Disabling SSL

williamehmke1
Level 1

What are the possible issues that could arise, or that have been seen, when disabling SSL and strictly going with TLS 1.2? Currently we have SSL 2 and SSL 3 set to accept connections and then negotiate to TLS 1.2, and any new connections set to start using TLS 1.2. Below is the output from "sh ssl":

show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 dhe-aes128-sha1 dhe-aes256-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1

6 Replies

Philip D'Ath
VIP Alumni

Well, the possible issue of NOT disabling it is to have your data stolen.  You really should disable it.

As long as you only support Windows 7 or better clients you should be fine.  If you support lower clients, especially Windows XP, then you already have major security issues.

I would avoid using RC4 or 3DES as well.

A set of strong settings is:

ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher dtlsv1 fips
ssl dh-group group24
ssl ecdh-group group20

I would use the above settings, but you could also choose to disable the weaker ciphers with:

ssl cipher default custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA"
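To check a "show ssl" dump like the one in the question against the advice in this reply (no legacy protocol versions accepted or started, no RC4 or 3DES in the enabled cipher order), here is an added example that is not part of the thread or of any Cisco tooling. The "after" output and the weak-cipher markers are assumptions; the "before" output is the one posted above.

```python
import re

# Constructed sample: the "show ssl" output posted in the question.
SHOW_SSL_BEFORE = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1 dhe-aes128-sha1 dhe-aes256-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
"""

# Assumed shape of the output after the hardened settings (constructed, not real device output).
SHOW_SSL_AFTER = """\
Accept connections using TLSv1.2 and negotiate to TLSv1.2
Start connections using TLSv1.2 and negotiate to TLSv1.2
Enabled cipher order: aes128-sha1 aes256-sha1 dhe-aes128-sha1 dhe-aes256-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1 rc4-sha1 3des-sha1
"""

LEGACY_PROTOCOLS = {"sslv2", "sslv3", "tlsv1", "tlsv1.1"}
WEAK_CIPHER_MARKERS = ("rc4", "3des", "des-", "md5", "null")  # assumed policy, not an ASA list


def parse_show_ssl(text):
    """Return (accepted_versions, start_versions, enabled_ciphers) parsed from 'show ssl' text."""
    accepted, start, enabled = [], [], []
    for line in text.splitlines():
        m = re.match(r"(Accept|Start) connections using (.+?) and negotiate", line)
        if m:
            # "SSLv2, SSLv3 or TLSv1" -> ["sslv2", "sslv3", "tlsv1"]
            versions = re.split(r",\s*|\s+or\s+", m.group(2))
            (accepted if m.group(1) == "Accept" else start).extend(v.lower() for v in versions)
        elif line.startswith("Enabled cipher order:"):
            enabled = line.split(":", 1)[1].split()
    return accepted, start, enabled


def audit_show_ssl(text):
    """Flag legacy protocol versions and weak ciphers; an empty list means the box is clean."""
    accepted, start, enabled = parse_show_ssl(text)
    findings = []
    for role, versions in (("accepts", accepted), ("starts outbound with", start)):
        findings += [f"{role} legacy protocol {v}" for v in versions if v in LEGACY_PROTOCOLS]
    findings += [f"weak cipher enabled: {c}" for c in enabled
                 if any(marker in c for marker in WEAK_CIPHER_MARKERS)]
    return findings
```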

OK, thanks Philip, I will be making the changes shortly. Thanks for your input.

These commands will not influence TLSv1.2 ciphers, which is the most common version. For that you should add

ssl cipher tlsv1.2 ...

I have one final question: is it OK to make these changes on the fly while I have established connections? Will it drop those active connections and force a reconnect?

Yes, it can be done "on the fly".