Cisco Bug: CSCvh99257 - WSA - AnyConnect MUS will use SSLv3 for MUS connection to ASA

Last Modified

Apr 08, 2018

Products (1)

  • Cisco Web Security Appliance

Known Affected Releases

10.1.1-235

Description (partial)

Symptom:
MUS will use SSLv3 for the MUS connection to the ASA despite SSLv3 being disabled

-The MUS connection may fail if the ASA has SSLv3 disabled

Conditions:
-SSLv3 disabled globally

**see settings below**

PvWSA.csts-rtp.lab> sslconfig

Disabling SSLv3 is recommended for best security.

Note that the SSL/TLS service on remote servers may require that the selected TLS versions be sequential. So to
avoid communications errors, always select a contiguous set of versions for each service. For example, do not
enable TLS 1.0 and 1.2, while leaving TLS 1.1 disabled.

Choose the operation you want to perform:
- VERSIONS - Enable or disable SSL/TLS versions
- COMPRESS - Enable or disable TLS compression for Proxy Service
- CIPHERS - Set ciphers for services in WSA
- FALLBACK - Enable or disable SSL/TLS fallback option
- ECDHE - Enable or disable ECDHE Authentication.
[]> versions

SSL/TLS versions may be enabled or disabled for the following services:

        LDAPS - Secure LDAP Services (including Authentication, External Authentication, SaaS SSO, Secure
Mobility)
        Updater - Update Service
        WebUI - Appliance Management Web User Interface
        RADSEC - Secure RADSEC Services (including Authentication, External Authentication)
        SICAP - Secure ICAP Service
        Proxy - Proxy Services (including HTTPS Proxy, Credential Encryption for Secure Client)

Currently enabled SSL/TLS versions by service: (Y : Enabled, N : Disabled)

         LDAPS  Updater  WebUI   RADSEC  SICAP   Proxy
SSLv3.0    N       N       N      N/A      N       N
TLSv1.0    Y       Y       Y      N/A      Y       Y
TLSv1.1    N       N       N       Y       Y       Y
TLSv1.2    N       N       N       Y       Y       Y

Select the service for which to enable/disable SSL/TLS versions:

1. LDAPS
2. Updater
3. Proxy
4. RADSEC
5. SICAP
6. WebUI
7. All Services
[]> 7
To change the setting for a specific protocol, select an option below:

1. SSLv3.0
2. TLSv1.0
3. TLSv1.1
4. TLSv1.2
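The `versions` table above can be checked mechanically for the two conditions this page describes: SSLv3 still enabled for a service, and a non-contiguous set of TLS versions (the "TLS 1.0 and 1.2 without 1.1" case the sslconfig note warns about). The following is an added example, not code from Cisco or the appliance; it assumes the column layout shown in the session above, and its sample tables are constructed, not captured from a live WSA.

```python
"""Parse a WSA `sslconfig > versions` table and flag risky settings."""

# Constructed sample in the shape of the session above (not a live capture):
# SSLv3 off everywhere, RADSEC reports N/A for the versions it does not offer.
SAMPLE_TABLE = """\
         LDAPS  Updater  WebUI   RADSEC  SICAP   Proxy
SSLv3.0    N       N       N      N/A      N       N
TLSv1.0    Y       Y       Y      N/A      Y       Y
TLSv1.1    N       N       N       Y       Y       Y
TLSv1.2    N       N       N       Y       Y       Y
"""

# Constructed variant with two findings: SSLv3 left on for Proxy, and SICAP
# enabling TLSv1.0 and TLSv1.2 while TLSv1.1 is disabled (a gap).
GAPPED_TABLE = """\
         LDAPS  Updater  WebUI   RADSEC  SICAP   Proxy
SSLv3.0    N       N       N      N/A      N       Y
TLSv1.0    Y       Y       Y      N/A      Y       Y
TLSv1.1    N       N       N       Y       N       Y
TLSv1.2    N       N       N       Y       Y       Y
"""

VERSION_ORDER = ["SSLv3.0", "TLSv1.0", "TLSv1.1", "TLSv1.2"]


def parse_versions_table(text):
    """Return {service: {version: 'Y' | 'N' | 'N/A'}} from the table text."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    services = lines[0].split()
    table = {svc: {} for svc in services}
    for line in lines[1:]:
        version, flags = line.split()[0], line.split()[1:]
        if version not in VERSION_ORDER or len(flags) != len(services):
            raise ValueError("unexpected row: %r" % line)
        for svc, flag in zip(services, flags):
            table[svc][version] = flag
    return table


def find_issues(table):
    """Flag SSLv3 enabled and non-contiguous version sets, per service."""
    issues = []
    for svc, flags in table.items():
        if flags.get("SSLv3.0") == "Y":
            issues.append((svc, "SSLv3.0 enabled"))
        # Positions of enabled versions in protocol order; if the span from
        # lowest to highest is wider than the count, a version in between is off.
        on = [i for i, v in enumerate(VERSION_ORDER) if flags.get(v) == "Y"]
        if on and on[-1] - on[0] + 1 != len(on):
            names = ", ".join(VERSION_ORDER[i] for i in on)
            issues.append((svc, "non-contiguous versions: " + names))
    return issues
```

Run against the table pasted from the appliance, the output lists each service with SSLv3 still on or with a hole in its TLS range, which is the configuration state the bug report and the sslconfig note both concern.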