Why is TLS version 1.0 disabled after AsyncOS upgrade

Available Languages

Download Options

  • PDF     (78.6 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (154.0 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (112.6 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:June 15, 2023
Document ID:220516

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the reason why Transport Layer Security (TLS) version 1.0 is being automatically disabled by AsyncOS after upgrades.

    Why is Cisco disabling TLS version 1.0 after AsyncOS upgrade?

    Cisco introduced TLSv1.1 and v1.2 functionality since AsyncOS 9.5 releases. Previously, TLSv1.0 is left enabled after upgrades for environments that required the older protocols, however Cisco strongly encouraged moving to TLSv1.2 as the standard protocol for the Secure Email environment.

    From Cisco AsyncOS 13.5.1 release and onwards, TLS version 1.0 is disabled automatically on upgrade per Cisco security policies to reduce the risk for the Cisco Secure Email users.

    This was previously outlined in the release notes for 13.5.1 GD (Release notes

    Cisco AsyncOS 13.5.1 Release Notes Snippet

    A warning message is also displayed in the WebUI and command line (CLI) when upgrading to any versions release after 13.5.1 release:

    After you upgrade to AsyncOS 13.5.1 and later, TLS v1.1 and v1.2 is enabled by default. - You cannot use TLS v1.0 in FIPS mode. - The appliance disables TLS v1.0 in non-FIPS mode after the upgrade but you can re-enable it if required.

    Warning: Enabling TLSv1.0 exposes your environment to potential security risks and vulnerabilities. Cisco highly recommends to utilise the available TLSv1.2 and high ciphers to ensure secured transmission of data.

    Currently as at AsyncOS 15.0, Cisco Secure Email AsyncOS allows system administrators to re-enable TLSv1.0 after upgrade at their own risk due to the potential security risks posed by the older version 1.0 protocols.

    This flexibility being offered is subject to change at latter releases to remove the option to utilise TLSv1.0 at all in later releases.

    Security risks and vulnerabilities with TLSv1.0:

    SSLv3.0/TLSv1.0 Protocol Weak CBC Mode Server Side Vulnerability (BEAST)
    SSL/TLSv1.0 CRIME Vulnerability 

    Related Information

    Revision History

    Revision Publish Date Comments
    1.0
    14-Jun-2023
    Initial Release
    TAC Authored

    Contributed by Cisco Engineers

    • Mathew Huynh
      Designated Services Manager

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products