New Member

Why do we need SSL and TLS, and how do we configure TLS if SSL is already present?

Dear All,

I don't have any knowledge about SSL and TLS; kindly describe. What is the purpose of having SSL and TLS in our network?

How can I change the config from SSL to TLS with 128-bit length?

8 REPLIES
Silver

Hi Akbar,

Regarding the cipher settings on the ASA, you can refer to the "ssl cipher" section in the link below:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1724385

Let me know if you have any further query.

Rate if it helps.

Thanks,

Ankita

VIP Purple

What is the purpose of having SSL and TLS in our network?

TLS is the successor of SSL. Today, SSL should not be enabled any more on any device, as it has shown too many weaknesses.

How can I change the config from SSL to TLS with 128-bit length?

That all depends on the device and software version you use.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Karsten, I am using a Cisco ASA 5520 with version 8.3.

Can somebody tell me how I can configure TLS and remove SSL?

VIP Purple

First: I would upgrade to the newest 8.4 interim release or, if possible, to the newest 9.1 release. In 9.1 you also have more crypto options to secure your firewall.

For your release, you should configure the following:

ssl server-version tlsv1-only
ssl encryption aes128-sha1 aes256-sha1

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

And I didn't find SSL or TLS config in the firewall. Is it related to the configs below?

Please tell me what the purpose of the configs below is.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

Also, I don't have the "show ssl ciphers all" command, and our security officer says we have a weak cipher config, as mentioned in the screenshot.

VIP Purple

The config only relates to IPsec VPNs. And on your platform, you won't get rid of the weak ciphers completely. But they can be reduced with the mentioned config. The "ssl cipher" command is not available on your device. If you need more security, you have to upgrade to a current platform with a newer software release. The 5520 is nearly EOL and won't get any current crypto in the future.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
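As an added example (not part of the thread and not Cisco's own tooling), here is a small Python audit that ties the two answers above together: it reads an ASA running-config, flags the IPsec phase 1/phase 2 settings that Karsten says the posted block relates to (3DES, DH group 1/2, MD5), and checks whether the "ssl server-version tlsv1-only" and "ssl encryption aes128-sha1 aes256-sha1" lines he recommended are present and free of other ciphers. The sample config is the one Akbar posted, with constructed "ssl" lines appended; which algorithms count as weak is the example's own assumption, and a missing "ssl server-version" is reported because the ASA default ("any") also negotiates SSLv3.

```python
"""Offline audit of an ASA running-config for the SSL/TLS and IPsec settings discussed in the thread."""
from dataclasses import dataclass
from typing import List, Optional

# Classification used by this example (assumption, following the thread's advice
# to move off 3DES/SSLv3): anything listed here is reported as a finding.
WEAK_ESP = {"esp-des", "esp-3des", "esp-md5-hmac", "esp-null"}
WEAK_ISAKMP_ENC = {"des", "3des"}
WEAK_ISAKMP_HASH = {"md5"}
WEAK_DH_GROUPS = {"1", "2"}              # 768-bit and 1024-bit MODP
WEAK_PFS = {"group1", "group2"}
ACCEPTED_SSL_VERSIONS = {"tlsv1-only"}   # the value Karsten recommends
ACCEPTED_SSL_CIPHERS = {"aes128-sha1", "aes256-sha1"}
ISAKMP_SUBCOMMANDS = {"authentication", "encryption", "hash", "group", "lifetime"}

# Constructed sample: the IPsec lines Akbar posted, indented as "show run" prints them.
SAMPLE_CONFIG_WEAK = """\
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
"""
# Same config with the two lines from the accepted answer appended (constructed).
SAMPLE_CONFIG_HARDENED = SAMPLE_CONFIG_WEAK + "ssl server-version tlsv1-only\nssl encryption aes128-sha1 aes256-sha1\n"
# Constructed ssl lines that still allow SSLv3 and RC4/3DES.
SAMPLE_SSL_BAD = "ssl server-version any\nssl encryption rc4-sha1 aes128-sha1 3des-sha1\n"


@dataclass(frozen=True)
class Finding:
    line: int    # 1-based config line; 0 for "setting absent"
    area: str    # "ssl" or "ipsec"
    detail: str


def audit_asa_config(config: str) -> List[Finding]:
    findings: List[Finding] = []
    saw_server_version = saw_encryption = False
    policy: Optional[str] = None  # current "crypto isakmp policy N" block

    for n, raw in enumerate(config.splitlines(), start=1):
        words = raw.strip().split()
        if not words or words[0].startswith("!"):
            continue
        # ASDM / SSL VPN listener: protocol version and cipher list.
        if words[:2] == ["ssl", "server-version"]:
            saw_server_version = True
            if not set(words[2:]) <= ACCEPTED_SSL_VERSIONS:
                findings.append(Finding(n, "ssl", "ssl server-version '%s' still negotiates SSLv3; use tlsv1-only" % " ".join(words[2:])))
            continue
        if words[:2] == ["ssl", "encryption"]:
            saw_encryption = True
            bad = [c for c in words[2:] if c not in ACCEPTED_SSL_CIPHERS]
            if bad:
                findings.append(Finding(n, "ssl", "ssl encryption includes weak ciphers: " + ", ".join(bad)))
            continue
        # IPsec phase 2: ESP transform-set algorithms and explicit PFS group.
        if words[:3] == ["crypto", "ipsec", "transform-set"]:
            for alg in words[4:]:
                if alg in WEAK_ESP:
                    findings.append(Finding(n, "ipsec", "transform-set %s uses weak %s" % (words[3], alg)))
            continue
        if words[:2] == ["crypto", "dynamic-map"] and "pfs" in words and words[-1] in WEAK_PFS:
            findings.append(Finding(n, "ipsec", "PFS uses weak DH %s" % words[-1]))
            continue
        # IPsec phase 1: an isakmp policy block and its sub-commands.
        if words[:3] == ["crypto", "isakmp", "policy"]:
            policy = words[3]
            continue
        if policy is not None and words[0] in ISAKMP_SUBCOMMANDS:
            key, val = words[0], words[1] if len(words) > 1 else ""
            if (key == "encryption" and val in WEAK_ISAKMP_ENC) or \
               (key == "hash" and val in WEAK_ISAKMP_HASH) or \
               (key == "group" and val in WEAK_DH_GROUPS):
                findings.append(Finding(n, "ipsec", "isakmp policy %s: weak %s %s" % (policy, key, val)))
            continue
        policy = None  # any other top-level command ends the policy block

    if not saw_server_version:
        findings.append(Finding(0, "ssl", "ssl server-version not set: default 'any' also negotiates SSLv3"))
    if not saw_encryption:
        findings.append(Finding(0, "ssl", "ssl encryption not set: platform default cipher list is in effect"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", SAMPLE_CONFIG_WEAK), ("hardened", SAMPLE_CONFIG_HARDENED)):
        print("==", name)
        for f in audit_asa_config(cfg):
            print("line %3d  %-5s  %s" % (f.line, f.area, f.detail))
```

Run against the hardened sample the SSL findings disappear while the IPsec ones remain, which matches Karsten's point that the posted block is IPsec only and that the "ssl" commands are the separate knob for the web/VPN listener.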
New Member

Thank you all, just one last question.

Can SSL config be done only on the ASA, or can it be configured on any switch or router? Is it normal to configure SSL at the switch level? Actually, the security officer's requirement is to configure SSL in the switches as well; a screenshot is attached for reference.

How can I configure it in switches, and

is it the default config in Cisco switch IOS mentioned in the screenshot? Because I don't see any SSL config in the switches.

VIP Purple

If you need to enable the web server on your switches/routers, then you also need to configure these devices accordingly. For both platforms you need very new IOS releases to have the tools available to configure that.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni