Cisco | ASA disable SSL 3.0 settings and change it to TLS V1.2

To see if your SSL version for AnyConnect is at a safe level, you should check this first via the following website

You need to enter the domain name that your clients use to connect and log on.

For this you need at least ASA software version 9.3(2) or later. In earlier versions TLS 1.2 is not supported.

To configure TLS 1.2 you have two options: via the command line or via the ASDM.

First via the command line: you need to enter the following commands

ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
ssl dh-group group24

After you have changed this, you can do a recheck via the website given earlier.

If you want to set these settings via the ASDM, you need to go to

Remote Access VPN > Advanced > SSL Settings

Set the version for the server as well as for the client to TLS V1.2, and set the Diffie-Hellman group to 24, the most secure option available. Under Encryption, set TLS V1.2 to High.
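Whether the change was made on the command line or in the ASDM, the result shows up as the same four "ssl" lines in the running configuration. The following Python script is an added example (not part of the original post or of Cisco's tooling) that audits those lines against the values configured above, so a team can check many firewalls from saved "show running-config ssl" output instead of re-running the external website check for each one. The two sample configurations inside it are constructed for illustration; the expected values are exactly the four commands from the post.

```python
"""Audit the 'ssl' lines of a Cisco ASA running-config for the TLS 1.2 settings above.

Run stand-alone it audits two constructed sample configurations; in practice you
would pass in the text captured from 'show running-config ssl' on each ASA.
"""

# Constructed sample: a firewall still allowing older protocol versions and ciphers.
WEAK_CONFIG = """\
ssl server-version tlsv1
ssl client-version any
ssl cipher default medium
ssl dh-group group2
"""

# Constructed sample: the four lines the post configures.
HARDENED_CONFIG = """\
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
ssl dh-group group24
"""

# Expected values, taken directly from the post's command-line section.
EXPECTED = {
    "server-version": "tlsv1.2",
    "client-version": "tlsv1.2",
    "dh-group": "group24",
}
# 'ssl cipher <version> <level>' is keyed by protocol version, so it is handled separately.
EXPECTED_CIPHER_LEVEL = {"tlsv1.2": "high"}


def parse_ssl_lines(config_text):
    """Collect 'ssl <key> <value>' settings; cipher levels are nested per protocol version."""
    settings = {"cipher": {}}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("ssl "):
            continue  # ignore everything that is not an ssl setting
        parts = line.split()
        key = parts[1]
        if key == "cipher" and len(parts) >= 4:
            settings["cipher"][parts[2]] = " ".join(parts[3:])
        elif len(parts) >= 3:
            settings[key] = parts[2]
    return settings


def audit_asa_ssl(config_text):
    """Return a list of findings; an empty list means all four settings match the post."""
    settings = parse_ssl_lines(config_text)
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            # Not set explicitly means the device default applies, which is worth a look.
            findings.append(f"ssl {key} not set explicitly (device default applies)")
        elif got != want:
            findings.append(f"ssl {key} is '{got}', expected '{want}'")
    for version, want in EXPECTED_CIPHER_LEVEL.items():
        got = settings["cipher"].get(version)
        if got is None:
            findings.append(f"ssl cipher {version} not set explicitly (expected '{want}')")
        elif got != want:
            findings.append(f"ssl cipher {version} is '{got}', expected '{want}'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        result = audit_asa_ssl(cfg)
        print(f"{name}: {'OK' if not result else 'FINDINGS'}")
        for finding in result:
            print("  -", finding)
```

The audit deliberately reports a setting that is absent rather than assuming the default is safe, since the default depends on the ASA software version; a line that is explicitly present and matching is the only thing that passes.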

When you do the recheck you will see the following output


6 thoughts on “Cisco | ASA disable SSL 3.0 settings and change it to TLS V1.2”

    • This is an issue of the ASA software version. I think you have some outdated version or a Cisco 5510 which is not able to have these versions.

      I don’t have a fix for it.

  1. Does the “Diffie-Hellman Group 24” option require the new Apex licensing with AnyConnect 4.x? I am trying to determine if I can get away with Plus licensing or not to pass the Qualys SSL labs test. Thanks.

    • I have no idea; if you have the old licensing then you could try to see if it works. If not, then you can always request the Apex licensing.
