Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
4512
Views
5
Helpful
6
Replies

Disabling SSL

Go to solution
williamehmke1
Level 1
Level 1

‎01-03-2017 09:31 AM

What are the possible issues that could arise or that have been seen when disabling SSL and strictly going with TLS 1.2? Currently we have SSL 2 and SSL 3 set to accept connections then negotiate to TLS1.2 and any new connections set to start using TLS1.2. Below is the output from "sh ssl"

show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 dhe-aes128-sha1 dhe-aes256-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1

1 person had this problem
Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎01-03-2017 12:44 PM

Well, the possible issue of NOT disabling it is to have your data stolen.  You really should disable it.

As long as you only support Windows 7 or better clients you should be fine.  If you support lower clients, especially Windows XP, then you already have major security issues.

I would avoid using RC4 or 3DES as well.

A set of strong settings are:

ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group20

View solution in original post

6 Replies 6

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni

‎01-03-2017 12:44 PM

Well, the possible issue of NOT disabling it is to have your data stolen.  You really should disable it.

As long as you only support Windows 7 or better clients you should be fine.  If you support lower clients, especially Windows XP, then you already have major security issues.

I would avoid using RC4 or 3DES as well.

A set of strong settings are:

ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group20

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to Philip D'Ath

‎01-03-2017 12:44 PM

I would use the above settings, but you could also choose to disable the weaker ciphers with:

ssl cipher default custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
0 Helpful

Go to solution
williamehmke1
Level 1
Level 1
In response to Philip D'Ath

‎01-03-2017 02:44 PM

ok thanks Philip, I will be making the changes shortly. Thanks for your input

0 Helpful

Go to solution
Peter Koltl
Level 7
Level 7
In response to Philip D'Ath

‎01-07-2017 06:46 AM

These commands will not infuence TLSv1.2 ciphers which is the most common version. For that you should add

ssl cipher tlsv1.2 ...

0 Helpful

Go to solution
williamehmke1
Level 1
Level 1
In response to Philip D'Ath

‎01-04-2017 05:16 AM

I have 1 final question, is it ok to make these changes on the fly while I have established connections? Will it drop those active connections and force a re-connect?

0 Helpful

Go to solution
Philip D'Ath
VIP Alumni
VIP Alumni
In response to williamehmke1

‎01-04-2017 10:41 AM

Yes, it can be done "on the fly".

0 Helpful
Customers Also Viewed These Support Documents