To protect against SSL vulnerabilities, it is important to disable SSLv3 and
weak ciphers on your Cisco ASA device.
To enumerate the ciphers supported by the device I use an OpenSSL wrapper
script called cipherscan that is available on GitHub.
On a default Cisco ASA setup here is what ciphers are
To change the supported protocols and ciphers, log in to the Cisco ASA via SSH.
You can list the current SSL configuration with show ssl and then make the
required changes.
You should disable SSLv3 due to the POODLE vulnerability, and you should verify
that you are using strong ciphers. I prefer to use ciphers that support PFS, but
the Cisco AnyConnect IOS app for the SSL VPN does not support the PFS ciphers,
so I had to include aes256-sha1 and aes128-sha1.
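
One way to check the result offline is to audit the ssl lines of a saved running-config. The script below is an added example, not part of the original post. It assumes the pre-9.3 ASA keywords (ssl server-version, ssl encryption, dhe-* cipher names), and treating RC4, DES/3DES and NULL as weak is this example's own choice. The sample configuration is constructed.

```python
"""Audit the SSL lines of an ASA running-config (pre-9.3 syntax assumed)."""

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = """\
hostname asa-example
ssl server-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
"""

# Assumption: server-version values under which SSLv3 can still be negotiated.
SSLV3_VALUES = {"any", "sslv3", "sslv3-only"}
# Substrings that match rc4-*, des-sha1, 3des-sha1 and null-sha1.
WEAK_MARKERS = ("rc4", "des", "null")


def audit_ssl_config(config_text):
    """Return a list of findings; an empty list means the SSL lines pass."""
    server_version = None
    ciphers = None
    for raw in config_text.splitlines():
        words = raw.split()
        if words[:2] == ["ssl", "server-version"] and len(words) > 2:
            server_version = words[2]
        elif words[:2] == ["ssl", "encryption"]:
            ciphers = words[2:]

    findings = []
    if server_version is None:
        findings.append("SSLv3 may be accepted: no ssl server-version line")
    elif server_version in SSLV3_VALUES:
        findings.append(f"SSLv3 may be accepted: ssl server-version {server_version}")
    if ciphers is None:
        findings.append("no ssl encryption line: device default ciphers in use")
        return findings
    for cipher in ciphers:
        if any(marker in cipher for marker in WEAK_MARKERS):
            findings.append(f"weak cipher enabled: {cipher}")
    # Non-PFS AES ciphers are tolerated (AnyConnect case), but at least one
    # dhe-* cipher should be offered to clients that support PFS.
    if not any(cipher.startswith("dhe-") for cipher in ciphers):
        findings.append("no PFS (dhe-*) cipher offered")
    return findings


if __name__ == "__main__":
    for finding in audit_ssl_config(SAMPLE_CONFIG):
        print(finding)
```

An empty result for a configuration that lists the dhe-* ciphers plus aes256-sha1 and aes128-sha1 matches the compromise described above.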