Force TLSv1.2 or higher
(2020-01-20)
Problem
The ASA is still responding to, and using, protocols older than TLSv1.2.
AKA: SSLv2 and SSLv3 are still being used, which is bad.
Solution
# config
(config)# ssl server-version tlsv1.2
(config)# ssl client-version tlsv1.2
(config)# exit
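An added example, not part of the original post: a Python check that reads a saved running configuration and reports whether both directives above set a floor of TLSv1.2 or higher. The sample config is constructed, and the keyword table (the older `any`/`sslv3` style arguments and `tlsv1.3`) reflects ASA command syntax from outside this page, so adjust it for your release.

```python
import re

# Lowest protocol each keyword permits. Keywords are arguments to the ASA
# `ssl server-version` / `ssl client-version` commands; the legacy ones
# (any, sslv3, *-only) and tlsv1.3 are assumptions not taken from the page.
FLOOR = {"any": 0, "sslv3": 0, "sslv3-only": 0, "tlsv1": 1, "tlsv1-only": 1,
         "tlsv1.1": 2, "tlsv1.2": 3, "tlsv1.3": 4}
REQUIRED = FLOOR["tlsv1.2"]

# Anchored at line start so `no ssl server-version ...` does not match.
# A trailing DTLS keyword on the same line is ignored.
DIRECTIVE = re.compile(r"^\s*ssl\s+(server|client)-version\s+(\S+)", re.I)

# Constructed sample input, not output captured from a real device.
SAMPLE = """\
hostname example-asa
ssl server-version tlsv1.2
ssl client-version tlsv1
"""


def audit_ssl_versions(config_text):
    """Return {role: (keyword_or_None, verdict)} for 'server' and 'client'."""
    seen = {}
    for line in config_text.splitlines():
        m = DIRECTIVE.match(line)
        if m:
            seen[m.group(1).lower()] = m.group(2).lower()  # last line wins
    report = {}
    for role in ("server", "client"):
        kw = seen.get(role)
        if kw is None:
            verdict = "MISSING"   # directive absent: platform default applies
        elif kw not in FLOOR:
            verdict = "UNKNOWN"   # keyword this table does not know about
        elif FLOOR[kw] >= REQUIRED:
            verdict = "OK"
        else:
            verdict = "WEAK"
        report[role] = (kw, verdict)
    return report


if __name__ == "__main__":
    for role, (kw, verdict) in audit_ssl_versions(SAMPLE).items():
        print(f"ssl {role}-version {kw}: {verdict}")
```

This audits the configuration text only; it does not probe what the ASA actually negotiates on the wire.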
Commentary
- The source page (dated 2019-03) suggests that ASDM may be unhappy if TLSv1 is turned off; however, I'm running ASA 9.8(4)15 with ASDM 7.10.1 and it all appears to be working for me.
- It will fuck up AnyConnect v3.1 and below clients, if you are unfortunate enough to be still running those.
- I am pretty sure that by doing this, SSLv2 and SSLv3 are both disabled -- but you'd better research that for yourself instead of just trusting some rando on the internet. There are lots of links out there suggesting that SSLv3 can't be disabled for… some reason.
Source
Based on this community page