Force TLSv1.2 or higher
(2020-01-20)
this community page
Problem
ASA still responding to, and using, protocols less than TLS1.2.AKA: SSLv2 and SSLv3 are still being used, which is bad.Solution
# config (config)# ssl server-version tlsv1.2 (config)# ssl client-version tlsv1.2 (config)# exit
Commentary
- The source page (dated 2019-03) suggests that ASDM may be unhappy if TLSv1 is turned off, however I'm running ASA 9.8(4)15 with ASDM 7.10.1 and it all appears to be working for me.
- It will fuck up AnyConnect v3.1 and below clients, if you are unfortunate enough to be still running those.
- I am pretty sure that by doing this, SSLv2 and SSLv3 are both disabled -- but you'd better research that for yourself instead of just trusting some rando on the internet. There are lots of links out there suggesting that SSLv3 can't be disabled for… some reason.
Source
Based onthis community page
no comments |
post comment
Virtual Dave Megaplex:
- Home Page
- This wiki's start page
- Send Feedback To Dave
Logged in Users: (0)
Recently Changed
Check Internet Service Database Match- Device-Local Certificate Expired
- CLI Policy Lookup
- DH Selection For IPsec VPNs
- Scan For Newly Added Disk
- nmap
- Seconds Since Epoch to Local Time
- Link Monitor
- DH group to OAKLEY_GROUP table
- Fire Eater
- start
- FortiClient Error Codes
- dhparams Generation
- SSL Certificate Bundles
- ufw
- Grow A LVM Partition
- Creating Users
- whoami
- list databases
- 2023
- 2022
- 2019
- 2018
- 2017
- 2011
- 2010
- 2008
- 2001
- 2000
- 1999
Editing: snipsnap-help, Image Macro(Et auditum est, et idcirco ego nunc simulare)
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.