https://community.cisco.com/t5/network-security/anyconnect-ssl-using-wrong-certificate/m-p/2809334#M160252 <P>Thanks for the info, it helped!</P> <P>BR</P> <P>Erik</P> Fri, 29 Jan 2016 20:05:04 GMT erikorrsjo 2016-01-29T20:05:04Z https://community.cisco.com/t5/network-security/anyconnect-ssl-using-wrong-certificate/m-p/2809331#M160249 <P>Hello</P> <P></P> <P>I have a Cisco ASA5508 and have set up for AnyConnect.</P> <P>I have installed a GlobalSign certificate properly:</P> <P>GOTFW001(config)# show ssl<BR />Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater<BR />Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater<BR />SSL DH Group: group5 (1536-bit modulus)<BR />SSL ECDH Group: group19 (256-bit EC)<BR /><BR />SSL trust-points:<BR />&nbsp; Self-signed (RSA 2048 bits RSA-SHA256) certificate available<BR />&nbsp; Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available<BR />&nbsp; Interface internet: ASDM_TrustPoint1 (RSA 2048 bits RSA-SHA256)<BR />Certificate authentication is not enabled</P> <P></P> <P>But when I connect to the portal through the internet interface I get certificate error and when checking it I can see that the self-signed certificate is used. Why is that? Anybody got any ideas?</P> <P>Regards,</P> <P>Erik</P> Tue, 12 Mar 2019 07:12:36 GMT https://community.cisco.com/t5/network-security/anyconnect-ssl-using-wrong-certificate/m-p/2809331#M160249 erikorrsjo 2019-03-12T07:12:36Z https://community.cisco.com/t5/network-security/anyconnect-ssl-using-wrong-certificate/m-p/2809332#M160250 <P>Dear Erik</P> <P></P> <P>Have you set in your configuration a command such as &nbsp;:&nbsp;</P> <P>ssl trust-point theRightTrustPoint</P> <P></P> <P>Where&nbsp;<SPAN>theRightTrustPoint is the trust point for your&nbsp;GlobalSign certificate</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Regards,</SPAN></P> <P><SPAN></SPAN></P> <P><SPAN>Vincent</SPAN></P> Thu, 28 Jan 2016 16:12:35 GMT https://community.cisco.com/t5/network-security/anyconnect-ssl-using-wrong-certificate/m-p/2809332#M160250 vincent.monnier 2016-01-28T16:12:35Z https://community.cisco.com/t5/network-security/anyconnect-ssl-using-wrong-certificate/m-p/2809333#M160251 <P>Hi Erik,</P> <P></P> <P>Are you using the firewall version 9.4.1 or above. If yes then you will see that self signed certificate will be used. This is an expected &nbsp;behaviour.</P> <P>When the client sends an SSL hello packets, an elliptic curve-capable SSL negotiation is used in version 9.4, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint.&nbsp; That's why the ASA is presenting the self-signed Cert "Self-signed (EC 256 bits ecdsa-with-SHA256)".</P> <P>So To avoid this, we need&nbsp; to remove the corresponding cipher suites using the ssl cipher command.<BR />we can execute the following command so that only RSA based ciphers are negotiated (</P> <P>ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"</P> <P></P> <P>Please refer the below documents.</P> <P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html</P> <P>https://supportforums.cisco.com/discussion/12524736/asa-x-ios-941-anyconnect-windows-81-untrusted-vpn-server-blocked</P> <P>Thanks,<BR />Shivapramod M<BR />Please remember to select a correct answer and rate helpful posts</P> <P>&nbsp;</P> Thu, 28 Jan 2016 16:33:17 GMT https://community.cisco.com/t5/network-security/anyconnect-ssl-using-wrong-certificate/m-p/2809333#M160251 Shivapramod M 2016-01-28T16:33:17Z https://community.cisco.com/t5/network-security/anyconnect-ssl-using-wrong-certificate/m-p/2809334#M160252 <P>Thanks for the info, it helped!</P> <P>BR</P> <P>Erik</P> Fri, 29 Jan 2016 20:05:04 GMT https://community.cisco.com/t5/network-security/anyconnect-ssl-using-wrong-certificate/m-p/2809334#M160252 erikorrsjo 2016-01-29T20:05:04Z