<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ASA 5585 ECDHE cipher support? in Network Security</title>
    <link>https://community.cisco.com/t5/network-security/asa-5585-ecdhe-cipher-support/m-p/3229814#M1010994</link>
    <description>&lt;P&gt;Does the ASA 5585 support ECDHE ciphers like ECDHE-RSA-AES256-GCM-SHA384?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I get an error message trying to enable them, and I don't see them available:&lt;/P&gt;
&lt;PRE&gt;sho ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
  DHE-RSA-AES256-SHA256 (tlsv1.2)
  AES256-SHA256 (tlsv1.2)
  DHE-RSA-AES128-SHA256 (tlsv1.2)
  AES128-SHA256 (tlsv1.2)
  DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  RC4-SHA (tlsv1)
  RC4-MD5 (tlsv1)
  DES-CBC-SHA (tlsv1)
  NULL-SHA (tlsv1)
&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;Cisco Adaptive Security Appliance Software Version 9.4(4)8
Device Manager Version 7.6(1)

Compiled on Sun 16-Jul-17 23:27 PDT by builders
System image file is "disk0:/asa944-8-smp-k8.bin"
Config file at boot was "startup-config"

fwt1-asa5585-01 up 123 days 21 hours
failover cluster up 124 days 0 hours

Hardware:   ASA5585-SSP-40, 12288 MB RAM, CPU Xeon 5500 series 2133 MHz, 2 CPUs (16 cores)
Internal ATA Compact Flash, 2048MB
BIOS Flash M25P32 @ 0x0, 4096KB

Encryption hardware device : Cisco ASA-5585 on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 3

Programmable device : Cisco CPLD revision 0x8&lt;/PRE&gt;</description>
    <pubDate>Fri, 21 Feb 2020 14:56:11 GMT</pubDate>
    <dc:creator>jmorrison_bcp</dc:creator>
    <dc:date>2020-02-21T14:56:11Z</dc:date>
    <item>
      <title>ASA 5585 ECDHE cipher support?</title>
      <link>https://community.cisco.com/t5/network-security/asa-5585-ecdhe-cipher-support/m-p/3229814#M1010994</link>
      <description>&lt;P&gt;Does the ASA 5585 support ECDHE ciphers like ECDHE-RSA-AES256-GCM-SHA384?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;I get an error message trying to enable them, and I don't see them available:&lt;/P&gt;
&lt;PRE&gt;sho ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
  DHE-RSA-AES256-SHA256 (tlsv1.2)
  AES256-SHA256 (tlsv1.2)
  DHE-RSA-AES128-SHA256 (tlsv1.2)
  AES128-SHA256 (tlsv1.2)
  DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  RC4-SHA (tlsv1)
  RC4-MD5 (tlsv1)
  DES-CBC-SHA (tlsv1)
  NULL-SHA (tlsv1)
&lt;/PRE&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;PRE&gt;Cisco Adaptive Security Appliance Software Version 9.4(4)8
Device Manager Version 7.6(1)

Compiled on Sun 16-Jul-17 23:27 PDT by builders
System image file is "disk0:/asa944-8-smp-k8.bin"
Config file at boot was "startup-config"

fwt1-asa5585-01 up 123 days 21 hours
failover cluster up 124 days 0 hours

Hardware:   ASA5585-SSP-40, 12288 MB RAM, CPU Xeon 5500 series 2133 MHz, 2 CPUs (16 cores)
Internal ATA Compact Flash, 2048MB
BIOS Flash M25P32 @ 0x0, 4096KB

Encryption hardware device : Cisco ASA-5585 on-board accelerator (revision 0x1)
                             Boot microcode        : CNPx-MC-BOOT-2.00
                             SSL/IKE microcode     : CNPx-MC-SSL-SB-PLUS-0005
                             IPSec microcode       : CNPx-MC-IPSEC-MAIN-0026
                             Number of accelerators: 3

