- Cisco Employee,
In response to the SSL renegotiation vulnerability, Microsoft has published two security updates.
http://support.microsoft.com/kb/980436 - This is installed automatically with Windows Update.
This is explained in more detail in the following security bulletin from Microsoft:
This update disables SSL renegotiation and also adds a TLS renegotiation extension to the Client Hello; SSL servers such as the VPN 3000 Concentrator do not understand this extension and fail the SSL handshake.
1) The SSL VPN client (not the AnyConnect client) will fail to connect after the security update.
This affects connections to the ASA, the Cisco VPN 3000 Concentrator, AND IOS routers.
ASA users can upgrade from the SSL VPN client to AnyConnect, which should resolve this issue.
2) A clientless WebVPN session from a browser will fail to an ASA headend running 8.2.1 to 22.214.171.124 with client certificate authentication enabled, once the above security update is installed.
3) AnyConnect WebLaunch will also fail, because it depends on the clientless WebVPN session.
1) Upgrade the client to AnyConnect if an ASA is the headend device. The VPN 3000 Concentrator does not support AnyConnect. An IOS headend can be upgraded to 12.4(15)T or later, which supports AnyConnect.
2) Per http://support.microsoft.com/kb/980436, you can add the following DWORD value to the Windows registry and set it to a non-zero value to restore SSL VPN client (SVC 1.x) functionality:
DWORD: UseScsvForTls Value: non-zero (I used 1) Effect: Client sends SCSV for TLS protocol
This only stops the client from sending the TLS renegotiation extension in the SSL hello (it signals renegotiation support with the SCSV cipher suite value instead), and is the workaround for the 3000 Concentrator, since that product does not support AnyConnect.
3) For the Cisco SSL VPN client, remove the MS security update above. This should be done at your own risk, as the machine will be vulnerable per the security bulletin.
1) For clientless access and AnyConnect WebLaunch failing when client-side certificates are used on 8.2.x versions, upgrade to the latest 8.2.x version. The version should be 126.96.36.199 or later, such as 8.2.2 or 8.2.3. This contains the fix for bug CSCtd00697 http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtd00697
2) For the VPN 3000 Concentrator and the SSL VPN client, as the product has reached end of software maintenance, the only option is to upgrade to a headend that supports AnyConnect, such as an ASA or an IOS router.