Table Of Contents
Configuring SSL Settings
SSL
Edit SSL Certificate
SSL Certificates
Configuring SSL Settings
SSL
Configuration > Properties > SSL
The ASA uses the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS) to achieve secure message transmission for both ASDM and Clientless, browser-based sessions. The SSL window lets you configure SSL versions for clients and servers and encryption algorithms. It also lets you apply previously configured trustpoints to specific interfaces, and to configure a fallback trustpoint for interfaces that do not have an associated trustpoint.
Fields
•
Server SSL Version—Choose to specify the SSL/TLS protocol version the ASA uses to negotiate as a server. You can make only one selection.
Options for Server SSL versions include the following:
Any
|
The ASA accepts SSL version 2 client hellos, and negotiates either SSL version 3 or TLS version 1.
|
Negotiate SSL V3
|
The ASA accepts SSL version 2 client hellos, and negotiates to SSL version 3.
|
Negotiate TLS V1
|
The ASA accepts SSL version 2 client hellos, and negotiates to TLS version 1.
|
SSL V3 Only
|
The security appliance accepts only SSL version 3 client hellos, and uses only SSL version 3.
|
TLS V1 Only
|
The security appliance accepts only TLSv1 client hellos, and uses only TLS version 1.
|
Note To use port forwarding for Clientless SSL VPN, you must select Any or Negotiate SSL V3. The issue is that JAVA only negotiates SSLv3 in the client Hello packet when you launch the Port Forwarding application.
•Client SSL Version—Choose to specify the SSL/TLS protocol version the ASA uses to negotiate as a client. You can make only one selection.
Options for Client SSL versions include the following:
any
|
The ASA sends SSL version3 hellos, and negotiates either SSL version 3 or TLS version 1.
|
sslv3-only
|
The security appliance sends SSL version 3 hellos, and accepts only SSL version 3.
|
tlsv1-only
|
The security appliance sends TLSv1 client hellos, and accepts only TLS version 1.
|
•Encryption—Lets you set SSL encryption algorithms.
–Available Algorithms—Lists the encryption algorithms the ASA supports that are not in use for SSL connections. To use, or make active, an available algorithm, highlight the algorithm and click Add.
–Active Algorithms—Lists the encryption algorithms the security appliance supports and is currently using for SSL connections. To discontinue using, or change an active algorithm to available status, highlight the algorithm and click Remove.
–Add/Remove—Click to change the status of encryption algorithms in either the Available or Active Algorithms columns.
–Move Up/Move Down—Highlight an algorithm and click these buttons to change its priority. The ASA attempts to use an algorithm
•Certificates—Lets you select a fallback certificate, and displays configured interfaces and the configured certificates associated with them.
–Fallback Certificate—Click to select a certificate to use for interfaces that have no certificate associated with them. If you select None, the ASA uses the default RSA key-pair and certificate.
–Interface and ID Certificate columns—Display configured interfaces and the certificate, if any, for the interface.
–Edit—Click to change the trustpoint for the highlighted interface.
•Apply—Click to apply your changes.
•Reset—Click to remove changes you have made and reset SSL parameters to the values that they held when you opened the window.
Edit SSL Certificate
Configuration > Properties > SSL > Edit SSL Trustpoint
Fields
•Interface—Displays the name of the interface you are editing.
•Certificate—Click to select a previously enrolled certificate to associate with the named interface.
SSL Certificates
In this pane, you can require that device management sessions require user certificates for SSL authentication.
Configuration > Properties > SSL > Edit SSL Trustpoint
Fields
•Interface—Displays the name of the interface you are editing.
•User Certificate Required—Click to select a previously enrolled certificate to associate with the named interface.
Feedback
