12-21-2015 10:13 AM - edited 03-12-2019 12:03 AM
If I configure my ASA with the following ASDM does NOT work:
ssl server-version tlsv1-only
ssl client-version tlsv1-only
But if I configure my ASA with the following ASDM DOES work:
ssl server-version tlsv1
ssl client-version tlsv1-only
My understanding has been that in order to protect myself from POODLE it should be tlsv1-only. And before anyone asks, I have upgraded my production ASA. This is for a lab configuration to support end users that may not be able to upgrade. I don't understand why v1-only doesn't work when configured for the server since my version of Java is configured to support TLSv1.0, 1.1 and 1.2. Debugging SSL produces:
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number@s3_pkt.c:430
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number@s3_pkt.c:430
error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number@s3_pkt.c:430
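An added illustration (not from this thread and not Cisco code): a small Python model of which client-hello framings each `ssl server-version` keyword admits, useful when reading a Wireshark capture of the failed handshake. It assumes the ASA command-reference semantics, where `tlsv1` accepts SSLv2-format client hellos and negotiates TLSv1 while `tlsv1-only` accepts only SSLv3/TLS record-framed TLSv1 hellos; the hello byte strings are constructed, and the policy table and function names are mine, not the ASA's.

```python
"""Model which client hellos an ASA 'ssl server-version' policy admits.

Added example, not from the thread and not Cisco code. Assumes the ASA
command-reference semantics (an assumption of this example): 'tlsv1' accepts
SSLv2-format client hellos and negotiates TLSv1, while 'tlsv1-only' accepts
only TLSv1 hellos. All hello bytes below are constructed, not captured.
"""
import struct

SSL3 = (3, 0)   # record-layer version bytes for SSLv3
TLS10 = (3, 1)  # record-layer version bytes for TLSv1.0

# ASA keyword -> (accept SSLv2-format hellos?, record-layer versions admitted)
POLICIES = {
    "any":        (True,  {SSL3, TLS10}),
    "sslv3":      (True,  {SSL3}),
    "tlsv1":      (True,  {TLS10}),
    "sslv3-only": (False, {SSL3}),
    "tlsv1-only": (False, {TLS10}),
}


def classify_hello(data: bytes):
    """Return ('sslv2', version) for an SSLv2-format ClientHello,
    ('record', version) for an SSLv3/TLS record-layer hello, else ('unknown', None)."""
    if len(data) < 5:
        return ("unknown", None)
    # SSLv2-format hello: 2-byte length with the high bit set, then message
    # type 0x01 and the highest version the client is willing to speak.
    if data[0] & 0x80 and data[2] == 0x01:
        return ("sslv2", (data[3], data[4]))
    # SSLv3/TLS record: content type 0x16 (handshake), then version major/minor.
    if data[0] == 0x16 and data[1] == 3:
        return ("record", (data[1], data[2]))
    return ("unknown", None)


def server_accepts(data: bytes, policy: str):
    """Decide whether the hello's outer framing is admitted under the policy.
    Returns (accepted, explanation)."""
    allow_v2, versions = POLICIES[policy]
    kind, ver = classify_hello(data)
    if kind == "sslv2":
        if allow_v2:
            return (True, "SSLv2-format hello accepted; negotiates %s" % sorted(versions))
        return (False, "SSLv2-format hello rejected: an SSLv3/TLS record header was expected")
    if kind == "record":
        if ver in versions:
            return (True, "record version %s admitted" % (ver,))
        return (False, "record version %s not admitted (wrong version number)" % (ver,))
    return (False, "not a recognizable client hello")


def build_record_hello(version) -> bytes:
    """Constructed SSLv3/TLS record carrying a minimal ClientHello header."""
    body = b"\x01\x00\x00\x02" + bytes(version)  # handshake type 1, 3-byte length, version
    return b"\x16" + bytes(version) + struct.pack("!H", len(body)) + body


def build_sslv2_hello(max_version) -> bytes:
    """Constructed SSLv2-format ClientHello advertising max_version."""
    body = b"\x01" + bytes(max_version) + b"\x00\x00" * 3  # type, version, three zero lengths
    return struct.pack("!H", 0x8000 | len(body)) + body


if __name__ == "__main__":
    hellos = {
        "SSLv2-format hello offering TLSv1": build_sslv2_hello(TLS10),
        "TLSv1 record-framed hello":         build_record_hello(TLS10),
        "SSLv3 record-framed hello":         build_record_hello(SSL3),
    }
    for policy in ("tlsv1", "tlsv1-only"):
        print("ssl server-version", policy)
        for name, raw in hellos.items():
            ok, why = server_accepts(raw, policy)
            print("  %-36s %s  %s" % (name, "accept" if ok else "reject", why))
```

Running it prints a matrix for the two keywords in the question: the only difference between them is the SSLv2-format hello, which `tlsv1` admits and `tlsv1-only` refuses. If the capture shows the Java client opening with that framing, the mismatch is in the hello format rather than the TLS version it advertises.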
12-21-2015 04:42 PM
I think all the 9.x trains of ASA have SSL disabled by default. They also add TLS1.2 support. You would be better off upgrading your firewall to resolve known serious security issues like this. After all, it is a firewall.
12-22-2015 12:00 PM
As I stated in my original post: "This is for a lab configuration to support end users that may not be able to upgrade." I'm trying to learn WHY it doesn't work in that configuration, not just go "oh well an upgrade will fix it". Even with the upgrade, I should be able to configure 'tlsv1-only' on both the server and client side since my version of Java supports TLS v1.0, v1.1 and v1.2.
12-22-2015 01:39 PM
Couple of ideas:
Double-check that you have the 3DES-AES license on the ASA
You may need to configure the ssl ciphers explicitly on the ASA.
You may need to add the Java Cryptography Extension (JCE) strong crypto support on your Java. (http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html)
If that doesn't help, I usually find the Wireshark packet decode of the failed communications more illustrative to determine where it's failing.
12-23-2015 06:40 AM
Marvin -
Going to look at the JCE option. The other things you mention are already configured:
ssl server-version tlsv1
ssl client-version tlsv1-only
ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1
Encryption-3DES-AES : Enabled perpetual
*EDIT*: The JCE option makes no difference. Still unable to use ASDM when specifying 'ssl server-version tlsv1-only'.
12-23-2015 06:29 PM
Hi Scott,
As Marvin mentioned, try to take the capture using Wireshark when you connect via ASDM.
Thanks,
Shivapramod M