. My ssl configuration:
ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption aes128-sha1 aes256-sha1
ssl trust-point star.lereta.com inside vpnlb-ip
ssl trust-point star.lereta.com inside
ssl trust-point star.lereta.com outside vpnlb-ip
ssl trust-point star.lereta.com outside
Nevertheless, the Qualys SSL Labs test (https://www.ssllabs.com/ssltest/index.html) and openssl both report that sslv3 is still enabled. Is there a way to turn it off? I am not averse to an upgrade since the TLS implementation is reported as vulnerable to POODLE. Which version would be best?
I'd prefer to turn off https completely on the external interface but I cannot at this time. It is only used for management and is restricted by IP so any risk is small. Unfortunately we were dinged for it on an audit.
09-21-2015 09:57 PM
Hi Stephen,
You can upgrade to any of the fixed versions in the document below; however, I would recommend that you upgrade to the 9.4.1 code, since it is the most stable version that supports the latest TLS version (tlsv1.2). This version came with SSLv3 disabled by default.
You can download the code on the following site
Reference document
Hope it helps
-Randy-
09-22-2015 08:48 AM
Thank you. I will go ahead and upgrade.
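A way to check the outcome independently of SSL Labs or openssl, as an added example that is not part of the original thread: build an SSLv3-only ClientHello offering the two suites from the `ssl encryption` line and classify the first record the device returns. The function names and the two sample replies are constructed for illustration.

```python
import os
import socket
import struct

SSL3 = 0x0300
# AES128-SHA and AES256-SHA, matching the "ssl encryption" line in the question
SUITES = (0x002F, 0x0035)
# Constructed sample replies (not captured from any device)
SAMPLE_SERVER_HELLO = (bytes.fromhex("160300002a" "02000026" "0300")
                       + bytes(32) + bytes.fromhex("00" "002f" "00"))
SAMPLE_ALERT = bytes.fromhex("15030000020228")  # fatal handshake_failure

def sslv3_client_hello(random=None):
    """Build an SSLv3-only ClientHello record (SSLv3 has no extensions)."""
    random = random or os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in SUITES)
    body = (struct.pack("!H", SSL3) + random + b"\x00"      # version, random, empty session id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00")                                   # one compression method: null
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body   # handshake type 1, 24-bit length
    return b"\x16" + struct.pack("!HH", SSL3, len(hs)) + hs  # handshake record header

def classify_reply(data):
    """Interpret the first record sent back in answer to that ClientHello."""
    if len(data) < 5:
        return "no-reply"  # connection closed or reset: SSLv3 was not negotiated
    rtype, _ver, rlen = struct.unpack("!BHH", data[:5])
    payload = data[5:5 + rlen]
    if rtype == 0x15 and len(payload) >= 2:
        return "refused (alert %d)" % payload[1]
    if rtype == 0x16 and len(payload) >= 6 and payload[0] == 0x02:
        version = struct.unpack("!H", payload[4:6])[0]       # ServerHello.server_version
        return "SSLv3 ENABLED" if version == SSL3 else "other version 0x%04x" % version
    return "unexpected"

def probe(host, port=443, timeout=5):
    """Send the hello to a device you administer and classify its answer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(sslv3_client_hello())
        try:
            return classify_reply(s.recv(4096))
        except OSError:
            return "no-reply"
```

Run `probe()` against each interface that has a trust-point bound, before and after the upgrade; anything other than `SSLv3 ENABLED` means the SSLv3 handshake was not accepted.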