06-20-2016 05:10 AM - edited 03-12-2019 12:54 AM
Dear All,
I don't have any knowledge about SSL and TLS; kindly describe. What is the purpose of having SSL and TLS in our network?
How can I change the config from SSL to TLS with 128-bit length?
06-20-2016 06:44 AM
Hi Akbar,
Regarding the cipher settings on the ASA, you can refer to the "ssl cipher" section in the link below:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1724385
Let me know if you have any further queries.
Rate if it helps.
Thanks,
Ankita
06-20-2016 06:55 AM
What is the purpose of having SSL and TLS in our network?
TLS is the successor of SSL. Today, SSL should not be enabled any more on any device, as it has shown too many weaknesses.
How can I change the config from SSL to TLS with 128-bit length?
That all depends on the device and software version you use.
06-20-2016 07:03 AM
Karsten, I am using a Cisco ASA 5520 with version 8.3.
Can somebody tell me how I can configure TLS and remove SSL?
06-20-2016 07:41 AM
First: I would upgrade to the newest 8.4 interim release or, if possible, to the newest 9.1 release. In 9.1 you also have more crypto options to secure your firewall.
For your release, you should configure the following:
ssl server-version tlsv1-only
ssl encryption aes128-sha1 aes256-sha1
06-21-2016 02:51 AM
And I didn't find any SSL or TLS config in the firewall. Is it related to the configs below?
Please tell me what the purpose of the configs below is.
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
Also, I don't have the "show ssl ciphers all" command, and our security officer says we have a weak cipher config, as mentioned in the screenshot.
06-21-2016 04:42 AM
The config only relates to IPsec VPNs. And on your platform, you won't get rid of the weak ciphers completely, but they can be reduced with the mentioned config. The "ssl cipher" command is not available on your device. If you need more security, you have to upgrade to a current platform with a newer software release. The 5520 is nearly EOL and won't get any current crypto in the future.
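Karsten's two points above (the pasted `crypto` lines belong to the IPsec VPN, while the HTTPS side of the ASA is governed by `ssl server-version` and `ssl encryption` from the 07:41 reply) can be checked mechanically. The following is an added example, not from the thread and not Cisco's code: a small Python audit that reads an ASA 8.x-style running config and lists the weak settings on both sides (SSLv3 or the default cipher list on the HTTPS listener; DES/3DES, MD5 and DH groups 1 and 2 on IKE/IPsec). The weak-cipher lists, and the assumed 8.x defaults for the two `ssl` commands when they are absent, are this script's own assumptions. The sample config is constructed from the lines posted in the thread, once as posted and once with the two `ssl` commands added.

```python
"""Offline audit of an ASA 8.x-style running config for the weak SSL/TLS and
IPsec settings discussed in this thread.  Added example: not Cisco's code and
not posted in the thread.  Assumptions are marked in the comments."""
import re
from typing import Dict, List

# "ssl encryption" values on ASA 8.x that a cipher audit would reject.
# Assumption: this is the complete weak subset of that release's option set.
WEAK_SSL_CIPHERS = {"des-sha1", "3des-sha1", "rc4-md5", "rc4-sha1", "null-sha1"}
# IKEv1 / IPsec settings flagged as weak: DES and 3DES, MD5, and the 768-bit
# (group 1) and 1024-bit (group 2) MODP Diffie-Hellman groups.
WEAK_IKE_ENCRYPTION = {"des", "3des"}
WEAK_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}


def parse_isakmp_policies(lines: List[str]) -> Dict[str, Dict[str, str]]:
    """Collect 'crypto isakmp policy N' blocks and their sub-commands.  The
    sub-commands may be indented (normal 'show run' output) or flush-left,
    as they were pasted in the thread."""
    policies: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in lines:
        line = raw.strip()
        m = re.match(r"crypto isakmp policy (\d+)$", line)
        if m:
            current = m.group(1)
            policies[current] = {}
        elif current and re.match(r"(authentication|encryption|hash|group|lifetime)\s", line):
            key, _, value = line.partition(" ")
            policies[current][key] = value.strip()
        elif line and not raw.startswith(" "):
            current = None  # any other top-level command ends the block
    return policies


def audit(config: str) -> List[str]:
    """Return one finding per weak setting; an empty list means nothing flagged."""
    findings: List[str] = []
    lines = config.splitlines()
    stripped = [ln.strip() for ln in lines]

    # SSL/TLS side: every HTTPS listener on the ASA (ASDM, WebVPN, AnyConnect).
    versions = [ln.split()[-1] for ln in stripped if ln.startswith("ssl server-version ")]
    if not versions:
        # Assumption: the 8.x default is 'any', which still negotiates SSLv3.
        findings.append("ssl server-version not set: default 'any' still negotiates SSLv3")
    elif versions[-1] != "tlsv1-only":
        findings.append(f"ssl server-version {versions[-1]}: still permits SSL, use tlsv1-only")

    cipher_lists = [ln.split()[2:] for ln in stripped if ln.startswith("ssl encryption ")]
    if not cipher_lists:
        # Assumption: the 8.x default cipher list includes RC4 and 3DES.
        findings.append("ssl encryption not set: default list includes RC4 and 3DES")
    else:
        findings += [f"ssl encryption includes weak cipher {c}"
                     for c in cipher_lists[-1] if c in WEAK_SSL_CIPHERS]

    # IKEv1 phase 1 policies.
    for num, pol in parse_isakmp_policies(lines).items():
        if pol.get("encryption") in WEAK_IKE_ENCRYPTION:
            findings.append(f"isakmp policy {num}: encryption {pol['encryption']}")
        if pol.get("hash") in WEAK_HASH:
            findings.append(f"isakmp policy {num}: hash {pol['hash']}")
        if pol.get("group") in WEAK_DH_GROUPS:
            findings.append(f"isakmp policy {num}: DH group {pol['group']} (1024-bit MODP or smaller)")

    # IPsec phase 2: transform sets and the PFS group on static or dynamic crypto maps.
    for ln in stripped:
        m = re.match(r"crypto ipsec transform-set (\S+) (.+)$", ln)
        if m:
            findings += [f"transform-set {m.group(1)}: {t}"
                         for t in m.group(2).split() if t in WEAK_ESP]
        m = re.match(r"crypto (?:dynamic-map|map) \S+ \d+ set pfs group(\d+)$", ln)
        if m and m.group(1) in WEAK_DH_GROUPS:
            findings.append(f"pfs group{m.group(1)} (1024-bit MODP or smaller)")
    return findings


# Constructed sample: the IPsec lines pasted in the thread, with no ssl commands.
THREAD_CONFIG = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
"""

# The same device after adding the two ssl commands suggested in the thread.
HARDENED_SSL_CONFIG = ("ssl server-version tlsv1-only\n"
                       "ssl encryption aes128-sha1 aes256-sha1\n" + THREAD_CONFIG)

if __name__ == "__main__":
    for name, cfg in (("as posted", THREAD_CONFIG), ("with ssl fix", HARDENED_SSL_CONFIG)):
        print(f"== {name} ==")
        for finding in audit(cfg):
            print("  -", finding)
```

Run stand-alone it prints six findings for the config as posted and four for the copy with the two `ssl` commands: the HTTPS listener is fixed, the IPsec weaknesses (3DES, DH group 2, PFS group 1) remain, which is exactly the "you won't get rid of the weak ciphers completely" caveat in the reply above. Pasting a real `show running-config` into `audit()` works the same way; the parser tolerates the normal indented form of the isakmp policy block.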
06-21-2016 07:01 AM
Thank you all, just one last question.
Can the SSL config be done only on the ASA, or can it be configured on any switch or router? Is it normal to configure SSL at the switch level? Actually, the security officer's requirement is to configure SSL on the switches as well; screenshot attached for reference.
How can I configure it on the switches, and
is it the default config in Cisco switch IOS mentioned in the screenshot? Because I don't see any SSL config in the switches.
06-21-2016 08:40 AM
If you need to enable the web server on your switches/routers, then you need to configure these devices accordingly as well. For both platforms you need very new IOS releases to have the tools available to configure that.
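As an added example (not from the thread and not Cisco documentation), this is the shape the switch/router side of that requirement takes in IOS: turn off the cleartext HTTP listener, keep only HTTPS, and pin the TLS version and cipher suites. `no ip http server`, `ip http secure-server` and `show ip http server status` are long-standing commands; `ip http tls-version` and the AES suite names under `ip http secure-ciphersuite` are assumed to exist only on recent 15.x / IOS-XE releases, which is the "very new IOS releases" point above, so confirm the available keywords with `?` on the device before pasting.

```text
! Added example, not the poster's configuration.
no ip http server                    ! drop the cleartext management listener
ip http secure-server                ! HTTPS only (needs a crypto image and a certificate)
! Release-dependent (assumed 15.x / IOS-XE keywords): pin version and suites
ip http tls-version TLSv1.2
ip http secure-ciphersuite aes-128-cbc-sha aes-256-cbc-sha
! From exec mode, verify what the device actually accepted
show ip http server status
```

If `ip http tls-version` or the AES suite keywords are rejected, the release is too old to meet the requirement, and the only options are an upgrade or disabling the HTTP(S) server entirely and managing the switch over SSH.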