Solved: Karsten i am using cisco ASA

Akbar ali Sultan · ‎06-20-2016

Dear All,

i don't have any knowledge about SSL and TLS kindly describe. what is the purpose of having ssl and tls in our network

how can i change config from SSL to TLS with 128 bit length

ankojha · ‎06-20-2016

Hi Akbar,

Regarding the cipher settings on the ASA you can refer "ssl cipher" section in the below link

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1724385

let me know if you have any further query.

Rate if it helps.

Thanks,

Ankita

View solution in original post

Karsten Iwen · ‎06-20-2016

First: I would upgrade to the newest 8.4 interims-release or if possible to the newest 9.1 release. In 9.1 you also have more crypto-options to secure your firewall.

For your release, you should configure the following:

ssl server-version tlsv1-only
ssl encryption aes128-sha1 aes256-sha1

View solution in original post

ankojha · ‎06-20-2016

Hi Akbar,

Regarding the cipher settings on the ASA you can refer "ssl cipher" section in the below link

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1724385

let me know if you have any further query.

Rate if it helps.

Thanks,

Ankita

Karsten Iwen · ‎06-20-2016

what is the purpose of having ssl and tls in our network

TLS is the successor of SSL. Today, SSL should not be enabled any more on any device as it has shown too many weaknesses.

how can i change config from SSL to TLS with 128 bit length

That all depends on the device and software-version you use.

Akbar ali Sultan · ‎06-20-2016

Karsten i am using cisco ASA 5520 and 8.3 version

can somebody tell me how can i configure TLS and remove SSL

Karsten Iwen · ‎06-20-2016

First: I would upgrade to the newest 8.4 interims-release or if possible to the newest 9.1 release. In 9.1 you also have more crypto-options to secure your firewall.

For your release, you should configure the following:

ssl server-version tlsv1-only
ssl encryption aes128-sha1 aes256-sha1

Akbar ali Sultan · ‎06-21-2016

and i didn't find ssl or tls config in firewall is it related to below configs

please tell me what is the purpose of below configs.

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto dynamic-map outside_dyn_map 20 set pfs group1
crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400

also i dont have show ssl ciphers all command and our security officer says we have weak cipher config as mentioned in screenshot

Karsten Iwen · ‎06-21-2016

The config only relates to IPsec VPNs. And on your platform, you won't get rid of the weak ciphers completely. But they can be reduced with the mentioned config. The "ssl cipher" command is not available on your device. If you need more security, you have to upgrade to an actual platform with a newer software-release. The 5520 is nearly EOL and won't get any actual crypto in the future.

Akbar ali Sultan · ‎06-21-2016

Thank you all just last question

ssl config can be done only in ASA or can be config any switch or router is it normal to config SSL on switch level actually security officer requirement to config ssl in switches as well screenshot attached for reference

how can i config in switches and

is it default config in cisco switch IOS mentioned in screenshot because i dont see any SSL config in switches

Karsten Iwen · ‎06-21-2016

If you need to enable the webserver on your switches/router, then you need to configure also these devices accordingly. For both platforms you need very new IOS releases to have the tools available to configure that.

Why we need SSL and TLS and how to config TLS if already SSL present ?