Cisco ASA 5515-X Adaptive Security Appliance Troubleshooting Guide

Upgrade and use TLS 1.1/1.2. The limitation with this solution is that it applies only to ASA 5500-X platforms. The encryption hardware on legacy ASA platforms (the ASA 5505 and the ASA 5500 series) does not support TLSv1.2. As a result, a fix for these platforms is not feasible.
Due to protocol limitations, there is no solution for SSLv3 or TLSv1.0; however, most modern browsers have implemented their own client-side mitigations.
Cisco bug ID CSCuc85781: WebVPN Cookie Randomization
For the ASA software versions that do not support TLSv1.2, this fix makes the WebVPN cookies random in order to reduce the risk. This does not completely prevent BEAST attacks, but it helps mitigate them.
Tip: The only way to be completely protected from the BEAST vulnerability is to use TLSv1.2. The same applies to ciphers: Cisco continues to add newer, stronger ciphers in newer code, and older ciphers might have known issues (such as RC4). Thus, Cisco recommends that you move to the newer protocols and ciphers.
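Both the upgrade advice and the tip about ciphers come down to what the appliance actually negotiates. The following audit helper is an added example, not code from the Cisco document or from the ASA itself: it offers one protocol version at a time to a TLS endpoint you administer (the hostname, port and the wording of the findings are assumptions of this example) and reports the result in the terms used above, flagging a missing TLSv1.2, a still-accepted TLSv1.0, and any RC4 suite. Current Python and OpenSSL builds no longer speak SSLv3, so SSLv3 acceptance has to be checked with a dedicated scanner.

```python
"""Added audit helper: probe which TLS versions and cipher families an
endpoint still negotiates, then phrase the result as BEAST findings."""
import socket
import ssl
import sys
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Versions this probe can offer, oldest first. Current Python/OpenSSL builds
# no longer speak SSLv3, so SSLv3 acceptance needs a dedicated scanner.
PROBE_VERSIONS = [
    ("TLSv1.0", ssl.TLSVersion.TLSv1),
    ("TLSv1.1", ssl.TLSVersion.TLSv1_1),
    ("TLSv1.2", ssl.TLSVersion.TLSv1_2),
]


@dataclass
class ProbeResult:
    version: str
    negotiated: bool            # True if the peer completed a handshake at this version
    cipher: Optional[str]       # negotiated suite name, e.g. "RC4-SHA"; None on failure


def probe_one(host: str, port: int, version: ssl.TLSVersion,
              timeout: float = 5.0) -> Tuple[bool, Optional[str]]:
    """Offer exactly one protocol version and report whether the peer accepts it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Appliances often carry self-signed certificates; this probe audits the
    # protocol, not the trust chain, so certificate checks are skipped here.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.minimum_version = version
        ctx.maximum_version = version
        # Permit legacy suites locally so that a refusal of an old version
        # comes from the server rather than from OpenSSL's security level.
        ctx.set_ciphers("ALL:@SECLEVEL=0")
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, tls.cipher()[0]
    except (ssl.SSLError, ValueError, OSError):
        # Handshake refused, version unsupported by the local library, or
        # network error: all are reported as "not negotiated" for this version.
        return False, None


def probe_versions(host: str, port: int = 443) -> List[ProbeResult]:
    """Run one probe per version and collect the results."""
    results = []
    for name, version in PROBE_VERSIONS:
        ok, cipher = probe_one(host, port, version)
        results.append(ProbeResult(name, ok, cipher))
    return results


def assess(results: List[ProbeResult]) -> List[str]:
    """Translate probe results into findings in the terms of the guidance above."""
    by_version = {r.version: r for r in results}
    findings = []
    tls12 = by_version.get("TLSv1.2")
    if tls12 is not None and tls12.negotiated:
        findings.append("TLSv1.2 offered: clients that negotiate it are protected from BEAST")
    else:
        findings.append("TLSv1.2 not offered: upgrade the software, or the platform if its "
                        "hardware cannot support TLSv1.2")
    legacy = by_version.get("TLSv1.0")
    if legacy is not None and legacy.negotiated:
        findings.append(f"TLSv1.0 still accepted ({legacy.cipher}): clients that fall back to it "
                        "rely on browser-side mitigations and cookie randomization only")
    for r in results:
        if r.negotiated and r.cipher and "RC4" in r.cipher:
            findings.append(f"{r.version} negotiates RC4 ({r.cipher}): RC4 has known "
                            "weaknesses, move to newer ciphers")
    return findings


if __name__ == "__main__":
    # Usage: python tls_audit.py <host> [port]   (an endpoint you administer)
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    for line in assess(probe_versions(target, target_port)):
        print(line)
```

The probing and the assessment are kept separate so the findings logic can be exercised on recorded results without a live appliance, and so a future check (for example SSLv3 output from another scanner) can be fed into `assess` in the same `ProbeResult` shape.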
Updated: Apr 01, 2015
Document ID: 118854