topic Hi,ssl server-versionTo set in Network Security

Check the status of SSL

wfqk — Tue, 12 Mar 2019 06:07:50 GMT

Hi I want to confirm the status of SSL in ASA. I used two commands to do that. But it looks like that the two commands got me two different results. First command show run all ssl tells some version etc, but second command show ssl tells Certificate authentication is not enabled. Any one can explain it for me ? Thank you

COV/pri/act# sh run all ssl
ssl server-version any
ssl client-version any
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl certificate-authentication fca-timeout 2

COV/pri/act# sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled

Hi,ssl server-versionTo set

Kanwaljeet Singh — Tue, 16 Jun 2015 20:14:14 GMT

Hi,

ssl server-version

To set the minimum protocol version for which the ASA will negotiate an SSL/TLS connection, use the ssl server-version command in global configuration mode. To revert to the default, any, use the no form of this command.

ssl client-version

To specify the SSL/TLS protocol version that the ASA uses when acting as a client, use the ssl client-version command in global configuration mode.

ssl certificate-authentication

To enable client certificate authentication for backwards compatibility for versions previous to 8.2(1), use the ssl certificate-authentication command in global configuration mode

Once you enable client certificate authentication, you will the below result.

N18-ASA5500-1(config)# sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
No SSL trust-points configured
Certificate authentication:
outside interface: port 443

SSL trustpoints are needed to bind the certificates and use them for vpn, anyconnect etc. You bind trustpoints with tunnel groups.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Thank you so much for your

wfqk — Tue, 16 Jun 2015 20:39:09 GMT

Thank you so much for your reply. Can you take a look at the below.

It show SSL trust-points: outside interface: GoDaddy_TP, but Certificate authentication is not enabled

Do you think the SSL is active ?

--------------------------------------------

COFW/pri/act# sh ssl

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1

Start connections using SSLv3 and negotiate to SSLv3 or TLSv1

Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Disabled ciphers: des-sha1 rc4-md5 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1

SSL trust-points:

outside interface: GoDaddy_TP

Certificate authentication is not enabled

COFW/pri/act# sh run ssl

ssl trust-point GoDaddy_TP outside

Hi,That has nothing to do

Kanwaljeet Singh — Tue, 16 Jun 2015 20:39:10 GMT

Hi,

That has nothing to do with SSL being enabled or not but client cert authentication as shown above.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

You mean the below SSL is

wfqk — Tue, 16 Jun 2015 20:58:40 GMT

You mean the below SSL is inactive, right ?

COFW/pri/act# sh ssl

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1

Start connections using SSLv3 and negotiate to SSLv3 or TLSv1

Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Disabled ciphers: des-sha1 rc4-md5 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1

SSL trust-points:

outside interface: GoDaddy_TP

Certificate authentication is not enabled

Hi,No it is not. Only client

Kanwaljeet Singh — Tue, 16 Jun 2015 21:03:36 GMT

Hi,

No it is not. Only client certificate authentication is not enabled which is an optional step in SSL handshake. You can enable it if you want a user to connect to ASA via https be required to authenticate itself. You can test this by enabling HTTPS/ASDM access on an interface. You would see that if ssl certificate-authentication is enabled and client is trying to connect without presenting certificate, it won't be able to connect.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Thank you so much for your

wfqk — Tue, 16 Jun 2015 21:23:20 GMT

Thank you so much for your explanation.

Can we say it like this:

The successful connection requires several things. One is certificate user present, another is what ?

So, as long as we see Certificate authentication is not enabled, we can think the SSL is inactive, right ?

Hi,I just tested it and i am

Kanwaljeet Singh — Tue, 16 Jun 2015 21:26:46 GMT

Hi,

I just tested it and i am able to connect when i don't have ssl certificate-authentication interface outside port 443 command in my configuration. But if i put it in, i am unable to connect to ASA using HTTPS. But weird thing is i don't see ASA requesting for client certificate in server hello. It actually succeeds as per pcaps.

And it doesn't mean that SSL is inactive. You can actually connect to it using HTTPS. Please enable asdm and check out yourself.

I will look into it more later. Gotta go on another call:)

Regards,

Kanwal

Note: Please mark answers if they are helpful.