01-03-2017 09:31 AM
What are the possible issues that could arise or that have been seen when disabling SSL and strictly going with TLS 1.2? Currently we have SSL 2 and SSL 3 set to accept connections then negotiate to TLS1.2 and any new connections set to start using TLS1.2. Below is the output from "sh ssl"
show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 dhe-aes128-sha1 dhe-aes256-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
01-03-2017 12:44 PM
Well, the possible issue of NOT disabling it is to have your data stolen. You really should disable it.
As long as you only support Windows 7 or better clients you should be fine. If you support lower clients, especially Windows XP, then you already have major security issues.
I would avoid using RC4 or 3DES as well.
A set of strong settings is:
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group20
01-03-2017 12:44 PM
I would use the above settings, but you could also choose to disable the weaker ciphers with:
ssl cipher default custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
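As an added example (not part of the original thread and not a Cisco tool), here is a small Python audit that parses "show ssl" output in the format quoted in the question and reports every protocol version and cipher suite that the advice above says to drop (SSLv2, SSLv3 and TLSv1 in either direction, plus RC4, 3DES, DES, MD5 and NULL suites). The sample input is the poster's own output; the second, hardened sample is a constructed guess at what the output would look like after moving to TLSv1.2 only, and is an assumption, not captured from a device.

```python
import re

# Constructed sample: the "show ssl" output quoted in the question.
SAMPLE_SHOW_SSL = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 dhe-aes128-sha1 dhe-aes256-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
"""

# Assumed (constructed) output after applying the TLSv1.2-only settings;
# the exact wording a real device prints may differ.
HARDENED_SHOW_SSL = """\
Accept connections using TLSv1.2 and negotiate to TLSv1.2
Start connections using TLSv1.2 and negotiate to TLSv1.2
Enabled cipher order: aes256-sha1 aes128-sha1 dhe-aes256-sha1 dhe-aes128-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1 rc4-sha1 3des-sha1
"""

# Policy taken from the thread: only TLSv1.2 should be offered.
WEAK_VERSIONS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def _split_versions(s):
    """'SSLv2, SSLv3 or TLSv1' -> ['SSLv2', 'SSLv3', 'TLSv1']"""
    return [v.strip() for v in re.split(r",|\bor\b", s) if v.strip()]


def parse_show_ssl(text):
    """Return accepted versions, started versions and the enabled cipher list."""
    result = {"accept": [], "start": [], "ciphers": []}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"Accept connections using (.+?) and negotiate", line)
        if m:
            result["accept"] = _split_versions(m.group(1))
            continue
        m = re.match(r"Start connections using (.+?) and negotiate", line)
        if m:
            result["start"] = _split_versions(m.group(1))
            continue
        m = re.match(r"Enabled cipher order:\s*(.*)", line)
        if m:
            result["ciphers"] = m.group(1).split()
    return result


def is_weak_cipher(name):
    """Flag RC4, 3DES, single DES, MD5-MAC and NULL suites as weak."""
    n = name.lower()
    return (
        "rc4" in n or "3des" in n or n.startswith("des-")
        or "md5" in n or "null" in n
    )


def audit(parsed):
    """Return a list of human-readable findings; empty means the policy holds."""
    findings = []
    for direction in ("accept", "start"):
        for v in parsed[direction]:
            if v in WEAK_VERSIONS:
                findings.append(f"{direction}: weak protocol version {v} offered")
    for c in parsed["ciphers"]:
        if is_weak_cipher(c):
            findings.append(f"cipher: weak suite {c} enabled")
    return findings


if __name__ == "__main__":
    for label, text in (("current", SAMPLE_SHOW_SSL), ("hardened", HARDENED_SHOW_SSL)):
        print(f"== {label} ==")
        for f in audit(parse_show_ssl(text)) or ["no findings"]:
            print("  " + f)
```

Running it against the poster's output lists three weak accepted versions, one weak start version and the RC4 and 3DES suites; the hardened sample produces no findings. The check only covers what "show ssl" reports, so after the change it is still worth verifying from a client which protocol version and suite a real connection actually negotiates.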
01-03-2017 02:44 PM
OK, thanks Philip. I will be making the changes shortly. Thanks for your input.
01-07-2017 06:46 AM
These commands will not influence TLSv1.2 ciphers, which is the most common version. For that you should add
ssl cipher tlsv1.2 ...
01-04-2017 05:16 AM
I have 1 final question, is it ok to make these changes on the fly while I have established connections? Will it drop those active connections and force a re-connect?
01-04-2017 10:41 AM
Yes, it can be done "on the fly".