DTLS 1.0 vs TLS 1.0 vulnerability

fsebera
Level 4

We run the latest version of the AnyConnect client and notice

SSL tunnel uses TLS 1.2 encapsulation

DTLS tunnel uses DTLS 1.0 encapsulation.

Research shows TLS 1.0 is not PCI compliant; where does DTLS 1.0 fit in here?

Is there a way or need to migrate from DTLS 1.0 to DTLS 1.2?

Thank you

Frank 

Accepted Solution

DTLS 1.0 is comparable to TLS1.1, not TLS1.0. Although DTLS 1.2 is standardized for quite some time, it's not implemented in the ASA (as of version 9.7).

4 Replies


Hi Karsten,

Yes I just did see a document stating DTLS 1.0 is based on TLS 1.1 standard and thus DTLS 1.0 appears to be fine. Thank you for confirming though!

I guess we will look forward to the AnyConnect client update sometime in the future.

Thanks

Frank

Cisco has enabled TLS v1.2 support for DTLS-based VPN connections with the AOS 9.10 code trail. To establish DTLS-based VPN connections using TLS v1.2, you need to use the Cisco AnyConnect 4.7 client, which is not (yet) officially released but is available as an alpha (or beta) version.
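To check what a tunnel actually negotiates rather than relying on the client's status display, the DTLS record header and the ServerHello inside it can be read straight from a packet capture. The following is an added example, not code from this thread or from Cisco: it parses a DTLS record, maps the wire version (0xFEFF = DTLS 1.0, 0xFEFD = DTLS 1.2) to the TLS version it is comparable to, and, for a ServerHello, reports the negotiated version. The sample record is constructed in the block, not taken from a real AnyConnect capture.

```python
import struct

# DTLS wire versions are the ones'-complement of the TLS version they derive from.
# DTLS 1.0 (0xFEFF) is based on TLS 1.1; DTLS 1.2 (0xFEFD) on TLS 1.2. There is no DTLS 1.1.
DTLS_VERSIONS = {
    (0xFE, 0xFF): ("DTLS 1.0", "TLS 1.1"),
    (0xFE, 0xFD): ("DTLS 1.2", "TLS 1.2"),
}
CONTENT_HANDSHAKE = 22
HS_SERVER_HELLO = 2


def parse_dtls_record(data: bytes) -> dict:
    """Parse one DTLS record (13-byte header) and, if it carries a ServerHello,
    the server_version field that states the negotiated protocol version."""
    if len(data) < 13:
        raise ValueError("short DTLS record header")
    # content type (1), version (2), epoch (2), 48-bit sequence number (6), length (2)
    ctype, vmaj, vmin, epoch, seq_hi, seq_lo, length = struct.unpack("!BBBHHIH", data[:13])
    payload = data[13:13 + length]
    if len(payload) != length:
        raise ValueError("truncated DTLS record body")
    label, tls_equiv = DTLS_VERSIONS.get((vmaj, vmin), ("unknown", "unknown"))
    rec = {"content_type": ctype, "record_version": label, "comparable_tls": tls_equiv,
           "epoch": epoch, "sequence": (seq_hi << 32) | seq_lo, "length": length,
           "negotiated_version": None}
    # handshake header: type (1), length (3), message_seq (2), fragment_offset (3), fragment_length (3)
    if ctype == CONTENT_HANDSHAKE and len(payload) >= 14 and payload[0] == HS_SERVER_HELLO:
        # ServerHello body starts at offset 12 with server_version (2 bytes)
        sv = (payload[12], payload[13])
        rec["negotiated_version"] = DTLS_VERSIONS.get(sv, ("unknown", "unknown"))[0]
    return rec


def build_server_hello_record(server_version: tuple) -> bytes:
    """Constructed sample (not a real capture): a DTLS record whose handshake
    payload is a minimal ServerHello carrying the given server_version.
    Random, session id and compression fields are zeroed; cipher suite is a placeholder."""
    body = bytes(server_version) + bytes(32) + b"\x00" + b"\xc0\x2f" + b"\x00"
    hs = (bytes([HS_SERVER_HELLO]) + len(body).to_bytes(3, "big") + b"\x00\x00"
          + bytes(3) + len(body).to_bytes(3, "big") + body)
    # Handshake records are commonly sent with record version DTLS 1.0 regardless of
    # what is negotiated, which is why the ServerHello field is the one to read.
    return (bytes([CONTENT_HANDSHAKE, 0xFE, 0xFF]) + b"\x00\x00" + bytes(6)
            + len(hs).to_bytes(2, "big") + hs)


if __name__ == "__main__":
    for ver in ((0xFE, 0xFF), (0xFE, 0xFD)):
        print(parse_dtls_record(build_server_hello_record(ver)))
```

The record-layer version alone can mislead, since handshake records often carry 0xFEFF even when DTLS 1.2 is negotiated; the ServerHello field is the authoritative one.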


robertokippins
Level 1

Hi, what's the most secure setting to use here:

[attached screenshot: Capture.PNG]