
Force TLSv1.2 or higher

(2020-01-20)

Problem

The ASA still accepts (as a server) and negotiates (as a client) protocol versions lower than TLS 1.2.

AKA: SSLv2 and SSLv3 are still being used, which is bad.

Solution

# configure terminal
(config)# ssl server-version tlsv1.2
(config)# ssl client-version tlsv1.2
(config)# exit
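Once the change is in, this added check (not from the page or from Cisco) pins a client handshake to each TLS version in turn and reports which ones the ASA still completes, so you can see for yourself rather than trust the config line. It assumes Python 3.7+ on a host that can reach the ASA's HTTPS listener; SSLv2/SSLv3 are not probed because modern OpenSSL builds no longer offer them at all.

```python
import socket
import ssl

# Versions to try, oldest first; after the config above only TLSv1.2 (and TLSv1.3 where supported) should succeed.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
MINIMUM_ALLOWED = "TLSv1.2"

def probe_version(host, port, version, timeout=5.0):
    """One handshake pinned to exactly `version`; returns (accepted, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # we are testing negotiation, not certificate trust
    ctx.verify_mode = ssl.CERT_NONE
    try:
        # Modern OpenSSL will not even offer TLS 1.0/1.1 at its default security
        # level; lowering it client-side makes sure a refusal comes from the ASA.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # LibreSSL and older builds do not understand @SECLEVEL
    try:
        ctx.minimum_version = version  # ValueError if the local library lacks it
        ctx.maximum_version = version
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
    except ssl.SSLError as exc:        # server refused (or aborted) this version
        return False, exc.reason or str(exc)
    except (OSError, ValueError) as exc:
        return False, str(exc)

def probe_all(host, port):
    """Probe every entry in VERSIONS; returns {name: (accepted, detail)}."""
    return {name: probe_version(host, port, ver) for name, ver in VERSIONS.items()}

def weak_accepted(results):
    """Names of versions below MINIMUM_ALLOWED that the server still accepted."""
    names = list(VERSIONS)
    cutoff = names.index(MINIMUM_ALLOWED)
    return [n for n in names[:cutoff] if results.get(n, (False, ""))[0]]

if __name__ == "__main__":
    import sys  # usage: python probe.py <asa-host> [port]; port defaults to 443
    results = probe_all(sys.argv[1], int(sys.argv[2]) if len(sys.argv) > 2 else 443)
    print(results, "\nBelow policy minimum but accepted:", weak_accepted(results) or "none")
```

An empty list from weak_accepted means nothing older than TLS 1.2 completed a handshake; any name in it is a version the box still talks.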

Commentary

  • The source page (dated 2019-03) suggests that ASDM may be unhappy if TLSv1 is turned off; however, I'm running ASA 9.8(4)15 with ASDM 7.10.1 and it all appears to be working for me.
  • It will fuck up AnyConnect v3.1 and below clients, if you are unfortunate enough to be still running those.
  • I am pretty sure that by doing this, SSLv2 and SSLv3 are both disabled -- but you'd better research that for yourself instead of just trusting some rando on the internet. There are lots of links out there suggesting that SSLv3 can't be disabled for… some reason.

Source

Based on this community page