Currently we are using SSL 3.0 on the firewall for exposing one of the intranet portals to outside users. We want to enable TLSv1.1 or 1.2.
According to the output of ssl server-version, we have only these options:
any, sslv3, sslv3-only, tlsv1, tlsv1-only.
Our appliance is running the following image:
Cisco Adaptive Security Appliance Software Version 8.2(5)
What measures have to be taken to resolve this issue?
It seems that the ASA is a little behind in supporting the latest crypto. On my devices I configured "tls1-only" for the "ssl server-version" to make sure that no older SSL versions are used. In addition to that I configured the SSL ciphers the following way:
ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1
But I'm pretty sure that the older 8.2(5) versions don't yet support the more modern DHE crypto.
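As an added example (not from this thread or from Cisco), a small Python check that pulls the ssl server-version and ssl encryption lines out of an ASA running-config dump and flags anything other than the tlsv1-only setting described above, plus suites that offer no forward secrecy. The weak-cipher name fragments and the "any" default when the line is absent are assumptions for this check.

```python
import re

# Cipher-name fragments treated as weak here (an assumption for this check,
# not a list from the thread): RC4, single DES / 3DES, and NULL suites.
WEAK_CIPHER_MARKERS = ("rc4", "des", "null")

def parse_ssl_lines(config_text):
    """Pull 'ssl server-version' and 'ssl encryption' out of a config dump."""
    server_version, ciphers = None, []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("!") or not line:
            continue  # ASA comment line or blank
        m = re.fullmatch(r"ssl server-version (\S+)", line)
        if m:
            server_version = m.group(1)
            continue
        m = re.fullmatch(r"ssl encryption (.+)", line)
        if m:
            ciphers = m.group(1).split()
    return server_version, ciphers

def audit_ssl_config(config_text):
    """Return a list of findings for the ssl configuration; [] means clean."""
    sv, ciphers = parse_ssl_lines(config_text)
    findings = []
    if sv is None:
        sv = "any"  # assumption: ASA behaves as 'any' when the line is absent
    if sv != "tlsv1-only":
        findings.append(f"ssl server-version {sv}: pre-TLS negotiation still possible; set tlsv1-only")
    if sv == "sslv3-only":
        findings.append("ssl server-version sslv3-only: TLS disabled entirely")
    for c in ciphers:
        if any(marker in c.lower() for marker in WEAK_CIPHER_MARKERS):
            findings.append(f"ssl encryption: weak suite {c}")
    if ciphers and not any(c.startswith("dhe-") for c in ciphers):
        findings.append("ssl encryption: no DHE suite, so no forward secrecy")
    return findings

# Constructed samples: the first mirrors an 8.2(5) box left at defaults,
# the second the hardening described in the reply above.
WEAK_CONFIG = "ssl server-version any\nssl encryption rc4-sha1 aes128-sha1 3des-sha1\n"
HARDENED_CONFIG = ("ssl server-version tlsv1-only\n"
                   "ssl encryption dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1\n")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_ssl_config(cfg) or ["no findings"])
```

Feed it the output of "show running-config ssl" from the appliance; an empty result means the thread's recommended settings are in place.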
No, it's not even in 9.1 (tested) or 9.2/9.3 (untested, but there are no changes documented).
It's still only TLSv1.0.
Hope is all that we can have ... ;-) Just remember that v1.2 is brand new, just six years old ... ;-) But I'm confident that sooner or later the ASA will support TLSv1.2.
TLSv1.2 is now supported starting with the ASA 9.3(2) release and above, which is available now on CCO.
For your reference:
P.S.: Please rate the post if it helped or accept the reply as solution if answered.
But sadly, your ASA (and many of mine) will not get this version. It's only available on the -X models.