<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: ASA 5510 getting file via HTTPS in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-5510-getting-file-via-https/m-p/3296790#M1009091</link>
    <description>So, before anyone bothers helping me out: It seems this is a more or (more) less well-known problem. I stumbled across this topic here: &lt;BR /&gt;&lt;BR /&gt;&lt;A href="https://supportforums.cisco.com/t5/vpn/tls-1-2-on-asa-clientless-ssl-vpn/td-p/2173348" target="_blank"&gt;https://supportforums.cisco.com/t5/vpn/tls-1-2-on-asa-clientless-ssl-vpn/td-p/2173348&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;It seems that the ASA up to version 9.3 has some weird difficulties with Diffie-Hellman algorithms. After I set this command in the admin-context: "ssl encryption aes128-sha1 aes256-sha1 3des-sha1" it actually worked. Pretty sad and weird behaviour for an ASA but what gives...&lt;BR /&gt;&lt;BR /&gt;Thanks for reading, Topic done.</description>
    <pubDate>Fri, 15 Dec 2017 11:47:44 GMT</pubDate>
    <dc:creator>Icarus</dc:creator>
    <dc:date>2017-12-15T11:47:44Z</dc:date>
    <item>
      <title>ASA 5510 getting file via HTTPS</title>
      <link>https://community.cisco.com/t5/network-security/asa-5510-getting-file-via-https/m-p/3296674#M1009090</link>
      <description>&lt;P&gt;Hi Guys,&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I have a little problem here. It might be an error on my side, but as it is with every error: I have no clue what is actually going wrong.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;First, what I want to do: I want to be able to log into my ASA5510 with Software Version 9.1(7)19, go to the system context and enter this command: copy https://username:password@server-ip//path/file flash:/filename&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;The path is actually correct. I can get this file from one of my C3750G and load it into my flash. When I do it with my ASA from the system context, I always get this error: "%Error opening https://username:password@server-ip//path/file (I/O error)"&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;If I do a term mon on this device, it shows me that "Device failed SSL handshake". When I capture the handshake, everything looks ok for my taste. I installed a CA certificate in the admin-context, which is just above the server certificate in the whole chain.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;When I compare the capture from my C3750G and my ASA, it really looks the same. Both use TLSv1, both agree on one cipher suite with the server, but right after the capture says "Server Key Exchange", the ASA sends a TCP packet with the FIN flag set and terminates the session. I really have no clue why this happens.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Is there some best practice on how to configure this? All I find if I search for "https" and "ASA" is the ASDM, and that is not what I am searching for. Even though the ASDM is working fine. Just saying. &lt;span class="lia-unicode-emoji" title=":slightly_smiling_face:"&gt;🙂&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;Thank you in advance.&lt;/P&gt;</description>
      <pubDate>Fri, 21 Feb 2020 14:57:33 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5510-getting-file-via-https/m-p/3296674#M1009090</guid>
      <dc:creator>Icarus</dc:creator>
      <dc:date>2020-02-21T14:57:33Z</dc:date>
    </item>
    <item>
      <title>Re: ASA 5510 getting file via HTTPS</title>
      <link>https://community.cisco.com/t5/network-security/asa-5510-getting-file-via-https/m-p/3296790#M1009091</link>
      <description>So, before anyone bothers helping me out: It seems this is a more or (more) less well-known problem. I stumbled across this topic here: &lt;BR /&gt;&lt;BR /&gt;&lt;A href="https://supportforums.cisco.com/t5/vpn/tls-1-2-on-asa-clientless-ssl-vpn/td-p/2173348" target="_blank"&gt;https://supportforums.cisco.com/t5/vpn/tls-1-2-on-asa-clientless-ssl-vpn/td-p/2173348&lt;/A&gt;&lt;BR /&gt;&lt;BR /&gt;It seems that the ASA up to version 9.3 has some weird difficulties with Diffie-Hellman algorithms. After I set this command in the admin-context: "ssl encryption aes128-sha1 aes256-sha1 3des-sha1" it actually worked. Pretty sad and weird behaviour for an ASA but what gives...&lt;BR /&gt;&lt;BR /&gt;Thanks for reading, Topic done.</description>
      <pubDate>Fri, 15 Dec 2017 11:47:44 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5510-getting-file-via-https/m-p/3296790#M1009091</guid>
      <dc:creator>Icarus</dc:creator>
      <dc:date>2017-12-15T11:47:44Z</dc:date>
    </item>
  </channel>
</rss>

