https://community.cisco.com/t5/network-security/asa-5515-x-ssl-ciphers/m-p/4791625#M1098578 <P><A href="https://community.cisco.com/t5/security-knowledge-base/configuring-the-asa-with-an-ec-certificate-and-ec-ciphers/ta-p/3156717" target="_blank">https://community.cisco.com/t5/security-knowledge-base/configuring-the-asa-with-an-ec-certificate-and-ec-ciphers/ta-p/3156717</A></P> <P>check this link</P> Fri, 10 Mar 2023 18:15:16 GMT MHM Cisco World 2023-03-10T18:15:16Z https://community.cisco.com/t5/network-security/asa-5515-x-ssl-ciphers/m-p/4791621#M1098577 <P>Hello:</P><P>I have two ASA 5515-X running 9.8(4)35, one of them support ECDHE-xxx cipher, but the other one does not show ECDHE-XXX ciphers, when I ran show ssl cipher high</P><P>Any suggestions?</P><P>James</P> Fri, 10 Mar 2023 18:08:41 GMT https://community.cisco.com/t5/network-security/asa-5515-x-ssl-ciphers/m-p/4791621#M1098577 jameslee43329 2023-03-10T18:08:41Z https://community.cisco.com/t5/network-security/asa-5515-x-ssl-ciphers/m-p/4791625#M1098578 <P><A href="https://community.cisco.com/t5/security-knowledge-base/configuring-the-asa-with-an-ec-certificate-and-ec-ciphers/ta-p/3156717" target="_blank">https://community.cisco.com/t5/security-knowledge-base/configuring-the-asa-with-an-ec-certificate-and-ec-ciphers/ta-p/3156717</A></P> <P>check this link</P> Fri, 10 Mar 2023 18:15:16 GMT https://community.cisco.com/t5/network-security/asa-5515-x-ssl-ciphers/m-p/4791625#M1098578 MHM Cisco World 2023-03-10T18:15:16Z https://community.cisco.com/t5/network-security/asa-5515-x-ssl-ciphers/m-p/4791629#M1098579 <P>Thanks MHM for your quick reply, I think that document is talking about ssl server cipher suite, I am more concerning ssl client cipher suite. I need to have ssl client cipher suite to support&nbsp;<SPAN>ECDHE-xxx cipher, and I don't have a certificate on the ASA. Do I need to get a certificate to enable ECDHE-xxx ciphers?</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks</SPAN></P><P>&nbsp;</P><P><SPAN>James</SPAN></P> Fri, 10 Mar 2023 18:23:35 GMT https://community.cisco.com/t5/network-security/asa-5515-x-ssl-ciphers/m-p/4791629#M1098579 jameslee43329 2023-03-10T18:23:35Z https://community.cisco.com/t5/network-security/asa-5515-x-ssl-ciphers/m-p/4791918#M1098593 <LI-CODE lang="markup">I have two ASA 5515-X running 9.8(4)35, one of them support ECDHE-xxx cipher, but the other one does not show ECDHE-XXX ciphers, when I ran show ssl cipher high</LI-CODE> <P>I take this both are running the same code - please confirm, ?</P> <P>Can you post the below output from both devices :</P> <P>show run all ssl</P> <P>show ssl</P> <P>show SSL ciphers all</P> <P>&nbsp;</P> Sat, 11 Mar 2023 13:07:29 GMT https://community.cisco.com/t5/network-security/asa-5515-x-ssl-ciphers/m-p/4791918#M1098593 balaji.bandi 2023-03-11T13:07:29Z https://community.cisco.com/t5/network-security/asa-5515-x-ssl-ciphers/m-p/4792980#M1098639 <P>Hi, Balaji:</P><P>Thanks for your reply, there are the output</P><P>5515-01 output ===============</P><P><SPAN>5515-01# sh run all ssl</SPAN></P><P><SPAN>ssl server-version tlsv1.2</SPAN></P><P><SPAN>ssl client-version tlsv1.2</SPAN></P><P><SPAN>ssl cipher default custom "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA"</SPAN></P><P><SPAN>ssl cipher tlsv1 medium</SPAN></P><P><SPAN>ssl cipher tlsv1.1 medium</SPAN></P><P><SPAN>ssl cipher tlsv1.2 medium</SPAN></P><P><SPAN>ssl cipher dtlsv1 medium</SPAN></P><P><SPAN>ssl dh-group group24</SPAN></P><P><SPAN>ssl ecdh-group group21</SPAN></P><P><SPAN>ssl trust-point SSLC1 Outside</SPAN></P><P><SPAN>ssl certificate-authentication fca-timeout 2</SPAN></P><P><SPAN>5515-01# show ssl</SPAN></P><P><SPAN>Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater</SPAN></P><P><SPAN>Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater</SPAN></P><P><SPAN>SSL DH Group: group24 (2048-bit modulus, 256-bit prime order subgroup, FIPS)</SPAN></P><P><SPAN>SSL ECDH Group: group21 (521-bit EC)</SPAN></P><P>&nbsp;</P><P><SPAN>SSL trust-points:</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>Self-signed (RSA 2048 bits RSA-SHA256) certificate available</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>Interface Outside: SSLC1(RSA 2048 bits RSA-SHA256)</SPAN></P><P><SPAN>Certificate authentication is not enabled</SPAN></P><P><SPAN>5515-01# show ssl ciphers all</SPAN></P><P><SPAN>These are the ciphers for the given cipher level; not all ciphers</SPAN></P><P><SPAN>are supported by all versions of SSL/TLS.