Programmable device : Cisco CPLD revision 0x8&lt;/PRE&gt;</description>
      <pubDate>Fri, 21 Feb 2020 14:56:11 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5585-ecdhe-cipher-support/m-p/3229814#M1010994</guid>
      <dc:creator>jmorrison_bcp</dc:creator>
      <dc:date>2020-02-21T14:56:11Z</dc:date>
    </item>
    <item>
      <title>Re: ASA 5585 ECDHE cipher support?</title>
      <link>https://community.cisco.com/t5/network-security/asa-5585-ecdhe-cipher-support/m-p/3229846#M1010998</link>
      <description>&lt;P&gt;These ciphers were added in 9.4(1), but they are not active when the AnyConnect Essentials license is applied. Is that the case for your&amp;nbsp;ASA?&lt;/P&gt;</description>
      <pubDate>Sun, 10 Dec 2017 22:45:46 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5585-ecdhe-cipher-support/m-p/3229846#M1010998</guid>
      <dc:creator>Karsten Iwen</dc:creator>
      <dc:date>2017-12-10T22:45:46Z</dc:date>
    </item>
    <item>
      <title>Re: ASA 5585 ECDHE cipher support?</title>
      <link>https://community.cisco.com/t5/network-security/asa-5585-ecdhe-cipher-support/m-p/3297001#M1011001</link>
      <description>&lt;P&gt;Yes, AnyConnect Essentials is active.&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;So AnyConnect disables it?&lt;/P&gt;
&lt;P&gt;&amp;nbsp;&lt;/P&gt;
&lt;P&gt;It looks bad on SSL scans mainly.&lt;/P&gt;</description>
      <pubDate>Fri, 15 Dec 2017 18:33:25 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5585-ecdhe-cipher-support/m-p/3297001#M1011001</guid>
      <dc:creator>JOHN PAUL MORRISON</dc:creator>
      <dc:date>2017-12-15T18:33:25Z</dc:date>
    </item>
    <item>
      <title>Re: ASA 5585 ECDHE cipher support?</title>
      <link>https://community.cisco.com/t5/network-security/asa-5585-ecdhe-cipher-support/m-p/3297005#M1011002</link>
      <description>&lt;P&gt;Yes, but you should have AnyConnect PLUS licenses. Then you can replace your AnyConnect Essentials with AnyConnect PLUS. If you just disable it, you lose your VPN capabilities.&lt;/P&gt;</description>
      <pubDate>Fri, 15 Dec 2017 18:39:52 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5585-ecdhe-cipher-support/m-p/3297005#M1011002</guid>
      <dc:creator>Karsten Iwen</dc:creator>
      <dc:date>2017-12-15T18:39:52Z</dc:date>
    </item>
    <item>
      <title>Re: ASA 5585 ECDHE cipher support?</title>
      <link>https://community.cisco.com/t5/network-security/asa-5585-ecdhe-cipher-support/m-p/4260170#M1076749</link>
      <description>&lt;P&gt;I know it's been three years, but I'm hoping you can still respond. I'm wondering whether to get the AnyConnect Plus or Apex license. According to the AnyConnect ordering guide, Suite B encryption algorithms are only supported in the Apex license. I don't see this listed for the AnyConnect Plus license.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;&lt;A href="https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html" target="_blank"&gt;https://www.cisco.com/c/en/us/products/collateral/security/anyconnect-og.html&lt;/A&gt;&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Or does this mean the ciphers will be available in the "show ssl ciphers" but not usable with AnyConnect when using the Plus license?&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;&lt;P&gt;Peter&lt;/P&gt;</description>
      <pubDate>Thu, 17 Dec 2020 15:41:34 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-security/asa-5585-ecdhe-cipher-support/m-p/4260170#M1076749</guid>
      <dc:creator>ptchuba</dc:creator>
      <dc:date>2020-12-17T15:41:34Z</dc:date>
    </item>
  </channel>
</rss>

