cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

1727
Views
0
Helpful
5
Replies
Scott Pickles
Enthusiast

Using ASDM with 'ssl server-version tlsv1-only'

If I configure my ASA with the following ASDM does NOT work:

ssl server-version tlsv1-only
ssl client-version tlsv1-only

But if I configure my ASA with the following ASDM DOES work:

ssl server-version tlsv1
ssl client-version tlsv1-only

My understanding has been that in order to protect myself from POODLE it should be tlsv1-only.  And before anyone asks, I have upgraded my production ASA.  This is for a lab configuration to support end users that may not be able to upgrade.  I don't understand why v1-only doesn't work when configured for the server since my version of Java is configured to support TLSv1.0, 1.1 and 1.2.  Debugging SSL produces:

error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number@s3_pkt.c:430
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number@s3_pkt.c:430
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number@s3_pkt.c:430

5 REPLIES 5
Philip D'Ath
Advisor

I think all the 9.x trains of ASA have SSL disabled by default.  They also add TLS1.2 support.  You would be better off upgrading your firewall to resolve known serious security issues like this.  After all, it is a firewall.

As I stated in my original post:  "This is for a lab configuration to support end users that may not be able to upgrade."  I'm trying learn WHY it doesn't work in that configuration, not just go "oh well an upgrade will fix it".  Even with the upgrade, I should be able to configure 'tlsv1-only' on both the server and client side since my version of Java supports TLS v1.0, v1.1 and v1.2.

Coupe of ideas:

Doublecheck that you have the 3DES-AES license on the ASA

You may need to configure the ssl ciphers explicitly on the ASA.

You may need to add the Java Cryptography Extension (JCE) strong crypto support on your Java. (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)

If that doesn't help, I usually find the Wireshark packet decode of the failed communications more illustrative to determine where it's failing.

Marvin - 

Going to look at the JCE option.  The other things you mention are already configured:

ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1
Encryption-3DES-AES               : Enabled        perpetual

*EDIT*:  The JCE option makes no difference.  Still unable to use ASDM when specifying 'ssl server-version tlsv1-only'.

Hi Scott,

As Marvin mentioned try to take the capture using wire-shark when you connect via ASDM.

Thanks,

Shivapramod M

Content for Community-Ad