Specifying a Secure Communication Protocol
- If you plan to upgrade from a lower AsyncOS version (for example, 13.6.x) with TLSv1.0 enabled to AsyncOS 13.8.x or later, TLSv1.0 is disabled and TLSv1.1 and TLSv1.2 are enabled by default after the upgrade. If you still require the TLSv1.0 method, you need to enable it on your appliance after the upgrade.
- From AsyncOS 13.8.x and later, the SSLv2 and SSLv3 methods are not supported.
- It is recommended to use the TLSv1.1 and TLSv1.2 methods instead of SSLv3 and TLSv1.0. SSLv3 is not secure and you should not use it.

You can choose the communication protocol to be used for each of the following:

- Updater server
- Web-based administrative interface to the appliance
- LDAPS

Note: By default, Update Servers, Web Interface, and LDAP servers use the TLSv1.1 and TLSv1.2 methods on a newly installed appliance. SSLv3 is disabled for end-user access to the spam quarantine.

To view the currently selected protocols and available options, or to change protocols, use the sslconfig command in the command-line interface.

- Cisco update servers do not support SSLv3.
- If you are using a local (remote) update server, and for all other services and web browsers, the protocol you choose must be supported by and enabled on the server and tools you are using.
- One of the available options must be enabled for each service you use.
- Changes made using the sslconfig command require a Commit.
- Affected services will be briefly interrupted after you commit changes made using the sslconfig command.
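Before committing an sslconfig change that disables TLSv1.0, it is worth confirming that a local update server, LDAPS server or other peer still offers one of the remaining methods. The following is an added example (not Cisco code and not part of the AsyncOS CLI) that probes a host from any workstation with Python's ssl module, pinning each handshake to exactly one protocol version; the host and port are placeholders you supply.

```python
import socket
import ssl

# Methods named on the page that a current client library can still offer;
# SSLv2/SSLv3 are not probed (unsupported by AsyncOS 13.8+ and modern OpenSSL).
PROBE_VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}

def _client_context(version):
    """Client context pinned to exactly one protocol version (raises ValueError
    if the local TLS library cannot offer that version at all)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # the probe tests version negotiation only,
    ctx.verify_mode = ssl.CERT_NONE  # not certificate validity
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version <= ssl.TLSVersion.TLSv1_1:
        try:  # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
        except ssl.SSLError:
            pass
    return ctx

def probe_tls_versions(host, port, timeout=5.0):
    """Return {method: True (negotiated) / False (rejected) / None (no TCP connection)}."""
    results = {}
    for name, version in PROBE_VERSIONS.items():
        try:
            raw = socket.create_connection((host, port), timeout=timeout)
        except OSError:
            results[name] = None   # host down, port closed or filtered
            continue
        try:
            with _client_context(version).wrap_socket(raw, server_hostname=host) as tls:
                results[name] = tls.version() is not None
        except (ValueError, OSError):  # not offerable locally, or the server refused it
            results[name] = False
            raw.close()
    return results

def has_recommended_method(results):
    """True if the peer negotiated TLSv1.1 or TLSv1.2, the methods the page recommends."""
    return bool(results.get("TLSv1.1") or results.get("TLSv1.2"))

if __name__ == "__main__":
    report = probe_tls_versions("updates.example.internal", 443)  # placeholder host
    print(report, "OK" if has_recommended_method(report) else "peer offers no TLSv1.1/1.2")
```

A peer that reports only TLSv1.0 as True will stop talking to the appliance once you commit a configuration without that method, so fix the server first.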