Disabling SSLv3 on Cisco
I have an ASA 5515X firewall running on software version 9.1(1). Does anyone know how to properly disable SSLv3 on this device? This is in regards to addressing the POODLE vulnerability. Thank you.
You can try using v9.3(2) and only allow TLS 1.2. Look at this thread:
https://supportforums.cisco.com/discussion/12393656/asa-ssl-certificate-report-ssllabscom
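To verify the change after tightening the ASA (or any of the listeners in the threads below), here is an added Python example, not from the thread or from Cisco: it sends a minimal SSLv3 ClientHello and classifies the server's first record, where a ServerHello at version 3.0 means SSLv3 is still accepted and an alert means it was refused. The suite list and the replies in the comments are constructed; probe() needs network access, the other functions run offline.

```python
"""Send a bare SSLv3 ClientHello to a TLS listener and classify the first record returned."""
import os
import socket
import struct
import sys

# Constructed offer: a few SSLv3-era suites (RC4 and CBC) from the RFC 6101 / RFC 5246 registry.
SSLV3_SUITES = (0x0004, 0x0005, 0x000A, 0x002F, 0x0035)

# Alert descriptions a hardened server commonly answers with (RFC 5246 section 7.2).
# 70 (protocol_version) is the "fatal error code" the SChannel event in the Exchange thread reports.
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version"}


def build_sslv3_client_hello(suites=SSLV3_SUITES):
    """Record layer + handshake header + ClientHello body, all flagged version 3.0."""
    body = b"\x03\x00"                                   # client_version = SSL 3.0
    body += os.urandom(32)                               # client random
    body += b"\x00"                                      # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                  # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1 = ClientHello
    return b"\x16\x03\x00" + struct.pack("!H", len(handshake)) + handshake


def classify_reply(data):
    """Map the server's first record to: sslv3_accepted, rejected:<alert>, closed, unexpected."""
    if len(data) < 5:
        return "closed"                                  # peer hung up without a record
    ctype = data[0]
    if ctype == 0x15 and len(data) >= 7:                 # alert record: level, description
        return "rejected:" + ALERT_NAMES.get(data[6], str(data[6]))
    if ctype == 0x16 and len(data) >= 11 and data[5] == 0x02:   # handshake, ServerHello
        major, minor = data[9], data[10]                 # server_version follows 4-byte header
        return "sslv3_accepted" if (major, minor) == (3, 0) else f"other_version:{major}.{minor}"
    return "unexpected"


def probe(host, port=443, timeout=5.0):
    """Connect, send the hello, classify what comes back (network access required)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_reply(sock.recv(4096))
        except (socket.timeout, ConnectionResetError):
            return "closed"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(f"{target}:{port} -> {probe(target, port)}")
```

Run it against each port a scanner flags (443, or 2381 in the HP Systems Management thread below) rather than only the main web listener.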
Similar Messages
-
Disable SSLv3 in AnyConnect on Cisco 2821
We are running anyconnect-win-3.1.06073-k9.pkg on a 2821 IOS router. Is there a way to disable SSLv3?
The release notes indicate CSCur27617 - AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux was resolved in AnyConnect 3.1.05187.
Thank you
Hi Rob,
According to the bug:
All versions of desktop AnyConnect for Mac OS X and Linux prior to 3.1.00495 are vulnerable, so AnyConnect 3.1.06.073 is safe from the POODLE vulnerability.
On AnyConnect you can disable SSL by using IKEv2 instead of the SSL protocols; however, as the bug mentions, the client creates a parallel SSL tunnel to get updates and the profile from the router.
If you're asking to disable SSLv3 on the router, unfortunately there is no code yet; the workaround is to disable the webvpn or upgrade the VPN client.
Also, here is the official advisory for the POODLE vulnerability on Cisco products.
http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
Hope it helps
- Randy
-
How do I disable SSLv3 in Safari (OSX & iOS)
Hi All,
So following this morning's Google announcement on the SSLv3 vulnerability, I tried disabling it on the client side on my various systems and browsers. On OSX, I managed to do it for Firefox and Chrome but not for Safari. On iOS I didn't manage at all.
Any clue on how it can be done?
FWIW:
- Disabling SSLv3 in Firefox:
Open about:config, find security.tls.version.min and set the value to 1. Then restart your browser to drop any open SSL connections.
- Disabling SSLv3 in Chrome:
Launch Chrome using an AppleScript that contains the following
do shell script "open -a /Applications/Google\\ Chrome.app --args --ssl-version-min=tls1"
- Checking client-side vulnerability:
https://www.poodletest.com/
- Checking server-side vulnerability:
http://www.poodlebleed.com
Cheers,
Alex
Apple posted the following updates that include a fix for the SSLv3 "Poodle" issue:
Yosemite 10.10
Security Update 2014-005 Mavericks
Security Update 2014-005 Mountain Lion
as well as updates for all currently supported Servers (4.0, 3.2.2, 2.2.5)
All of them contain the following:
Secure Transport
Impact: An attacker may be able to decrypt data protected by SSL
Description: There are known attacks on the confidentiality of SSL
3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
could force the use of SSL 3.0, even when the server would support a
better TLS version, by blocking TLS 1.0 and higher connection
attempts. This issue was addressed by disabling CBC cipher suites
when TLS connection attempts fail.
CVE-ID
CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
Google Security Team
It would appear that your browsers will show "maybe vulnerable" on the poodletest site, so my guess is that OS X will prevent all apps from using SSLv3 even if they would otherwise be capable of doing so. This will protect other apps, such as e-mail clients that are also normally able to use SSLv3.
-
Hello everyone,
As part of January security updates, Azure has disabled SSLV3.0 support by default for Azure Cloud Services customers, effective 01/19/2015. For details, please check
Security Bulletin.
As a result, the sample code to invoke a web service will not work if SSL version 3.0 is specified. For example, R sample code has
# Accept SSL certificates issued by public Certificate Authorities
options(RCurlOptions = list(sslVersion=3L, cainfo = system.file("CurlSSL", "cacert.pem", package = "RCurl")))
You will hit errors like the ones below:
* Hostname was NOT found in DNS cache
* Trying 191.238.225.148...
* Connected to ussouthcentral.services.azureml.net (191.238.225.148) port 443 (#0)
* successfully set certificate verify locations:
* CAfile: C:/Program Files/R/R-3.1.2/library/RCurl/CurlSSL/cacert.pem
CApath: none
* Unknown SSL protocol error in connection to ussouthcentral.services.azureml.net:443
* Closing connection 0
Error in function (type, msg, asError = TRUE) :
Unknown SSL protocol error in connection to ussouthcentral.services.azureml.net:443
The mitigation is:
Upgrade R client's RCurl package to the latest version (in RStudio, this can be done using Tools -> Check for package updates)
In the sample code, remove sslVersion=3L.
AzureML team is aware of this issue and an update to the sample code is scheduled soon.
Thanks,
Jing
Or, if you want to be explicit, set sslVersion = 1; that also works.
Thanks,
Jing -
How to disable SSLv3 and RC4 on Lync Server Access Edge?
We use Lync Server 2013.
How to disable SSLv3 and RC4 on Lync Server Access Edge?
This solution https://technet.microsoft.com/en-us/library/security/3009008.aspx doesn't work.
Hi dizen,
To completely disable RC4, you can create the following registry key:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
For more details, please check out this KB.
http://support.microsoft.com/kb/2868725
Best regards,
Eric -
How to disable SSLv3 on SSL enabled NodeManager (wls12.1.1 with jRockit)
how to disable SSLv3 on SSL enabled NodeManager (wls12.1.1 with jRockit)
Hi,
Add the following Java option in the StartNodeManager.sh file.
Steps to disable SSLv3 protocol on Weblogic:
1. The weblogic.security.SSL.protocolVersion command-line argument lets you specify which protocol is used for SSL connections.
2. After enabling/configuring the SSL for weblogic server, append the following option to the JAVA_OPTIONS variable
-Dweblogic.security.SSL.protocolVersion=TLS1
NOTE: If you don't specify the above property, it defaults to SSLv3.
Check the below Links for more information
http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1046921.aspx
http://docs.oracle.com/cd/E17904_01/web.1111/e13707/ssl.htm#SECMG494
CVE-2014-3566 - Instructions to Mitigate the SSL v3.0 Vulnerability (aka "Poodle Attack") in Java SE
Additional Info
Poodle Vulnerability CVE-2014-3566
Hope it helps -
Disabling SSLV3 and weak ciphers - Server 2008 R2
Hi,
I have disabled SSLv3 in the registry using the following TechNet article. I rebooted the servers, but when I run a scan through
https://www.poodlescan.com/ it says "This server supports the SSL v3 protocol."
I have tested it through other scanners also
https://technet.microsoft.com/en-us/library/security/3009008.aspx
Which cipher suites disable SSLv3 completely on Windows Server 2008 R2 and IIS 7.5?
Is there any patch or script that could help completely secure the server?
In HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server make a new DWORD value
"Enabled" and set it to 0 (zero).
You need a reboot to apply the setting.
Note that if you are hosting IIS behind a load-balancing solution, the load balancer often does SSL offloading. In that case you need to reconfigure the load balancer.
MCP/MCSA/MCTS/MCITP -
Hi!
I need to disable SSLv3 on my 3650 switches so my customer can access the wireless GUI through HTTPS (with Firefox/Chrome).
Concerning this, my customer really doesn't need to use HTTPS; but since I added the 3650 switches to Prime Infrastructure, it enables HTTPS and disables HTTP on every single switch.
So my issue can be solved by:
Disabling SSLv3, or disabling the feature in Prime Infrastructure that enables HTTPS on every switch after syncing.
For all your attention and future help, thank you so much.
Best Regards!
-
Disable SSLv3 on Exchange 2010 server (Poodle Vulnerability)
Following the recommendation to mitigate the Poodle vulnerability, we tried disabling SSLv3 and making sure that users had TLS 1.1 and 1.2 enabled on their browsers.
We used IIScrypt to turn off SSLv3 (v2 was already disabled from before).
Now, OWA works fine, and users are able to connect via the Web.
Internally, users are also able to connect with Outlook 2010/2013.
However, users are not able to connect via Outlook from outside (Outlook Anywhere).
In the event viewer you get an error:
A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.
I opened a ticket with Microsoft but the lady working on the case wanted us to re-enable SSLv2 which is out of the question.
Has anybody seen this issue as well?
Hi Max,
Could you provide the steps to turn off SSLv3? Is it from the registry
http://support.microsoft.com/kb/187498 ?
Mat A
Yes. Copy and paste this into a text file and save as a .reg file, then double click on the file to add to the registry of the server
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
-
How to disable SSLv3 on jRockit
Is there a patch release for disabling SSLv3 on jRockit JDK?
similar to the Sun JDK fix below:
CVE-2014-3566 - Instructions to Mitigate the SSL v3.0 Vulnerability (aka "Poodle Attack") in Java SE
Hi
JRockit is shipped with the same JDK as Java SE. The January release of JRockit, R28.3.5, is based on 6u91 and contains the same fix.
Kind Regards
/Mattis -
How do I disable SSLV3 in Oracle HTTP SERVER to prevent POODLE attacks?
How do I disable SSLV3 in Oracle HTTP SERVER to prevent POODLE attacks?
I see the line in the ssl.conf file:
SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_RC4_40_MD5:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
but I'm not sure which ciphers are SSLV3.
Thanks,
Andy
Hi Andy,
For this, we highly recommend you open an SR with Oracle Support, and the Security team will assist you with getting this fixed.
Thanks,
Sharmela -
Disable SSLv3 in Windows Server 2012 R2
Hi,
We have disabled SSL3 using the following article (Disable SSL 3.0 in Windows For Server Software section)
https://technet.microsoft.com/library/security/3009008
IISCrypto shows that SSL3 is disabled; however, a Qualys scan shows the following against port 2381 (HP Systems Management):
SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
The target supports SSLv3, which makes it vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption), even if it also supports more recent versions of TLS. It's subject to a downgrade attack, in which the attacker tricks the browser into connecting with SSLv3.
I am aware that there will probably be a fix from HP to prevent this, but my question is: when you disable SSL3 as per the MS article, should this prevent all applications from using SSL3, or could an application carry on using SSL3, which appears to be the case here?
Thanks.
Hi,
when you disable SSL3 as per the MS article should this prevent all applications from using SSL3 or could an application carry on using SSL3 which appears to be the case here
As far as I know, disabling SSL 3.0 through the registry on Windows Server prevents any application on this server from communicating with others via SSL 3.0.
In addition, please disable SSL 3.0 for both server application and client application, since a Windows Server can also act as client end during application communication.
More information for you:
How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
http://support.microsoft.com/kb/245030
Best Regards,
Amy
-
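To audit what a .reg file like the one in the Exchange 2010 thread actually sets, here is an added Python example (not from Microsoft or from the thread) that parses the SCHANNEL keys and reports SSL 3.0 status separately for Client and Server, which is the point made in the answer above. SAMPLE_REG is the file posted in that thread; the Enabled/DisabledByDefault semantics follow KB245030, and a missing key is assumed to mean the OS default (enabled).

```python
"""Parse SCHANNEL keys from a .reg export and report SSL 3.0 status for Client and Server."""
import re
PROTOCOLS = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
             r"\SecurityProviders\SCHANNEL\Protocols")

# Sample input: the .reg file posted in the Exchange 2010 thread above.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000
"""

def parse_reg(text):
    """Return {key_path: {value_name: int}} for the DWORD values in a .reg file."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, raw = line.partition("=")
            match = re.fullmatch(r"dword:([0-9a-fA-F]{8})", raw.strip())
            if match:
                keys[current][name.strip('"')] = int(match.group(1), 16)
    return keys

def side_status(values):
    """KB245030 semantics: Enabled=0 switches the protocol off for that side;
    DisabledByDefault=1 only keeps it off the default list, so an application that
    asks for it explicitly can still use it. No key: OS default, taken as enabled."""
    if values.get("Enabled") == 0:
        return "disabled"
    if values.get("DisabledByDefault") == 1:
        return "disabled_by_default"
    return "enabled"

def protocol_status(keys, protocol="SSL 3.0"):
    return {side: side_status(keys.get(f"{PROTOCOLS}\\{protocol}\\{side}", {}))
            for side in ("Client", "Server")}

def findings(keys, protocol="SSL 3.0"):
    """List what is still open; the advisory cited above wants both sides switched off."""
    out = []
    for side, status in protocol_status(keys, protocol).items():
        if status == "enabled":
            out.append(f"{side}: {protocol} still enabled, set Enabled=0 and reboot")
        elif status == "disabled_by_default":
            out.append(f"{side}: {protocol} only DisabledByDefault, set Enabled=0 as well")
    return out

if __name__ == "__main__":
    print("\n".join(findings(parse_reg(SAMPLE_REG)) or ["SSL 3.0 off for Client and Server"]))
```

Against the posted file it flags only the Client side, since that key sets DisabledByDefault rather than Enabled=0; a regedit export is UTF-16 with a BOM, so decode it before passing the text to parse_reg().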
We have a vulnerability scanner that we use and it has picked up that our Voice GW has a "Cisco IPv6 Crafted Packet Vulnerability"
I entered the commands "no ipv6 unicast-routing" and "no ipv6 cef" the next scan is in a weeks time, but would these have done the trick?
Thank you
Bilal
Qualys vulnerability scanner; the version of IOS is vg224-i6k9s-mz.124-24.T5.bin
The report states:
IPv6 is the "Internet Protocol Version 6", designed by the Internet Engineering Task Force (IETF) to replace Internet Protocol Version 4 (IPv4). A vulnerability exists in the processing of IPv6 packets. Crafted packets from the local segment received on logical interfaces (that is, tunnels including 6to4 tunnels) as well as physical interfaces can trigger this vulnerability. Crafted packets cannot traverse a 6to4 tunnel and attack a box across the tunnel.
The crafted packet must be sent from a local network segment to trigger the attack. This vulnerability cannot be exploited one or more hops from the IOS device.
NOTE: This check requires that the "Clear Text Password" check box is enabled in your Authentication Preferences.
IMPACT:
Successful exploitation of the vulnerability on Cisco IOS may result in a reload of the device or execution of arbitrary code. Repeated exploitation could result in a sustained denial of service attack or execution of arbitrary code on Cisco IOS devices. Successful exploitation of the vulnerability on Cisco IOS-XR may result in a restart of the IPv6 neighbor discovery process. A restart of this process will only affect IPv6 traffic passing through the system. All other processes and traffic will be unaffected. Repeated exploitation could result in a sustained denial of service attack on IPv6 traffic.
SOLUTION:
Cisco has made free software available to address this vulnerability for all affected customers. Workaround:
In networks where IPv6 is not needed but enabled, disabling IPv6 processing on an IOS device will eliminate exposure to this vulnerability. On a router which is configured for IPv6, this must be done by issuing the command "no ipv6 enable" and "no ipv6 address" on each interface.
VG224-1(config)#no ipv6 enable
^
% Invalid input detected at '^' marker.
VG224-1(config)#int fa0/0
VG224-1(config-if)#no ipv6 enable
VG224-1(config-if)#int fa0/1
VG224-1(config-if)#no ipv6 enable
What does the note in bold mean? There's no check box in the CLI :-/
Thank you -
How to disable DND on Cisco IP Phone 303
Hi there!
I want none of the users to be able to use DND.
Can I do this from the web administration page of the IP phone?
Let me know.
Regards!
Yes, DND activation can be disabled from the phone's WWW UI.
-
Port Err-disable report from cisco works
Hi All,
We have network of around 400 switches.
My question is: is there any way I can pull up the err-disable report for all the switches in CiscoWorks (LMS 3.2)?
Any help would be appreciated.
Thanks,
Samir
No, this is not possible because determining if a port is err-disabled is not easily obtainable via SNMP. Campus Manager's Port Attributes report will show you the operational status of ports, but err-disabled ports will be down (which is indistinguishable from a port which is unconnected).