For When You Can't Have The Real Thing
[ start | index | login ]
start > Cisco > ASA > 9.8 > Force TLSv1.2 or higher

Force TLSv1.2 or higher

Created by dave. Last edited by dave, 62 days ago. Viewed 37 times. #2
[diff] [history] [edit] [rdf]
labels
attachments
(2020-01-20)

Problem

ASA still responding to, and using, protocols less than TLS1.2.

AKA: SSLv2 and SSLv3 are still being used, which is bad.

Solution

# config
(config)# ssl server-version tlsv1.2
(config)# ssl client-version tlsv1.2
(config)# exit

Commentary

  • The source page (dated 2019-03) suggests that ASDM may be unhappy if TLSv1 is turned off, however I'm running ASA 9.8(4)15 with ASDM 7.10.1 and it all appears to be working for me.
  • It will fuck up AnyConnect v3.1 and below clients, if you are unfortunate enough to be still running those.
  • I am pretty sure that by doing this, SSLv2 and SSLv3 are both disabled -- but you'd better research that for yourself instead of just trusting some rando on the internet. There are lots of links out there suggesting that SSLv3 can't be disabled for… some reason.

Source

Based on >>this community page

no comments | post comment
This is a collection of techical information, much of it learned the hard way. Consider it a lab book or a /info directory. I doubt much of it will be of use to anyone else.

Useful:


snipsnap.org | Copyright 2000-2002 Matthias L. Jugel and Stephan J. Schmidt