6.1.2 Enable Limited TLS Versions for SSL VPN - banned-cipher

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Enable or disable individual TLS versions and cipher suites to gain finer control over SSL VPN connections and to enforce more secure connections.

Rationale:

Limiting the SSL VPN to more secure TLS versions, and enforcing stronger ciphers, increases the security of SSL VPN connections.

Solution

CLI:

config vpn ssl settings
set ssl-max-proto-ver *** {configure the maximum TLS version supported}
set ssl-min-proto-ver *** {set the minimum supported TLS version}
set banned-cipher *** {add cipher suites to the banned list so they cannot be negotiated}
set algorithm high {use only high-strength algorithms}
end

Default Value:

ssl-max-proto-ver : tls1-3
ssl-min-proto-ver : tls1-2
banned-cipher :
algorithm : high
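The following is an added example, not part of the CIS benchmark or Fortinet's own tooling: a small Python checker that parses the text of a `config vpn ssl settings` block (as shown by the FortiGate CLI) and reports the deviations this audit cares about (minimum TLS version below tls1-2, maximum below minimum, required entries missing from banned-cipher, algorithm not set to high). Keys that are not present are taken from the Default Value list above. The two configuration samples are constructed for illustration; the cipher tokens `RSA` and `SHA1` and the value `low` are assumed option names, not taken from this page.

```python
"""Check a FortiGate 'config vpn ssl settings' block against the TLS audit.

Added example: parses 'set <key> <values>' lines between
'config vpn ssl settings' and 'end', then evaluates the settings.
"""
import re

# FortiOS TLS version tokens, ordered from weakest to strongest.
TLS_ORDER = {"tls1-0": 0, "tls1-1": 1, "tls1-2": 2, "tls1-3": 3}

# Default values as listed on the audit page; an absent 'set' line means the default.
DEFAULTS = {
    "ssl-max-proto-ver": "tls1-3",
    "ssl-min-proto-ver": "tls1-2",
    "banned-cipher": "",
    "algorithm": "high",
}

SET_LINE = re.compile(r"^\s*set\s+(\S+)\s*(.*?)\s*$")

# Constructed sample: weak settings (values such as 'low' are assumed option names).
WEAK_SETTINGS = """config vpn ssl settings
    set ssl-min-proto-ver tls1-0
    set ssl-max-proto-ver tls1-2
    set algorithm low
end
"""

# Constructed sample: hardened settings; 'RSA' and 'SHA1' are assumed cipher tokens.
HARDENED_SETTINGS = """config vpn ssl settings
    set ssl-min-proto-ver tls1-2
    set ssl-max-proto-ver tls1-3
    set banned-cipher RSA SHA1
    set algorithm high
end
"""


def parse_ssl_settings(cli_text):
    """Return a dict of settings from the 'config vpn ssl settings' block, with defaults filled in."""
    settings = dict(DEFAULTS)
    inside = False
    for line in cli_text.splitlines():
        stripped = line.strip()
        if stripped == "config vpn ssl settings":
            inside = True
            continue
        if inside and stripped == "end":
            break
        if inside:
            match = SET_LINE.match(line)
            if match:
                # Strip quotes so 'set banned-cipher "RSA" "SHA1"' parses like the unquoted form.
                settings[match.group(1)] = match.group(2).replace('"', "")
    return settings


def check_ssl_settings(cli_text, minimum_version="tls1-2", required_banned=()):
    """Return a list of findings; an empty list means the block passes the check."""
    s = parse_ssl_settings(cli_text)
    findings = []

    min_v = s["ssl-min-proto-ver"]
    max_v = s["ssl-max-proto-ver"]
    if min_v not in TLS_ORDER:
        findings.append(f"unknown ssl-min-proto-ver '{min_v}'")
    elif TLS_ORDER[min_v] < TLS_ORDER[minimum_version]:
        findings.append(f"ssl-min-proto-ver is {min_v}; expected {minimum_version} or newer")

    if max_v not in TLS_ORDER:
        findings.append(f"unknown ssl-max-proto-ver '{max_v}'")
    elif min_v in TLS_ORDER and TLS_ORDER[max_v] < TLS_ORDER[min_v]:
        findings.append(f"ssl-max-proto-ver {max_v} is lower than ssl-min-proto-ver {min_v}")

    # banned-cipher is a space-separated list; an empty default bans nothing.
    banned = set(s["banned-cipher"].split())
    missing = sorted(set(required_banned) - banned)
    if missing:
        findings.append("banned-cipher does not include: " + " ".join(missing))

    if s["algorithm"] != "high":
        findings.append(f"algorithm is '{s['algorithm']}'; expected high")

    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SETTINGS), ("hardened", HARDENED_SETTINGS)):
        result = check_ssl_settings(cfg, required_banned=("SHA1",))
        print(f"{name}: {result or 'compliant'}")
```

Feed it the output of `show full-configuration vpn ssl settings` from the device; the `required_banned` tuple is where an organisation's own list of cipher tokens to forbid goes, since the audit text leaves that choice open.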

See Also

https://workbench.cisecurity.org/files/4077