https://community.cisco.com/t5/network-security/change-ssl-cipher-suite-in-asa/m-p/2815475#M161232 <P>Hello,</P> <P>I have an ASA 5525. I want to update the SSL cipher suite in that box to&nbsp;<SPAN>ECDHE-ECDSA-AES128-GCM-SHA256.</SPAN></P> <P>I am running the code&nbsp;asa904-37-smp-k8.bin in the box.</P> <P>Can you please help me how to update the cipher?</P> <P></P> <P>CF</P> Tue, 12 Mar 2019 07:03:54 GMT Cisco Freak 2019-03-12T07:03:54Z https://community.cisco.com/t5/network-security/change-ssl-cipher-suite-in-asa/m-p/2815475#M161232 <P>Hello,</P> <P>I have an ASA 5525. I want to update the SSL cipher suite in that box to&nbsp;<SPAN>ECDHE-ECDSA-AES128-GCM-SHA256.</SPAN></P> <P>I am running the code&nbsp;asa904-37-smp-k8.bin in the box.</P> <P>Can you please help me how to update the cipher?</P> <P></P> <P>CF</P> Tue, 12 Mar 2019 07:03:54 GMT https://community.cisco.com/t5/network-security/change-ssl-cipher-suite-in-asa/m-p/2815475#M161232 Cisco Freak 2019-03-12T07:03:54Z https://community.cisco.com/t5/network-security/change-ssl-cipher-suite-in-asa/m-p/2815476#M161233 <P>You need to have the TLSv1.2 support which was added in ASA software version 9.3(2).</P> <P>You can check the available cipher types on your ASA with :</P> <PRE class="prettyprint">show ssl ciphers all</PRE> <P>Once you have the right software level, you can specify the ciphers that are accepted with the "ssl cipher" configuration command as described in the command reference:&nbsp;</P> <P>http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1724385</P> Mon, 21 Dec 2015 17:36:29 GMT https://community.cisco.com/t5/network-security/change-ssl-cipher-suite-in-asa/m-p/2815476#M161233 Marvin Rhoads 2015-12-21T17:36:29Z https://community.cisco.com/t5/network-security/change-ssl-cipher-suite-in-asa/m-p/4313048#M1079561 <P>hi marvin,</P><P>hope your well and staying safe!</P><P>just a question regarding ASA ciphers. our cyber team requires running TLSv1.2, therefore disable TLSv1 and TLSv1.1.</P><P>we run RA VPN. is this just a straight forward change? i.e. enable '<FONT color="#000000">ssl cipher tlsv1.2'?</FONT></P><P><FONT color="#000000">will this have any effect on other ASA cert (SSH, self sign cert/ASDM, etc)?</FONT></P><P><FONT color="#000000">will this 'drop' RA VPN connections?</FONT></P><P>&nbsp;</P><P>ciscoasa# show ssl ciphers all<BR />These are the ciphers for the given cipher level; not all ciphers<BR />are supported by all versions of SSL/TLS.<BR />These names can be used to create a custom cipher list<BR />ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)<BR />ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)<BR />DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)<BR />AES256-GCM-SHA384 (tlsv1.2)<BR />ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)<BR />ECDHE-RSA-AES256-SHA384 (tlsv1.2)<BR />DHE-RSA-AES256-SHA256 (tlsv1.2)<BR />AES256-SHA256 (tlsv1.2)<BR />ECDHE-ECDSA-AES128-GCM-SHA256 (tlsv1.2)<BR />ECDHE-RSA-AES128-GCM-SHA256 (tlsv1.2)<BR />DHE-RSA-AES128-GCM-SHA256 (tlsv1.2)<BR />AES128-GCM-SHA256 (tlsv1.2)<BR />ECDHE-ECDSA-AES128-SHA256 (tlsv1.2)<BR />ECDHE-RSA-AES128-SHA256 (tlsv1.2)<BR />DHE-RSA-AES128-SHA256 (tlsv1.2)<BR />AES128-SHA256 (tlsv1.2)<BR />DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)<BR />AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)<BR />DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)<BR />AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)<BR />DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)<BR />RC4-SHA (tlsv1)<BR />RC4-MD5 (tlsv1)<BR />DES-CBC-SHA (tlsv1)<BR />NULL-SHA (tlsv1)</P><P>ciscoasa# show ssl<BR />Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater<BR />Start connections using TLSv1 and negotiate to TLSv1 or greater<BR />SSL DH Group: group2 (1024-bit modulus)<BR />SSL ECDH Group: group19 (256-bit EC)</P><P>SSL trust-points:<BR />Self-signed (RSA 2048 bits RSA-SHA256) certificate available<BR />Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available<BR />Certificate authentication is not enabled</P><P><BR />ciscoasa# conf t<BR />ciscoasa(config)# ssl ?</P><P>configure mode commands/options:<BR />certificate-authentication Enable client certificate authentication<BR />cipher This is the ciphers to be used with SSL.<BR />client-version The SSL/TLS protocol version to use when acting<BR />as a client<BR />dh-group This is the DH group to be used used with SSL.<BR />ecdh-group This is the ECDH group to be used used with SSL.<BR />encryption This is the encryption method(s) used with ssl.<BR />The ordering of the algorithms specifies the<BR />preference. DEPRECATED, use 'ssl cipher' instead.<BR />server-version The minimum SSL/TLS protocol version to use when<BR />acting as a server<BR />trust-point Configure the ssl certificate trustpoint<BR />ciscoasa(config)# ssl cipher ?</P><P>configure mode commands/options:<BR />default Specify the set of ciphers for outbound connections<BR />dtlsv1 Specify the ciphers for DTLSv1 inbound connections<BR />tlsv1 Specify the ciphers for TLSv1 inbound connections<BR />tlsv1.1 Specify the ciphers for TLSv1.1 inbound connections<BR /><FONT color="#FF0000">tlsv1.2 Specify the ciphers for TLSv1.2 inbound connections</FONT></P><P>&nbsp;</P><P><FONT color="#FF0000">ciscoasa(config)# ssl cipher tlsv1.2<BR /></FONT></P> Wed, 24 Mar 2021 12:37:16 GMT https://community.cisco.com/t5/network-security/change-ssl-cipher-suite-in-asa/m-p/4313048#M1079561 johnlloyd_13 2021-03-24T12:37:16Z https://community.cisco.com/t5/network-security/change-ssl-cipher-suite-in-asa/m-p/4313725#M1079587 <P>Johnlloyd,</P> <P>Your clients should already be negotiating to the strongest mutually-supported ciphersuite. You can check them with "show vpn-session-db detail anyconnect"</P> <P>Other than that, it is just a matter of removing the tls1 and tls1.1 support along with making sure tls1.2 support is in place.</P> Thu, 25 Mar 2021 10:53:57 GMT https://community.cisco.com/t5/network-security/change-ssl-cipher-suite-in-asa/m-p/4313725#M1079587 Marvin Rhoads 2021-03-25T10:53:57Z