Cisco Web Security Appliance S390 Release Notes

Release Notes for AsyncOS 8.5.x for Cisco Web Security Appliances

New Features
New Features in Release 8.5.3-069 (GD)
This release contains a number of bug fixes; see the “Fixed issues” search in 
 for additional information.
New Features in Release 8.5.2-027 (MD) 
Primary changes in this release relate to disabling and enabling SSLv3 and elliptic-curve
Diffie-Hellman ephemeral (ECDHE) features, and to configuring update server certificate validation.
Feature Description 
SSL configuration
For enhanced security, you can enable and disable SSLv3 for several 
services. Services with SSLv3 disabled will use TLSv1.0.
You can enable and disable SSLv3 for Appliance Management Web User 
Interface, Proxy Services (includes HTTPS Proxy and Credential 
Encryption for Secure Client), Secure LDAP Services (includes 
Authentication, External Authentication, SaaS SSO, and Secure Mobility), 
as well as the Update Service.
Use the Web interface (System Administration > SSL Configuration), or the
CLI (sslconfig).
ECDHE authentication
Additional ECDH ciphers are supported in successive releases; however, 
certain named curves provided with some of the additional ciphers cause 
the appliance to close a connection during secure LDAP authentication and 
HTTPS traffic decryption.
If you experience these issues, use the sslconfig command, ECDHE option,
to disable or enable ECDHE cipher use for either or both features.
Here is a snippet of the CLI for this:
Choose the operation you want to perform:
- SSLV3 - Enable or disable SSL v3.
- ECDHE - Enable or disable ECDHE Authentication.
[]> ECDHE
ECDHE cipher status is enabled in Proxy & enabled in LDAP
Please select an option to change ECDHE cipher status:
- 1 - Toggle ECDHE cipher status in Proxy
- 2 - Toggle ECDHE cipher status in LDAP
- 3 - Enable ECDHE cipher in both Proxy & LDAP
- 4 - Disable ECDHE cipher  in both Proxy & LDAP
[]>