Vulnerability scans have identified that the Content Analysis (CAS) management interface accepts weak or deprecated encryption protocols (TLS v1.0 and TLS v1.1). To comply with security standards, these protocols must be disabled so that only TLS v1.2 and above are accepted.
The CAS appliance, by default, may have legacy TLS versions enabled for the HTTPS-Console management service to maintain compatibility with older web browsers.
To disable legacy TLS versions for the management console, the configuration must be modified via the CLI using the commands below:
CAS#enable
Password:*************
CAS#configure t
Enter configuration commands, one per line. End with CNTL/Z.
CAS(config)# web-management https handshakes
Description: Accepted handshakes
Possible completions:
TLSv13, TLSv12, SSLv2, SSLv3, TLSv1, TLSv11
CAS(config)# web-management https handshakes TLSv12,TLSv13
Syntax:
handshakes
Configure accepted TLS settings, entered as a comma-separated list. Possible protocols include: TLSv13, TLSv12, SSLv2, SSLv3, TLSv1, TLSv11.
Default: TLSv12
Note: The protocols are case-sensitive.
Example: web-management https handshakes TLSv12,TLSv13
Note: Changing settings under Settings > ICAP > TLS Settings only affects the ICAP scanning service and does not secure the administrative web interface.
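After applying the change, confirm from an administrative workstation that the console really rejects the legacy versions and still accepts TLS v1.2 or v1.3 (so you are not locked out). The script below is an added verification example; it is not part of the CAS product or of the original article. It opens one handshake per protocol version, pinned to exactly that version, and reports what the server accepts. The management port is assumed to be 8082 and the host name is a placeholder; certificate checking is disabled because only the protocol negotiation is under test.

```python
"""Probe which TLS protocol versions an HTTPS management console accepts.

Added verification example (not part of the CAS product or the original
article). One handshake is attempted per protocol version, pinned to that
single version, and the server's answer is recorded.
"""
import socket
import ssl
import sys

# Protocol names as the CAS CLI spells them, mapped to the ssl module's versions.
PROBE_VERSIONS = [
    ("TLSv1", ssl.TLSVersion.TLSv1),
    ("TLSv11", ssl.TLSVersion.TLSv1_1),
    ("TLSv12", ssl.TLSVersion.TLSv1_2),
    ("TLSv13", ssl.TLSVersion.TLSv1_3),
]
LEGACY = {"TLSv1", "TLSv11"}   # must be rejected after the change
DEFAULT_PORT = 8082            # assumed CAS management console port; adjust to your deployment


def client_context(version):
    """Build a client context that negotiates exactly one TLS version."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # probing the protocol, not the certificate
    ctx.minimum_version = version
    ctx.maximum_version = version
    if version < ssl.TLSVersion.TLSv1_2:
        # Modern OpenSSL refuses TLS 1.0/1.1 at its default security level;
        # lower it so a rejection comes from the server, not from our own client.
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    return ctx


def probe(host, port=DEFAULT_PORT, timeout=5.0):
    """Return {name: (status, detail)} with status accepted / rejected / error."""
    results = {}
    for name, version in PROBE_VERSIONS:
        try:
            ctx = client_context(version)
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    results[name] = ("accepted", tls.version())
        except ssl.SSLError as exc:
            # Handshake failure: the server refused this version.
            results[name] = ("rejected", exc.reason or str(exc))
        except (OSError, ValueError) as exc:
            # Network problem, or a version our local OpenSSL cannot even offer.
            results[name] = ("error", str(exc))
    return results


def assess(results):
    """Return (compliant, findings) for a probe() result.

    Compliant means every legacy version was rejected and at least one of
    TLSv12 / TLSv13 was accepted, so the console remains reachable.
    """
    findings = []
    for name in sorted(LEGACY):
        if results.get(name, ("error", ""))[0] == "accepted":
            findings.append(
                f"{name} still accepted; run: web-management https handshakes TLSv12,TLSv13")
    modern_ok = any(results.get(n, ("error", ""))[0] == "accepted"
                    for n in ("TLSv12", "TLSv13"))
    if not modern_ok:
        findings.append("neither TLSv12 nor TLSv13 accepted; check host, port and reachability")
    return (not findings, findings)


if __name__ == "__main__":
    # Usage: python probe_tls.py <host> [port]   (placeholder host below)
    target = sys.argv[1] if len(sys.argv) > 1 else "cas.example.internal"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else DEFAULT_PORT
    outcome = probe(target, port)
    for name, (status, detail) in outcome.items():
        print(f"{name:7} {status:9} {detail}")
    ok, notes = assess(outcome)
    print("COMPLIANT" if ok else "NOT COMPLIANT")
    for note in notes:
        print(" -", note)
    sys.exit(0 if ok else 1)
```

Run it once before the change (TLSv1 and TLSv11 should show "accepted") and again afterwards (they should show "rejected"). An "error" on every row usually means the wrong host or port, or a firewall in the path. If your workstation's OpenSSL build has TLS 1.0/1.1 compiled out, those two rows show "error" rather than "rejected", and you need a different client to confirm the result. Keep your existing CLI session open while testing so you can restore the previous handshake list if TLSv12 and TLSv13 unexpectedly fail.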