Cisco AnyConnect Secure Mobility Client v3.x Release Notes
Release Notes for Cisco AnyConnect Secure Mobility Client, Release 3.1
8. See “Configuring the ASA to Download AnyConnect” in Chapter 2, Deploying the AnyConnect Secure Mobility Client, in the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1, to install the packages onto an ASA or to deploy AnyConnect using your enterprise software management system.
Important Security Considerations
Microsoft No Longer Supporting SHA-1—A secure gateway with a SHA-1 certificate, or a certificate with SHA-1 intermediate certificates, is considered valid by a Windows endpoint until January 2017. After January 2017, Windows endpoints will no longer trust a secure gateway with a SHA-1 certificate. Ensure that your secure gateway does not have a SHA-1 identity certificate and that none of its intermediate certificates are SHA-1.
http://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-authenticode-code-signing-and-timestamping.aspx
Files signed before January 1st, 2016 will be valid until January 1st, 2017.
Note: Due to the code signing changes, current AnyConnect users must upgrade to AnyConnect release 3.1.13015, the future AnyConnect 4.2 MR version, or AnyConnect 4.3+ releases to keep AnyConnect functional on Windows platforms after January 1, 2017.
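The SHA-1 check above is easy to get wrong by hand when a chain has several intermediates, so here is an added example (not Cisco's code and not part of these release notes) that walks a DER-encoded certificate chain with a minimal ASN.1 reader and flags any identity or intermediate certificate whose outer signature algorithm depends on SHA-1. A self-signed root is reported but never flagged, because the endpoint trusts it by its presence in the certificate store rather than by verifying its own signature. The sample chain is constructed: it has the real X.509 layout but dummy contents and no valid signatures; the hostnames and CA names are placeholders.

```python
# Added example (not Cisco's code): audit a DER certificate chain for SHA-1 signature
# algorithms with a minimal DER reader, so no third-party library is needed. The sample
# certificates are constructed skeletons: real X.509 layout, dummy contents, no valid signature.
SHA1_SIG_OIDS = {                       # signature OIDs that depend on SHA-1 (RFC 3279)
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10040.4.3": "dsaWithSHA1",
}
SHA1_RSA, SHA256_RSA = "1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"

def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    # Split a constructed element's content into (tag, content) pairs.
    items, pos = [], 0
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        items.append((tag, val))
    return items

def decode_oid(raw):
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def cert_signature_info(der):
    """Return (outer signatureAlgorithm OID, is_self_signed) for one DER certificate."""
    _, cert, _ = read_tlv(der, 0)                         # Certificate ::= SEQUENCE
    tbs, sig_alg, _sig_value = children(cert)
    fields = children(tbs[1])                             # TBSCertificate fields
    if fields[0][0] == 0xA0:                              # optional explicit [0] version
        fields = fields[1:]
    _serial, _tbs_alg, issuer, _validity, subject = fields[:5]
    oid = decode_oid(children(sig_alg[1])[0][1])          # AlgorithmIdentifier.algorithm
    return oid, issuer[1] == subject[1]                   # identical DER Names => self-signed

def audit_chain(chain):
    """chain: DER certs, identity first -> [(index, role, algorithm, flagged)].
    A self-signed root is never flagged: the endpoint trusts it because it is in the
    store, not because of its own signature, so only identity/intermediates matter."""
    findings = []
    for idx, der in enumerate(chain):
        oid, self_signed = cert_signature_info(der)
        role = "identity" if idx == 0 else ("root" if self_signed else "intermediate")
        flagged = oid in SHA1_SIG_OIDS and role != "root"
        findings.append((idx, role, SHA1_SIG_OIDS.get(oid, oid), flagged))
    return findings

def chain_is_sha1_clean(chain):
    return not any(flagged for *_, flagged in audit_chain(chain))

# ---- constructed sample data: tiny DER encoder for skeleton certificates ----------------
def tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk, arc = chunk + [0x80 | (arc & 0x7F)], arc >> 7
        out += bytes(reversed(chunk))
    return out

def make_cert(subject_cn, issuer_cn, sig_oid):
    """Skeleton X.509 v3 certificate: CN-only names, dummy key, dummy signature."""
    alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + tlv(0x05, b""))
    def name(cn):   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (CN only)
        return tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, encode_oid("2.5.4.3"))
                                          + tlv(0x0C, cn.encode()))))
    validity = tlv(0x30, tlv(0x17, b"160101000000Z") + tlv(0x17, b"170101000000Z"))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg
              + name(issuer_cn) + validity + name(subject_cn) + tlv(0x30, b""))
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00" * 9))

# Identity cert still SHA-1 signed, intermediate SHA-256, self-signed root SHA-1 (ignored).
SAMPLE_CHAIN = [
    make_cert("vpn.example.com", "Example Intermediate CA", SHA1_RSA),
    make_cert("Example Intermediate CA", "Example Root CA", SHA256_RSA),
    make_cert("Example Root CA", "Example Root CA", SHA1_RSA),
]
```

On a real gateway you would feed `audit_chain` the DER bytes of the identity certificate followed by the intermediates it sends (for example the chain saved from a TLS session, converted from PEM to DER); the only finding that matters for the January 2017 cut-off is a `flagged` entry on the identity or an intermediate, which is the certificate that needs to be reissued with a SHA-2 signature.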
OpenSSL Cipher Suite Changes—Because the OpenSSL standards development team marked some cipher suites as compromised, we no longer support them beyond AnyConnect 3.1.05187. The unsupported cipher suites include DES-CBC-SHA, RC4-SHA, and RC4-MD5. RC4 TLS cipher suites are not supported from 3.1.13015 onwards due to security policy enhancements.
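To see which entries in an existing cipher list fall into the families dropped above, here is an added example (not Cisco's code and not part of these release notes) that classifies OpenSSL-style suite names by their components: single DES-CBC, RC4, and MD5-based suites are reported with the reason, while 3DES (`DES-CBC3-*`) and SHA-2 suites pass. The suite list is constructed for the example, not taken from any ASA configuration.

```python
# Added example (not Cisco's code): check a configured cipher-suite list against the
# families this release drops (single DES-CBC, RC4, MD5 MAC). Names follow the OpenSSL
# convention; the sample list below is constructed, not read from an ASA.

def classify_suite(name):
    """Return why a suite is unsupported per the release notes, or None if it is fine.

    The name is split on '-' so components can be inspected individually: a 'DES'
    token followed by 'CBC' is single DES, whereas 'DES-CBC3' is 3DES and is kept;
    'RC4' anywhere is RC4; a trailing 'MD5' is an MD5-based MAC.
    """
    tokens = name.upper().split("-")
    for i, tok in enumerate(tokens):
        if tok == "RC4":
            return "RC4 stream cipher (not supported from 3.1.13015 onwards)"
        if tok == "DES" and i + 1 < len(tokens) and tokens[i + 1] == "CBC":
            return "single DES (56-bit key) marked compromised"
    if tokens[-1] == "MD5":
        return "MD5-based MAC marked compromised"
    return None


def unsupported_suites(configured):
    """Map each unsupported suite in `configured` to its reason, in configured order."""
    return {s: classify_suite(s) for s in configured if classify_suite(s)}


def filter_supported(configured):
    """The configured list with every unsupported suite removed."""
    return [s for s in configured if classify_suite(s) is None]


# Constructed sample: an older cipher list that still carries the dropped suites.
SAMPLE_CIPHERS = [
    "ECDHE-RSA-AES128-GCM-SHA256", "AES256-SHA", "DES-CBC3-SHA",
    "DES-CBC-SHA", "EDH-RSA-DES-CBC-SHA", "RC4-SHA", "RC4-MD5",
]

if __name__ == "__main__":
    for suite, reason in unsupported_suites(SAMPLE_CIPHERS).items():
        print(f"{suite:28s} {reason}")
    print("keep:", ", ".join(filter_supported(SAMPLE_CIPHERS)))
```

The token check deliberately keys on the component names rather than on the three suites the note lists, so variants such as `EDH-RSA-DES-CBC-SHA` are caught as well; review the result against the actual ASA `ssl cipher` configuration before changing it.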
We have removed all AnyConnect software packages prior to AnyConnect 3.1.05182 from Cisco.com because of a security risk found in the OpenSSL software integrated in those releases: . We recommend that customers running AnyConnect 3.0.X or AnyConnect 3.1.0178 or earlier upgrade to the latest version of AnyConnect 3.1.09013 or AnyConnect 4.1.
We do not recommend using a self-signed certificate, because of the possibility that a user could inadvertently configure a browser to trust a certificate on a rogue server, and because of the inconvenience to users of having to respond to a security warning when connecting to your secure gateway.
Enable Strict Certificate Trust in the AnyConnect Local Policy
We strongly recommend you enable Strict Certificate Trust for the AnyConnect client for the following reasons:

With the increase in targeted exploits, enabling Strict Certificate Trust in the local policy helps prevent “man in the middle” attacks when users are connecting from untrusted networks such as those in coffee shops and airports.

Even if you use fully verifiable and trusted certificates, the AnyConnect client, by default, allows end users to accept unverifiable certificates. If your end users were subjected to a man-in-the-middle attack, they may be prompted to accept a malicious certificate. To remove this decision from your end users, enable Strict Certificate Trust.
To configure Strict Certificate Trust, see the Cisco AnyConnect Secure Mobility Client Administrator Guide, Release 3.1.