Disabling SSLv3 on Cisco

I have an ASA 5515X firewall running on software version 9.1(1). Does anyone know how to properly disable SSLv3 on this device? This is in regards to addressing the POODLE vulnerability. Thank you.

You can try using v9.3(2) and only allowing TLS 1.2. Look at this thread:
https://supportforums.cisco.com/discussion/12393656/asa-ssl-certificate-report-ssllabscom

Similar Messages

  • Disable SSLv3 in AnyConnect on Cisco 2821

    We are running anyconnect-win-3.1.06073-k9.pkg on a 2821 IOS router.  Is there a way to disable SSLv3?
    The release notes indicate CSCur27617 - AnyConnect vulnerable to POODLE attack (CVE-2014-3566) Win/Mac/Linux was resolved in AnyConnect 3.1.05187.
    Thank you

    Hi Rob,
    According to the bug:
    All versions of desktop AnyConnect for Mac OS X and Linux prior to 3.1.00495 are vulnerable, so AnyConnect 3.1.06.073 is safe from the POODLE vulnerability.
    On AnyConnect you can disable SSL by using IKEv2 instead of the SSL protocols; however, as the bug mentions, the client creates a parallel SSL tunnel to get updates and the profile from the router.
    If you're asking to disable SSLv3 on the router, unfortunately there is no code yet; the workaround is to disable the webvpn or upgrade the VPN client.
    As well, here is the official advisory for the POODLE vulnerability on Cisco Products.
    http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20141015-poodle
    Hope it helps
    - Randy -

  • How do I disable SSLv3 in Safari (OSX & iOS)

    Hi All,
    So following this morning's Google announcement on the SSLv3 vulnerability, I tried disabling it on the client side on my various systems and browsers. On OSX, I managed to do it for Firefox and Chrome but not for Safari. On iOS I didn't manage at all.
    Any clue on how it can be done?
    FWIW:
    - Disabling SSLv3 in Firefox:
      Open about:config, find security.tls.version.min and set the value to 1. Then restart your browser to drop any open SSL connections.
    - Disabling SSLv3 in Chrome:
      Launch Chrome using an AppleScript that contains the following
      do shell script "open -a /Applications/Google\\ Chrome.app --args --ssl-version-min=tls1"
    - Checking client-side vulnerability:
       https://www.poodletest.com/
    - Checking server-side vulnerability:
       http://www.poodlebleed.com
    Cheers,
    Alex

    Apple posted the following updates that include a fix for the SSLv3 "Poodle" issue:
    Yosemite 10.10
    Security Update 2014-005 Mavericks
    Security Update 2014-005 Mountain Lion
    as well as updates for all currently supported Servers (4.0, 3.2.2, 2.2.5)
    All of them contain the following:
    Secure Transport
    Impact:  An attacker may be able to decrypt data protected by SSL
    Description:  There are known attacks on the confidentiality of SSL
    3.0 when a cipher suite uses a block cipher in CBC mode. An attacker
    could force the use of SSL 3.0, even when the server would support a
    better TLS version, by blocking TLS 1.0 and higher connection
    attempts. This issue was addressed by disabling CBC cipher suites
    when TLS connection attempts fail.
    CVE-ID
    CVE-2014-3566 : Bodo Moeller, Thai Duong, and Krzysztof Kotowicz of
    Google Security Team
    It would appear that your browsers will show "maybe vulnerable" on the poodletest site, so my guess is that OS X will prevent all apps from using SSLv3 even if they would otherwise be capable of doing so.  This will protect other apps, such as e-mail clients that are also normally able to use SSLv3.

  • Remove "sslVersion=3L," from Sample R Code Invoking a Web Service, as a Result of Azure Disabling SSLV3 Support

    Hello everyone,
    As part of January security updates, Azure has disabled SSLV3.0 support by default for Azure Cloud Services customers, effective 01/19/2015. For details, please check
    Security Bulletin.
    As a result, the sample code to invoke a web service will not work if SSL version 3.0 is specified. For example, R sample code has
    # Accept SSL certificates issued by public Certificate Authorities
    options(RCurlOptions = list(sslVersion=3L, cainfo = system.file("CurlSSL", "cacert.pem", package = "RCurl")))
    You will hit errors as below
    * Hostname was NOT found in DNS cache
    *   Trying 191.238.225.148...
    * Connected to ussouthcentral.services.azureml.net (191.238.225.148) port 443 (#0)
    * successfully set certificate verify locations:
    *   CAfile: C:/Program Files/R/R-3.1.2/library/RCurl/CurlSSL/cacert.pem
      CApath: none
    * Unknown SSL protocol error in connection to ussouthcentral.services.azureml.net:443
    * Closing connection 0
    Error in function (type, msg, asError = TRUE)  :
      Unknown SSL protocol error in connection to ussouthcentral.services.azureml.net:443
    The mitigation is
    Upgrade R client's RCurl package to the latest version (in RStudio, this can be done using Tools -> Check for package updates)
    In the sample code, remove sslVersion=3L.
    AzureML team is aware of this issue and an update to the sample code is scheduled soon.
    Thanks,
    Jing

    Or, if you want to be explicit, set sslVersion = 1, that also works,
    Thanks,
    Jing

  • How to disable SSLv3 and RC4 on Lync Server Access Edge?

    We use Lync Server 2013.
    How to disable SSLv3 and RC4 on Lync Server Access Edge?
    This solution https://technet.microsoft.com/en-us/library/security/3009008.aspx doesn't work

    Hi dizen,
    To completely disable RC4, you can create the following registry key:
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
    "Enabled"=dword:00000000
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
    "Enabled"=dword:00000000
    For more details, please check out this KB.
    http://support.microsoft.com/kb/2868725
    Best regards,
    Eric

  • How to disable SSLv3 on SSL enabled NodeManager (wls12.1.1 with jRockit)

    how to disable SSLv3 on SSL enabled NodeManager (wls12.1.1 with jRockit)

    Hi,
    Add the following Java option in the StartNodemanger.sh file
    Steps to disable SSLv3 protocol on Weblogic:
    1.  The weblogic.security.SSL.protocolVersion command-line argument lets you specify which protocol is used for SSL connections.
    2.  After enabling/configuring the SSL for weblogic server, append the following option to the JAVA_OPTIONS variable
            -Dweblogic.security.SSL.protocolVersion=TLS1
         NOTE: If you don’t specify the above property, by default it takes SSLv3.
    Check the below Links for more information
    http://www.ca.com/us/support/ca-support-online/product-content/knowledgebase-articles/tec1046921.aspx
    http://docs.oracle.com/cd/E17904_01/web.1111/e13707/ssl.htm#SECMG494
    CVE-2014-3566 - Instructions to Mitigate the SSL v3.0 Vulnerability (aka "Poodle Attack") in Java SE
    Additional Info
    Poodle Vulnerability CVE-2014-3566
    CVE-2014-3566 - Instructions to Mitigate the SSL v3.0 Vulnerability (aka "Poodle Attack") in Java SE
    Hope it helps

  • Disabling SSLV3 and weak ciphers - Server 2008 R2

    Hi,
    I have disabled SSLV3 in the registry setting using the following TechNet article. Rebooted the servers, but when I run a scan through
    https://www.poodlescan.com/ it says "This server supports the SSL v3 protocol."
    I have tested it through other scanners also.
    https://technet.microsoft.com/en-us/library/security/3009008.aspx
    What cipher suites disable SSLV3 completely from Windows Server 2008 R2 and IIS 7.5?
    Is there any patch or script that could help completely secure the server?

    In HKey_Local_Machine\System\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server make a new DWORD value
    "Enabled" and set it to 0 (zero).
    You need a reboot to apply the setting.
    Note that if you are hosting IIS behind a load balancing solution, the load balancer often does SSL offloading. In that
    case you need to reconfigure the load balancer.
    MCP/MCSA/MCTS/MCITP

  • Disable SSLv3 on Switch 3650

    Hi!
    I need to disable SSLv3 on my switches 3650 so my customer can access the wireless gui through https (with firefox/chrome).
    Concern this, my customer really doesn't need to use https; but since I added the 3650 switches to Prime Infrastructure, it enables HTTPS and disable HTTP on every single switch.
    So my issue can be solved by:
    Disabling SSLv3 or Disabling the feature in Prime Inf. that enables https on every switch after syncing.
    For all your attention and future help, thank you so much.
    Best Regards!

  • Disable SSLv3 on Exchange 2010 server (Poodle Vulnerability)

    Following the recommendation to mitigate the Poodle vulnerability, we tried disabling SSLv3 and making sure that users had TLS 1.1 and 1.2 enabled on their browsers.
    We used IIScrypt to turn off SSLv3 (v2 was already disabled from before).
    Now, OWA works fine, and users are able to connect via the Web.
    Internally, users are also able to connect with Outlook 2010/2013.
    However, users are not able to connect via Outlook from outside (Outlook Anywhere).
    In the event viewer you get an error:
    A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 70. The Windows SChannel error state is 105.
    I opened a ticket with Microsoft but the lady working on the case wanted us to re-enable SSLv2, which is out of the question.
    Has anybody seen this issue as well?

    Hi Max,
    could you provide the steps to turn off SSLv3? Is it from the registry
    http://support.microsoft.com/kb/187498 ?
    Mat A

    Yes. Copy and paste this into a text file and save it as a .reg file, then double-click the file to add it to the registry of the server.
    Windows Registry Editor Version 5.00
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
    "DisabledByDefault"=dword:00000001
    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
    "Enabled"=dword:00000000
    Please Note: My Posts are provided "AS IS" without warranty of any kind, either expressed or implied.
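The two registry fragments posted in this thread (the RC4 cipher keys in the Lync answer and the SSL 3.0 protocol keys in the Exchange answer) are easy to get subtly wrong, for example by disabling the Server side and forgetting the Client side, or by marking the client as DisabledByDefault rather than Enabled=0. The following added example, which is not from the original posts or from Microsoft, parses a .reg file of that format and reports what it actually does to SCHANNEL; the sample text is constructed from the fragments above, and a missing value is reported as the OS default (protocol or cipher enabled), which is the behaviour the thread describes for the Windows versions involved.

```python
"""Audit an exported SCHANNEL .reg fragment for the SSL 3.0 and RC4 settings
discussed in this thread. Pure text processing: runs on any OS, no registry access."""
import re

SCHANNEL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL"
RC4_CIPHER_KEYS = ["RC4 128/128", "RC4 40/128", "RC4 56/128"]

# Constructed sample: the SSL 3.0 fragment and the RC4 fragment posted in the thread, joined.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 40/128]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 56/128]
"Enabled"=dword:00000000
"""

_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{8})$')


def parse_reg(text):
    """Return {key_path: {value_name: int}} for the DWORD values in .reg text.
    Non-DWORD values are ignored; an empty key still appears with an empty dict."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _DWORD.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def sslv3_status(keys):
    """Summarise the SSL 3.0 Server and Client subkeys. An absent value is reported
    as the OS default on the Windows versions in this thread: protocol enabled."""
    server = keys.get(SCHANNEL + r"\Protocols\SSL 3.0\Server", {})
    client = keys.get(SCHANNEL + r"\Protocols\SSL 3.0\Client", {})
    return {
        "server_enabled": server.get("Enabled", 1) != 0,
        "client_enabled": client.get("Enabled", 1) != 0,
        "client_disabled_by_default": client.get("DisabledByDefault", 0) == 1,
    }


def rc4_still_enabled(keys):
    """Return the RC4 cipher subkeys that are not explicitly set to Enabled=0."""
    return [c for c in RC4_CIPHER_KEYS
            if keys.get(SCHANNEL + "\\Ciphers\\" + c, {}).get("Enabled", 1) != 0]


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print(sslv3_status(parsed))
    print("RC4 still enabled:", rc4_still_enabled(parsed))
```

Run against the sample, the report shows the server side of SSL 3.0 off, the client side still enabled but not offered by default, and all three RC4 keys off; reboot is still required for the live machine, as the answers above say.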

  • How to disable SSLv3 on jRockit

    Is there a patch release for disabling SSLv3 on jRockit JDK?
    similar to the Sun JDK fix below:
    CVE-2014-3566 - Instructions to Mitigate the SSL v3.0 Vulnerability (aka "Poodle Attack") in Java SE

    Hi
    JRockit is shipped with the same JDK as Java SE. The January release of JRockit, R28.3.5, is based on 6u91 and contains the same fix.
    Kind Regards
    /Mattis

  • How do I disable SSLV3 in Oracle HTTP SERVER to prevent POODLE attacks?

    How do I disable SSLV3 in Oracle HTTP SERVER to prevent POODLE attacks?
    I see the line in the ssl.conf file:
    SSLCipherSuite SSL_RSA_WITH_RC4_128_MD5:SSL_RSA_WITH_RC4_128_SHA:SSL_RSA_WITH_3DES_EDE_CBC_SHA:SSL_RSA_WITH_DES_CBC_SHA:SSL_RSA_EXPORT_WITH_RC4_40_MD5:SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    but I'm not sure which ciphers are SSLV3.
    Thanks,
    Andy

    Hi Andy,
    For this, we highly recommend you to open a SR with Oracle support and Security team would be assisting you on how to get this fixed.
    Thanks,
    Sharmela

  • Disable SSLv3 in Windows Server 2012 R2

    Hi,
    We have disabled SSL3 using the following article (Disable SSL 3.0 in Windows For Server Software section)
    https://technet.microsoft.com/library/security/3009008
    IISCrypto shows that SSL3 is disabled however a Qualsys scan shows the following against port 2381 (HP Systems Management)
    SSLv3 Padding Oracle Attack Information Disclosure Vulnerability (POODLE)
    The target supports SSLv3, which makes it vulnerable to POODLE (Padding Oracle On Downgraded Legacy Encryption), even if it also supports more recent versions of TLS. It's subject to a downgrade attack, in which the attacker tricks the browser into connecting with SSLv3.
    I am aware that there will probably be a fix from HP to prevent this, but my question is: when you disable SSL3 as per the MS article, should this prevent all applications from using SSL3, or could an application carry on using SSL3, which appears to be the case here?
    Thanks.

    Hi,
    when you disable SSL3 as per the MS article should this prevent all applications from using SSL3 or could an application carry on using SSL3 which appears to be the case here
    As far as I know, disabling SSL 3.0 through the registry on Windows Server prevents any application on this server from communicating with others via SSL 3.0.
    In addition, please disable SSL 3.0 for both server application and client application, since a Windows Server can also act as client end during application communication.
    More information for you:
    How to restrict the use of certain cryptographic algorithms and protocols in Schannel.dll
    http://support.microsoft.com/kb/245030
    Best Regards,
    Amy
    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
    [email protected]
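Several posts in this thread (the ASA answer that restricts the device to TLS 1.2, the Server 2008 R2 and 2012 R2 scans, and the Exchange case where clients received TLS alert 70) come down to the same question: after the change, does the listener still complete an SSLv3 handshake? The following added example, which is not from the original posts or from any vendor, answers that directly by sending a bare SSLv3 ClientHello and classifying the first record that comes back. It needs no OpenSSL build with SSLv3 still compiled in, and it is independent of SCHANNEL, so it also covers services that bring their own TLS library and therefore ignore the registry keys (consistent with the port 2381 finding above). The cipher-suite list and the sample server responses are constructed; alert 70 is decoded as protocol_version per RFC 5246.

```python
"""Probe whether a TLS endpoint still negotiates SSLv3 (POODLE exposure check).
Speaks one SSLv3 ClientHello over a plain socket and classifies the server's
first record; it does not need a crypto library with SSLv3 support."""
import os
import socket
import struct

SSLV3 = b"\x03\x00"
# Constructed list of CBC/RC4 suites an SSLv3-era server would typically accept:
# AES128-SHA, AES256-SHA, 3DES-SHA, RC4-SHA, RC4-MD5.
CIPHER_SUITES = [0x002F, 0x0035, 0x000A, 0x0005, 0x0004]

# Alert descriptions relevant to a version probe (RFC 5246; 86 from RFC 7507).
ALERT_DESCRIPTIONS = {
    40: "handshake_failure",
    70: "protocol_version",
    80: "internal_error",
    86: "inappropriate_fallback",
}


def build_sslv3_client_hello(random_bytes=None):
    """Return a single SSLv3 record carrying a ClientHello with no extensions."""
    rnd = random_bytes if random_bytes is not None else os.urandom(32)
    suites = b"".join(struct.pack("!H", s) for s in CIPHER_SUITES)
    body = (SSLV3 + rnd + b"\x00"                       # client_version, random, empty session_id
            + struct.pack("!H", len(suites)) + suites    # cipher_suites vector
            + b"\x01\x00")                               # one compression method: null
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type=ClientHello, 24-bit length
    return b"\x16" + SSLV3 + struct.pack("!H", len(handshake)) + handshake


def classify_response(data):
    """Classify the first record a server sent back to the SSLv3 ClientHello.
    'sslv3-accepted' means the listener is still exposed to POODLE."""
    if len(data) < 5:
        return "no-response"          # connection closed or nothing read: SSLv3 not negotiated
    content_type = data[0]
    record_len = struct.unpack("!H", data[3:5])[0]
    payload = data[5:5 + record_len]
    if content_type == 22 and len(payload) >= 6 and payload[0] == 2:  # Handshake / ServerHello
        negotiated = payload[4:6]
        if negotiated == SSLV3:
            return "sslv3-accepted"
        return "other-version:%02x%02x" % (negotiated[0], negotiated[1])
    if content_type == 21 and len(payload) >= 2:                      # Alert
        return "alert:" + ALERT_DESCRIPTIONS.get(payload[1], str(payload[1]))
    return "unexpected"


def probe_sslv3(host, port=443, timeout=5.0):
    """Send the probe to a live host and classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_sslv3_client_hello())
        try:
            data = s.recv(4096)
        except (socket.timeout, ConnectionResetError):
            data = b""
    return classify_response(data)


if __name__ == "__main__":
    import sys
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(target, target_port, probe_sslv3(target, target_port))
```

A remediated listener answers with "alert:protocol_version", "alert:handshake_failure" or simply closes the connection ("no-response"); "sslv3-accepted" after a registry change points at a service that is not using SChannel at all, which is why the scanner in the question still flagged port 2381. Run it against every TLS port on the host, not just 443.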

  • Disable ipv6 on Cisco VG224

    We have a vulnerability scanner that we use and it has picked up that our Voice GW has a "Cisco IPv6 Crafted Packet Vulnerability"
    I entered the commands "no ipv6 unicast-routing" and "no ipv6 cef" the next scan is in a weeks time, but would these have done the trick?
    Thank you
    Bilal

    Qualys vulnerability scanner; the version of IOS is vg224-i6k9s-mz.124-24.T5.bin
    The report states:
    IPv6 is the "Internet Protocol Version 6", designed by the Internet Engineering Task Force (IETF) to replace Internet Protocol Version 4 (IPv4). A vulnerability exists in the processing of IPv6 packets. Crafted packets from the local segment received on logical interfaces (that is, tunnels including 6to4 tunnels) as well as physical interfaces can trigger this vulnerability. Crafted packets cannot traverse a 6to4 tunnel and attack a box across the tunnel.
    The crafted packet must be sent from a local network segment to trigger the attack. This vulnerability cannot be exploited one or more hops from the IOS device.
    NOTE: This check requires that the "Clear Text Password" check box is enabled in your Authentication Preferences.
    IMPACT:
    Successful exploitation of the vulnerability on Cisco IOS may result in a reload of the device or execution of arbitrary code. Repeated exploitation could result in a sustained denial of service attack or execution of arbitrary code on Cisco IOS devices. Successful exploitation of the vulnerability on Cisco IOS-XR may result in a restart of the IPv6 neighbor discovery process. A restart of this process will only affect IPv6 traffic passing through the system. All other processes and traffic will be unaffected. Repeated exploitation could result in a sustained denial of service attack on IPv6 traffic.
    SOLUTION:
    Cisco has made free software available to address this vulnerability for all affected customers. Workaround:
    In networks where IPv6 is not needed but enabled, disabling IPv6 processing on an IOS device will eliminate exposure to this vulnerability. On a router which is configured for IPv6, this must be done by issuing the commands "no ipv6 enable" and "no ipv6 address" on each interface.
    VG224-1(config)#no ipv6 enable
                                                   ^
    % Invalid input detected at '^' marker.
    VG224-1(config)#int fa0/0
    VG224-1(config-if)#no ipv6 enable
    VG224-1(config-if)#int fa0/1    
    VG224-1(config-if)#no ipv6 enable
    What does the note in bold mean? There's no check box in cli :-/
    Thank you

  • How to disable DND on Cisco IP Phone 303

    Hi there!
    I want none of the users to be able to use DND.
    Can I do this from the web administration page of the IP phone?
    Let me know.
    Regards!

    Yes, DND activation can be disabled from phone's WWW UI.

  • Port Err-disable report from cisco works

    Hi All,
    We have network of around 400 switches.
    My question is: is there any way I can pull up the Err-disable report for all the switches on CiscoWorks (LMS 3.2)?
    Any help would be appreciated.
    Thanks,
    Samir

    No, this is not possible because determining if a port is err-disable is not easily obtainable via SNMP.  Campus Manager's Port Attributes report will show you the operational status of ports, but err-disable ports will be down (which is indistinguishable from a port which is unconnected).
