
TLSv1.1

dkajohn123
Level 1

I have an ASA5505. I am failing my PCI compliance tests because my device only supports TLSv1.0. I need to support TLSv1.1 or 1.2. Does anyone know how I can fix this? Is there a software upgrade?

2 Replies

Jorge Salas
Cisco Employee

Unfortunately there are NO plans to support TLS1.1/1.2, but Cisco will provide a fix for those platforms; unfortunately there is no ETA at this time.

This is tracked under the bug CSCts83720.

The security appliance accepts only TLSv1 client hellos. Currently there is only one ASA release that supports TLSv1.2, and it is version 9.3.2. Before this version this was not supported at all.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/release/notes/asarn93.html

"We now support TLS version 1.2 (ASDM, Clientless SSVPN, and AnyConnect VPN). We introduced or modified the following commands: ssl client-version, ssl server-version, ssl cipher, ssl trust-point, ssl dh-group, show ssl, show ssl cipher, show vpn-sessiondb. We deprecated the following command: ssl encryption"

Unfortunately, version 9.3 is only supported on the next ASA generation. Please take a look at:

"Table 2 ASA and ASDM Compatibility: Legacy Models"

http://www.cisco.com/c/en/us/td/docs/security/asa/compatibility/asamatrx.html

You can upgrade to 9.1(6). That won't give you TLS1.2, as stated by Jorge, but at least you are no longer vulnerable to POODLE once you have the correct ASA config:

ssl server-version tlsv1-only
ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1
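A way to check a box against both points raised in this thread (Jorge's note that the 9.1 train tops out at TLSv1.0, and the two config lines above) before the next PCI scan is to audit the ssl lines of the running-config. The script below is an added example written for this thread, not Cisco tooling; it assumes the 9.1 command syntax quoted here (ssl server-version / ssl encryption), and the keyword sets and the "any" default are my reading of the 9.1 CLI, marked as such in the comments. The two sample configs are constructed.

```python
"""Audit the 'ssl' lines of an ASA 9.1 running-config against a PCI-style policy.

Added example for this thread, not Cisco tooling. Assumes the 9.1 command
syntax quoted in the thread (ssl server-version / ssl encryption).
"""
import re

# 'ssl server-version' keywords that still let the appliance negotiate SSLv3
# (the POODLE exposure the thread's config removes). Assumption: 9.1 semantics,
# where 'any' and 'sslv3' negotiate the highest common version starting at SSLv3.
SSLV3_CAPABLE = {"any", "sslv3", "sslv3-only"}

# 'ssl encryption' keywords a PCI scanner rejects outright (RC4, single DES, NULL).
WEAK_CIPHERS = {"rc4-md5", "rc4-sha1", "des-sha1", "null-sha1"}
# Deprecated but not always flagged; reported separately.
LEGACY_CIPHERS = {"3des-sha1"}

SERVER_VERSION_RE = re.compile(r"^ssl server-version (\S+)$")
ENCRYPTION_RE = re.compile(r"^ssl encryption (.+)$")


def parse_ssl_lines(config_text):
    """Extract (server_version, cipher_list) from the ssl lines of a config dump.

    server_version falls back to 'any' (assumed 9.1 default when the line is
    absent); cipher_list is None when no 'ssl encryption' line is present.
    """
    server_version = "any"
    ciphers = None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SERVER_VERSION_RE.match(line)
        if m:
            server_version = m.group(1)
            continue
        m = ENCRYPTION_RE.match(line)
        if m:
            ciphers = m.group(1).split()
    return server_version, ciphers


def audit(config_text):
    """Return parsed settings plus a list of findings (empty means the SSLv3 and
    cipher checks pass; the TLSv1.0 ceiling is reported in 'note', not as a finding)."""
    server_version, ciphers = parse_ssl_lines(config_text)
    findings = []
    if server_version in SSLV3_CAPABLE:
        findings.append(f"ssl server-version {server_version}: SSLv3 negotiable (POODLE)")
    if ciphers is None:
        findings.append("no 'ssl encryption' line: platform default cipher list in effect, set it explicitly")
    else:
        weak = [c for c in ciphers if c in WEAK_CIPHERS]
        if weak:
            findings.append("weak ciphers enabled: " + " ".join(weak))
        legacy = [c for c in ciphers if c in LEGACY_CIPHERS]
        if legacy:
            findings.append("legacy ciphers enabled: " + " ".join(legacy))
    return {
        "server_version": server_version,
        "ciphers": ciphers,
        "sslv3_possible": server_version in SSLV3_CAPABLE,
        "findings": findings,
        # What this config cannot fix: on 9.1 the ceiling is TLSv1.0, which PCI
        # scanners still report as early TLS; TLSv1.2 needs 9.3(2)+ per the thread.
        "note": "highest negotiable protocol is TLSv1.0 on the 9.1 train",
    }


# Constructed sample: a box left at the server-version default with an RC4/3DES list.
BEFORE = """\
hostname asa-before
ssl server-version any
ssl encryption rc4-sha1 3des-sha1 aes128-sha1 aes256-sha1
"""

# Constructed sample using the two lines recommended in the thread.
AFTER = """\
hostname asa-after
ssl server-version tlsv1-only
ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1
"""

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        result = audit(cfg)
        print(f"{label}: server-version={result['server_version']} sslv3={result['sslv3_possible']}")
        for finding in result["findings"]:
            print("  -", finding)
        print("  note:", result["note"])
```

Feed it the output of `show running-config ssl` from the appliance; a clean result for the "after" config still carries the TLSv1.0 note, which is exactly the early-TLS item the 9.1 train cannot clear.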