
Who Me Too'd this topic

IOS and IOS-XE AnyConnect, TLS 1.0 and PCI DSS Compliance

ghostinthenet
Level 7

I'm wondering if anyone has found a workaround for this problem.

In order to be PCI DSS compliant, TLS 1.0 must be completely disabled on Internet-facing devices by June of this year. This is actually a bit of a misstatement because PCI scanning services such as Security Metrics are marking the presence of TLS 1.0 as a compliance failure right now.

At present, Cisco IOS and IOS XE do not have a mechanism for disabling TLS 1.0, and so AnyConnect installations are failing scans. An exception request can be submitted every six months to waive the requirement, but this will no longer be an option in June.

Cisco has indicated that there is presently no way to make IOS and IOS XE compliant, but that there is an enhancement request (CSCuv24653) in the bug database to allow this. There hasn't been a lot of activity on this enhancement request, so I'm looking for other options in the event that a fix doesn't materialize.

With IOS 15.5(3)M, TLS 1.1 and 1.2 are supported for AnyConnect with the 4.x client, so abandoning TLS 1.0 is doable, but the gateway will still negotiate down to 1.0 and trigger a failure when scanned.

I thought I might be able to use something like FPM to drop TLS 1.0 packets, but FPM has been removed from IOS and I can't find a similar function.

Has anyone else been faced with this?
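The post's core complaint is that the gateway still negotiates down to TLS 1.0 even when the client supports 1.1/1.2, and that a PCI scanner catches this. The following Python probe is an added example (not code from the original post, from Cisco, or from any scanning vendor) that reproduces that check so an administrator can verify their own gateway before and after a change: it hand-builds a ClientHello that offers only TLS 1.0, sends it, and reports whether the server answered with a TLS 1.0 ServerHello (the scanner would fail it) or with an alert (the version is refused). The ClientHello is built by hand rather than through Python's `ssl` module because modern OpenSSL builds often refuse to offer TLS 1.0 at all. Host and port are caller-supplied; the two sample server replies at the bottom are constructed so the classifier can be exercised offline.

```python
"""Check whether a TLS endpoint still completes a TLS 1.0 handshake.

Added example (not from the original post or from Cisco). It hand-builds a
minimal TLS 1.0 ClientHello, sends it, and classifies the first record the
server returns. A ServerHello whose server_version is 0x0301 means TLS 1.0
was negotiated, which is exactly what a PCI scanner flags; an alert
(typically protocol_version or handshake_failure) means the gateway refused.
Host and port are caller-supplied assumptions; no real host is built in.
"""
import socket
import struct
import sys

TLS10 = b"\x03\x01"
RECORD_HANDSHAKE = 0x16
RECORD_ALERT = 0x15
HS_CLIENT_HELLO = 0x01
HS_SERVER_HELLO = 0x02
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}

# Cipher suites any TLS 1.0-capable server of that era would recognise (IANA values).
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0xC013, 0xC014]


def build_client_hello(version: bytes = TLS10, client_random: bytes = b"\x00" * 32) -> bytes:
    """Return one TLS record carrying a ClientHello that offers only `version`."""
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (
        version
        + client_random                     # 32-byte random (fixed here; fine for a probe)
        + b"\x00"                           # session_id length 0
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                       # one compression method: null
    )
    handshake = bytes([HS_CLIENT_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([RECORD_HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> tuple:
    """Classify the first record a server sent back to a TLS 1.0 ClientHello.

    Returns (status, detail): status is 'accepted' when a ServerHello negotiates
    TLS 1.0, 'refused' when the server alerts or picks another version, and
    'unknown' when the bytes are not a parseable TLS record.
    """
    if len(data) < 5:
        return ("unknown", "no TLS record received (connection closed?)")
    ctype = data[0]
    rec_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + rec_len]
    if ctype == RECORD_ALERT and len(payload) >= 2:
        desc = payload[1]
        return ("refused", "alert %s (%d)" % (ALERT_NAMES.get(desc, "unknown"), desc))
    if ctype == RECORD_HANDSHAKE and len(payload) >= 6 and payload[0] == HS_SERVER_HELLO:
        negotiated = payload[4:6]           # server_version follows the 4-byte handshake header
        if negotiated == TLS10:
            return ("accepted", "ServerHello negotiated TLS 1.0")
        return ("refused", "ServerHello chose version %s" % negotiated.hex())
    return ("unknown", "unexpected record type 0x%02x" % ctype)


def probe_tls10(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Connect to host:port, offer only TLS 1.0, and report how the server answered."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello())
            data = sock.recv(4096)          # the first record is all we need
    except (ConnectionResetError, socket.timeout) as exc:
        return ("refused", "connection dropped without a TLS reply: %s" % exc)
    return classify_response(data)


# Constructed sample replies so the classifier can be exercised offline.
def sample_server_hello(version: bytes) -> bytes:
    """Build a minimal ServerHello record choosing `version` and suite 0x002F."""
    body = version + b"\x00" * 32 + b"\x00" + b"\x00\x2F" + b"\x00"
    handshake = bytes([HS_SERVER_HELLO]) + struct.pack("!I", len(body))[1:] + body
    return bytes([RECORD_HANDSHAKE]) + version + struct.pack("!H", len(handshake)) + handshake


SAMPLE_ACCEPTS_TLS10 = sample_server_hello(TLS10)
SAMPLE_PROTOCOL_VERSION_ALERT = bytes([RECORD_ALERT]) + TLS10 + b"\x00\x02" + b"\x02\x46"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("offline self-check:", classify_response(SAMPLE_ACCEPTS_TLS10),
              classify_response(SAMPLE_PROTOCOL_VERSION_ALERT))
    else:
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
        print("%s:%d -> %s" % (sys.argv[1], port, probe_tls10(sys.argv[1], port)))
```

Run it as `python probe.py <your-gateway> 443` against a gateway you administer; an `accepted` result is the condition the scanner reports, and a `refused` result with a `protocol_version` alert is what a compliant configuration should produce. The probe sends no extensions, so it also exercises the plain TLS 1.0 path that an older scanner would use.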