</SPAN></P><P><SPAN>These names can be used to create a custom cipher list</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DHE-RSA-AES256-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>AES256-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DHE-RSA-AES128-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>AES128-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>RC4-SHA (tlsv1)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>RC4-MD5 (tlsv1)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DES-CBC-SHA (tlsv1)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>NULL-SHA (tlsv1)</SPAN></P><P>5515-02 output==================</P><P><SPAN>5515-2# sh run all ssl</SPAN></P><P><SPAN>ssl server-version tlsv1.2</SPAN></P><P><SPAN>ssl client-version tlsv1.2</SPAN></P><P><SPAN>ssl cipher default custom "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA"</SPAN></P><P><SPAN>ssl cipher tlsv1 medium</SPAN></P><P><SPAN>ssl cipher tlsv1.1 medium</SPAN></P><P><SPAN>ssl cipher tlsv1.2 medium</SPAN></P><P><SPAN>ssl cipher dtlsv1 medium</SPAN></P><P><SPAN>ssl dh-group group24</SPAN></P><P><SPAN>ssl ecdh-group group21</SPAN></P><P><SPAN>ssl trust-point SSLC2 Outside</SPAN></P><P><SPAN>ssl certificate-authentication fca-timeout 2</SPAN></P><P><SPAN>5515-2# sh ssl</SPAN></P><P><SPAN>Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater</SPAN></P><P><SPAN>Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater</SPAN></P><P><SPAN>SSL DH Group: group24 (2048-bit modulus, 256-bit prime order subgroup, FIPS)</SPAN></P><P><SPAN>SSL ECDH Group: group21 (521-bit EC)</SPAN></P><P>&nbsp;</P><P><SPAN>SSL trust-points:</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>Self-signed (RSA 2048 bits RSA-SHA256) certificate available</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>Interface Outside: SSLC2 (RSA 2048 bits RSA-SHA256)</SPAN></P><P><SPAN>Certificate authentication is not enabled</SPAN></P><P><SPAN>5515-2# show ssl ciphers all</SPAN></P><P><SPAN>These are the ciphers for the given cipher level; not all ciphers</SPAN></P><P><SPAN>are supported by all versions of SSL/TLS.</SPAN></P><P><SPAN>These names can be used to create a custom cipher list</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>AES256-GCM-SHA384 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>ECDHE-RSA-AES256-SHA384 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DHE-RSA-AES256-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>AES256-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>ECDHE-ECDSA-AES128-GCM-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>ECDHE-RSA-AES128-GCM-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DHE-RSA-AES128-GCM-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>AES128-GCM-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>ECDHE-ECDSA-AES128-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>ECDHE-RSA-AES128-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DHE-RSA-AES128-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>AES128-SHA256 (tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>RC4-SHA (tlsv1)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>RC4-MD5 (tlsv1)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>DES-CBC-SHA (tlsv1)</SPAN></P><P><SPAN><SPAN class="">&nbsp; </SPAN>NULL-SHA (tlsv1)</SPAN></P><P>&nbsp;</P><P><SPAN>Thanks,</SPAN></P><P><SPAN>James</SPAN></P> Mon, 13 Mar 2023 17:47:21 GMT https://community.cisco.com/t5/network-security/asa-5515-x-ssl-ciphers/m-p/4792980#M1098639 jameslee43329 2023-03-13T17:47:21Z