https://community.cisco.com/t5/network-security/tls-1-0-suites-in-server-preferred-order-ssl-encryption/m-p/4090783#M1070441 <P>Hi,</P><P>ASA Software Version 9.1(7)23</P><P>Cisco ASA 5520</P><P>We ran a test for our VPN firewall on Qualys website and it showed some week configuration points. i.e. TLS1.2 is not enable TLS1.0 is enable. I understand&nbsp; TLS1.2 is not supported in this version.</P><P>Under the&nbsp;Cipher Suites TLS 1.0 (suites in server-preferred order) section it gives:</P><P>TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK 256<BR />TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK 128<BR />TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256<BR />TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128</P><P>I was expecting that when I do the show run i would see selected protocol in order. But get no match</P><P>#show run | i ssl encryption</P><P>Used search feature in notepad, same thing.</P><P>I see that tls1.2 support starts from version 9.3 but in software download page of ASA5520, the last update was back in 2018 and it was 9.1(7)</P><P>This means new hardware is needed to use tls1.2?</P><P>How do I check currently configured protocols and how to change it to get good ratings in Qualys ssllab test?</P><P>Thanks</P> Fri, 22 May 2020 16:09:17 GMT uzair1980 2020-05-22T16:09:17Z https://community.cisco.com/t5/network-security/tls-1-0-suites-in-server-preferred-order-ssl-encryption/m-p/4090783#M1070441 <P>Hi,</P><P>ASA Software Version 9.1(7)23</P><P>Cisco ASA 5520</P><P>We ran a test for our VPN firewall on Qualys website and it showed some week configuration points. i.e. TLS1.2 is not enable TLS1.0 is enable. I understand&nbsp; TLS1.2 is not supported in this version.</P><P>Under the&nbsp;Cipher Suites TLS 1.0 (suites in server-preferred order) section it gives:</P><P>TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK 256<BR />TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK 128<BR />TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256<BR />TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128</P><P>I was expecting that when I do the show run i would see selected protocol in order. But get no match</P><P>#show run | i ssl encryption</P><P>Used search feature in notepad, same thing.</P><P>I see that tls1.2 support starts from version 9.3 but in software download page of ASA5520, the last update was back in 2018 and it was 9.1(7)</P><P>This means new hardware is needed to use tls1.2?</P><P>How do I check currently configured protocols and how to change it to get good ratings in Qualys ssllab test?</P><P>Thanks</P> Fri, 22 May 2020 16:09:17 GMT https://community.cisco.com/t5/network-security/tls-1-0-suites-in-server-preferred-order-ssl-encryption/m-p/4090783#M1070441 uzair1980 2020-05-22T16:09:17Z https://community.cisco.com/t5/network-security/tls-1-0-suites-in-server-preferred-order-ssl-encryption/m-p/4090799#M1070443 <P>Hi,</P> <P>What hardware are you using? You should consider upgrading to the latest supported version, which supports TLS 1.2 and DTLS 1.2, which is any version from 9.10.</P> <P>&nbsp;</P> <P>If you wish to get a good score, you should consider disabling TLS 1.0/1.1 and just use TLS/DTLS 1.2.</P> <P>You can specify the ciphers as below:-</P> <P>&nbsp;</P> <PRE>ssl server-version tlsv1.2 dtlsv1.2<BR />ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 AES256-GCM-SHA384"<BR />ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 AES256-GCM-SHA384"</PRE> <P>&nbsp;</P> <P>HTH</P> Fri, 22 May 2020 15:30:55 GMT https://community.cisco.com/t5/network-security/tls-1-0-suites-in-server-preferred-order-ssl-encryption/m-p/4090799#M1070443 Rob Ingram 2020-05-22T15:30:55Z https://community.cisco.com/t5/network-security/tls-1-0-suites-in-server-preferred-order-ssl-encryption/m-p/4090804#M1070444 <P>This is Cisco ASA 5520. I know this is pretty old and not supported any more. Before I consider to make changes to protocol or OS version, i was looking where these are defined, either in ASDM or CLI. That i can't find. Google says that I should see, for an example, "</P><P>ssl encryption aes128-sha1 aes256-sha1 des-sha1"</P><P>but in my case this statement is not in config.&nbsp;</P> Fri, 22 May 2020 15:37:22 GMT https://community.cisco.com/t5/network-security/tls-1-0-suites-in-server-preferred-order-ssl-encryption/m-p/4090804#M1070444 uzair1980 2020-05-22T15:37:22Z https://community.cisco.com/t5/network-security/tls-1-0-suites-in-server-preferred-order-ssl-encryption/m-p/4090816#M1070446 <P>The exact command maybe different but the syntax on newer ASA software would be:-</P> <P><STRONG>ssl cipher tlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"</STRONG> potentially on older code it would be <STRONG>ssl encryption</STRONG> ......you put the custom ciphers you wish to use in " ".</P> <P>&nbsp;</P> <P>You can find the ciphers supports by TLS1 as below.</P> <P>&nbsp;</P> <PRE>ASA-1(config)# <STRONG>show ssl ciphers</STRONG><BR />Current cipher configuration:<BR />default (medium):<BR />ECDHE-ECDSA-AES256-GCM-SHA384<BR />ECDHE-RSA-AES256-GCM-SHA384<BR />DHE-RSA-AES256-GCM-SHA384<BR />AES256-GCM-SHA384<BR />ECDHE-ECDSA-AES256-SHA384<BR />ECDHE-RSA-AES256-SHA384<BR />DHE-RSA-AES256-SHA256<BR />AES256-SHA256<BR />ECDHE-ECDSA-AES128-GCM-SHA256<BR />ECDHE-RSA-AES128-GCM-SHA256<BR />DHE-RSA-AES128-GCM-SHA256<BR />AES128-GCM-SHA256<BR />ECDHE-ECDSA-AES128-SHA256<BR />ECDHE-RSA-AES128-SHA256<BR />DHE-RSA-AES128-SHA256<BR />AES128-SHA256<BR />DHE-RSA-AES256-SHA<BR />AES256-SHA<BR />DHE-RSA-AES128-SHA<BR />AES128-SHA<BR />DES-CBC3-SHA<BR /><STRONG>tlsv1 (medium):</STRONG><BR /><STRONG>DHE-RSA-AES256-SHA</STRONG><BR /><STRONG>AES256-SHA</STRONG><BR /><STRONG>DHE-RSA-AES128-SHA</STRONG><BR /><STRONG>AES128-SHA</STRONG><BR /><STRONG>DES-CBC3-SHA</STRONG><BR />tlsv1.1 (medium):<BR />DHE-RSA-AES256-SHA<BR />AES256-SHA<BR />DHE-RSA-AES128-SHA<BR />AES128-SHA<BR />DES-CBC3-SHA<BR />tlsv1.2 (medium):<BR />ECDHE-ECDSA-AES256-GCM-SHA384<BR />ECDHE-RSA-AES256-GCM-SHA384<BR />DHE-RSA-AES256-GCM-SHA384<BR />AES256-GCM-SHA384<BR />ECDHE-ECDSA-AES256-SHA384<BR />ECDHE-RSA-AES256-SHA384<BR />DHE-RSA-AES256-SHA256<BR />AES256-SHA256<BR />ECDHE-ECDSA-AES128-GCM-SHA256<BR />ECDHE-RSA-AES128-GCM-SHA256<BR />DHE-RSA-AES128-GCM-SHA256<BR /><BR />ASA-1(config)# <STRONG>ssl cipher tlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"</STRONG></PRE> <P>HTH</P> Fri, 22 May 2020 15:49:24 GMT https://community.cisco.com/t5/network-security/tls-1-0-suites-in-server-preferred-order-ssl-encryption/m-p/4090816#M1070446 Rob Ingram 2020-05-22T15:49:24Z https://community.cisco.com/t5/network-security/tls-1-0-suites-in-server-preferred-order-ssl-encryption/m-p/4090832#M1070447 <P># show run | i cipher<BR />&lt;empty&gt;</P><P>(config)# ssl cipher ?<BR />ERROR: % Unrecognized command</P><P>I see that tls 1.2 support starts from 9.3 but in software download page of 5520, the last update was back in 2018 and it was 9.1(7)</P><P>This means new hardware is needed to use tls1,2</P><P>&nbsp;</P> Fri, 22 May 2020 16:07:25 GMT https://community.cisco.com/t5/network-security/tls-1-0-suites-in-server-preferred-order-ssl-encryption/m-p/4090832#M1070447 uzair1980 2020-05-22T16:07:25Z https://community.cisco.com/t5/network-security/tls-1-0-suites-in-server-preferred-order-ssl-encryption/m-p/4090835#M1070448 <P>Like I said, potentially on older software the command would start ssl encryption and you put the custom ciphers you wish to use in " " like I demonstrated above</P> <P>&nbsp;</P> <P>HTH</P> Fri, 22 May 2020 16:17:56 GMT https://community.cisco.com/t5/network-security/tls-1-0-suites-in-server-preferred-order-ssl-encryption/m-p/4090835#M1070448 Rob Ingram 2020-05-22T16:17:56Z