ASDM 6.0 User Guide
Configuring SSL Settings
Downloads: This chapterpdf (PDF - 89.0KB) The complete bookPDF (PDF - 28.5MB) | Feedback

Configuring SSL Settings

Table Of Contents

Configuring SSL Settings

SSL

Edit SSL Certificate

SSL Certificates


Configuring SSL Settings


SSL

The security appliance uses the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS) to achieve secure message transmission for both ASDM and Clientless, browser-based sessions. The SSL window lets you configure SSL versions for clients and servers and encryption algorithms. It also lets you apply previously configured trustpoints to specific interfaces, and to configure a fallback trustpoint for interfaces that do not have an associated trustpoint.

Fields

Server SSL Version—Choose to specify the SSL/TLS protocol version the security appliance uses when acting as a server. You can make only one selection.

Options for Server SSL versions include the following:

Any

The security appliance accepts SSL version 2 client hellos, and negotiates either SSL version 3 or TLS version 1.

Negotiate SSL V3

The security appliance accepts SSL version 2 client hellos, and negotiates to SSL version 3.

Negotiate TLS V1

The security appliance accepts SSL version 2 client hellos, and negotiates to TLS version 1.

SSL V3 Only

The security appliance accepts only SSL version 3 client hellos, and uses only SSL version 3.

TLS V1 Only

The security appliance accepts only TLSv1 client hellos, and uses only TLS version 1.



Note To use port forwarding for Clientless SSL VPN, you must select Any or Negotiate SSL V3. The issue is that JAVA only negotiates SSLv3 in the client Hello packet when you launch the Port Forwarding application.


Client SSL Version—Choose to specify the SSL/TLS protocol version the security appliance uses when acting as a server. You can make only one selection.

Options for Client SSL versions include the following:

any

The security appliance sends SSL version3 hellos, and negotiates either SSL version 3 or TLS version 1.

sslv3-only

The security appliance sends SSL version 3 hellos, and accepts only SSL version 3.

tlsv1-only

The security appliance sends TLSv1 client hellos, and accepts only TLS version 1.


Encryption—Lets you set SSL encryption algorithms.

Available Algorithms—Lists the encryption algorithms the security appliance supports that are not in use for SSL connections. To use, or make active, an available algorithm, highlight the algorithm and click Add.

Active Algorithms—Lists the encryption algorithms the security appliance supports and is currently using for SSL connections. To discontinue using, or change an active algorithm to available status, highlight the algorithm and click Remove.

Add/Remove—Click to change the status of encryption algorithms in either the Available or Active Algorithms columns.

Move Up/Move Down—Highlight an algorithm and click these buttons to change its priority. The security appliance attempts to use an algorithm

Certificates—Lets you select a fallback certificate, and displays configured interfaces and the configured certificates associated with them.

Fallback Certificate—Click to select a certificate to use for interfaces that have no certificate associated with them. If you select None, the security appliance uses the default RSA key-pair and certificate.

Interface and ID Certificate columns—Display configured interfaces and the certificate, if any, for the interface.

Edit—Click to change the trustpoint for the highlighted interface.

Apply—Click to apply your changes.

Reset—Click to remove changes you have made and reset SSL parameters to the values that they held when you opened the window.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


Edit SSL Certificate

Fields

Interface—Displays the name of the interface you are editing.

Certificate—Click to select a previously enrolled certificate to associate with the named interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System


SSL Certificates

In this pane, you can require that device management sessions require user certificates for SSL authentication.

Fields

Interface—Displays the name of the interface you are editing.

User Certificate Required—Click to select a previously enrolled certificate to associate with the named interface.

Modes

The following table shows the modes in which this feature is available:

Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System