We help IT Professionals succeed at work.

Is there a way to disable SSLV3 on a cisco ASA 5505?

GoNats
GoNats asked
on
Due to sslv3 vulnerability,  i need to disable sslv3 on a Cisco ASA 5505.  Is there a way to do this?  Thanks for your help.
Comment
Watch Question

Exec Consultant
Distinguished Expert 2019
Commented:
Kindly see Cisco guidelines - http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/asdm52/user/guide/user/ssl.html

You would need to allow TLS only- ASA(config)# ssl client-version tlsv1-only
OR reference this
To disable SSLv3, do something like this:

parameter-map type ssl PARAMMAP_SSL
  cipher RSA_WITH_3DES_EDE_CBC_SHA
  cipher RSA_WITH_AES_128_CBC_SHA priority 2
  cipher RSA_WITH_AES_256_CBC_SHA priority 3
  version TLS1

ssl-proxy service SSL_PSERVICE_SERVER
  ssl advanced-options PARAMMAP_SSL

(Omitted all the other important, but not to this exact solution, stuff in the ssl-proxy config)
https://supportforums.cisco.com/discussion/12326341/sslv3-poodle-vulnerability

there is also Cisco advice in addressing the Poodle vulnerability, include tools. But note that disabling the SSLv3 protocol may impact connectivity or interoperability with some clients and servers.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle