SA520 SSL 3.0 or TLS 1.0 ?

dluff4343 (Beginner)

Hello. I have a customer with an SA520w. It is functioning properly; however, because the customer needs to pass PCI compliance, the outside vulnerability scan is failing due to SSL 2.0 as well as the use of weak and anonymous SSL ciphers.

The recommendation is to use the newer SSL 3.0 or TLS 1.0. The issue is I cannot find how to enable or upgrade the device to support SSL 3.0 or TLS 1.0. I cannot even find anywhere within the device that shows it is using SSL 2.0, which I believe it is.

Will the SA520 support SSL 3.0 or TLS 1.0?

Running firmware 1.1.42

Any info is appreciated.

thanks

9 Replies

MR3 firmware (2.1.18), which will come out tomorrow, will address the SSL 3.0 issue.

SSL 3.0 was not supported in the earlier firmware releases, but is supported in the release that comes out tomorrow. Tomorrow’s firmware also addresses a number of other bugs, and provides support for Cisco IPSec VPN Client… so lots of good reasons to upgrade.

Hope this helps.

Mario, thanks much for the reply. I will try that new firmware. What did you say the release date was again?

Also, what do you know about the new firmware and having stronger SSL ciphers? In addition to the PCI scan failing on SSL 3.0, it failed due to weak and anonymous SSL ciphers. Is the underlying fact of SSL 3.0 that it has strong ciphers?

thanks again.

Derek,

The software is due out today. Check out the release notes for more details on what is included. Let me know if that gives you the information you need.

Thanks again. As of now, I still only see 1.1.65 as the most up-to-date firmware available for the SA520W.

I'm using this link:

http://www.cisco.com/cisco/software/release.html?mdfid=282571096&catid=268438162&softwareid=282728525

unless I should be going elsewhere for it.

I'll keep checking for 2.1.18 as you suggested.

thanks

Hi Derek,

In order to get a version above 1.1.65, you have to request a Release Candidate by sending an email to the mailing list:

SA 500 Security Appliance MR3 Release Candidate Firmware Now Available

A Release Candidate build for the SA 500 is now available for Cisco customers and partners to evaluate. If you are an interested customer/partner, you can obtain an early build of the firmware by sending an email to: sa500-mr3@cisco.com with your Cisco.com User ID in the subject line of the email. You will then receive an email notification with instructions on how to download the firmware.

Do note that when the official MR3 release becomes available, you can download it directly from CCO at the link you provided.

Cheers,

Julio

I have downloaded firmware 2.1.18 and plan to upgrade the SA520w next week.

I have read through the release notes, but they do not mention addressing the SSL 3.0 issue. I am hopeful that the external PCI vulnerability scan will pass with the new firmware on.

If the PCI scan still fails on SSL 3.0 and/or still has weak or anonymous SSL ciphers, are there any recommendations for this appliance to be able to pass SSL 3.0?

Thanks

I have upgraded to the 2.1.18 firmware; however, the PCI scan still fails due to medium-strength SSL ciphers (see the exact scan detail below).

I need to find out if the device is configurable for higher-strength ciphers, or whether it is still a limitation of the device even with the new 2.1.18 firmware.

Any additional info on getting this device to pass PCI compliance is appreciated.

PCI scan result: TCP 443 https 4 (the 4 is a fail; it needs to be 3 or lower to pass this piece of the scan)

Synopsis: The remote service supports the use of medium strength SSL ciphers.
Description: The remote host supports the use of SSL ciphers that offer medium strength encryption, which we currently regard as those with key lengths at least 56 bits and less than 112 bits. Note: This is considerably easier to exploit if the attacker is on the same physical network.
Solution: Reconfigure the affected application if possible to avoid use of medium strength ciphers.
Risk Factor: Medium / CVSS Base Score: 4.3 (CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
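The scan finding above (and the weak/anonymous cipher findings in the opening post) are about what the appliance offers on TCP 443, which the SA520 UI does not expose. The script below is an added example, not from the original thread or from Cisco: it classifies a cipher inventory using the finding's own definition (anonymous, under 56 bits, 56 to under 112 bits, 112 and above) and includes a probe that offers a server one cipher at a time to build that inventory. The cipher dicts in `CONSTRUCTED_INVENTORY` are made up in the shape `ssl.SSLContext.get_ciphers()` returns and are not a capture from an SA520; `probe_server` is assumed to be run against a host you are authorised to scan.

```python
"""Classify an SSL/TLS cipher inventory the way the PCI finding describes.

Added example. CONSTRUCTED_INVENTORY is made up for illustration, in the
dict shape returned by ssl.SSLContext.get_ciphers(); it is not a capture
from the appliance discussed in the thread.
"""
import socket
import ssl

MEDIUM_MIN_BITS = 56    # finding text: "at least 56 bits" is medium
STRONG_MIN_BITS = 112   # finding text: "less than 112 bits" is medium


def classify_cipher(cipher):
    """Return 'anonymous', 'weak', 'medium' or 'strong' for one cipher dict."""
    # Anonymous DH/ECDH suites do no server authentication: an active
    # attacker can terminate the session regardless of key length.
    if cipher.get("auth") == "aNULL" or cipher["name"].startswith(("ADH-", "AECDH-")):
        return "anonymous"
    bits = cipher["strength_bits"]
    if bits < MEDIUM_MIN_BITS:
        return "weak"
    if bits < STRONG_MIN_BITS:
        return "medium"
    # Key length is the only metric this finding uses; a 128-bit RC4 suite
    # lands here even though RC4 is flagged by other checks.
    return "strong"


def summarize(ciphers):
    """Group an inventory by class, preserving the order it was offered in."""
    buckets = {"anonymous": [], "weak": [], "medium": [], "strong": []}
    for cipher in ciphers:
        buckets[classify_cipher(cipher)].append(cipher["name"])
    return buckets


def passes_cipher_check(ciphers):
    """True only if nothing anonymous, weak or medium is offered."""
    s = summarize(ciphers)
    return not (s["anonymous"] or s["weak"] or s["medium"])


def probe_server(host, port=443, candidates=None, timeout=5.0):
    """Offer the server one TLS 1.0-1.2 cipher at a time; return what it took.

    Assumptions: candidates defaults to every pre-TLS-1.3 suite the local
    OpenSSL build knows. SSLv2/SSLv3 cannot be spoken from a modern Python,
    so the SSL 2.0 finding in the thread needs a different tool.
    """
    if candidates is None:
        candidates = [c for c in ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).get_ciphers()
                      if c.get("protocol") != "TLSv1.3"]
    accepted = []
    for cipher in candidates:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE          # inventorying, not trusting
        ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # stop TLS 1.3 masking the result
        try:
            ctx.set_ciphers(cipher["name"])
        except ssl.SSLError:
            continue                             # local library refuses this suite
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host):
                    accepted.append(cipher)
        except (ssl.SSLError, OSError):
            pass                                 # handshake refused: not offered
    return accepted


# Constructed sample inventory (not real appliance output).
CONSTRUCTED_INVENTORY = [
    {"name": "ADH-AES128-SHA", "strength_bits": 128, "auth": "aNULL"},
    {"name": "EXP-RC4-MD5", "strength_bits": 40, "auth": "RSA"},
    {"name": "DES-CBC-SHA", "strength_bits": 56, "auth": "RSA"},
    {"name": "RC4-MD5", "strength_bits": 128, "auth": "RSA"},
    {"name": "AES256-SHA", "strength_bits": 256, "auth": "RSA"},
]

if __name__ == "__main__":
    for bucket, names in summarize(CONSTRUCTED_INVENTORY).items():
        print(f"{bucket:9s} {', '.join(names) or '-'}")
    print("passes:", passes_cipher_check(CONSTRUCTED_INVENTORY))
```

To check a real device, replace the constructed list with `probe_server("gateway.example", 443)` (hypothetical host) and feed the result to `summarize`; the "medium" bucket is exactly what the finding above is reporting, and if the appliance gives you no cipher configuration there is nothing on the device side to change.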

Derek, can you please ask the customer which PCI test they are using... we'd like to make it part of our test process going forward.

Yes, they are using Security Metrics for their outside PCI scan.

At this point I am not sure if there is any way to get the SA520 to pass the medium-strength cipher issue. I don't see it as anything configurable within the device.

I was hoping to get them to pass PCI with the SA520, but will most likely have to go to something different.

thanks
