Hi ,

Thanks a lot for sharing the question here . Unfortunately TLS1.1 and TLS1.2 are not available  for the legacy ASA models listed below :

5505
5510
5520
5540
5550

it is available on the ASA next generation firewalls  5500-X starting with the software version 9.3.2:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa93/release/notes/asarn93.html

"We now support TLS version 1.2 for secure message transmission for ASDM, Clientless SSVPN, and AnyConnect VPN."

Cheers.

Hi Mathew ,

For Certificates you have two types :

identity certificate   : A certificate that is issued to the device .

CA/Sub-CA certificates: A certificate authority that signs certificate for end points .

Since that you mentioned you have 4 certificates then i'm assuming that you have a chain of certificates . Now to install the certificates let us look at this example :

Root-CA-----Sub-CA1-----Sub-CA2---identity .

On cisco Routers and ASAs the certificate is installed in a containter that is called Trustpoint ,one trustpoint contains an identity certificate and another CA certificate Please see the following for the steps to install certificates :

1-if the CSR was generated on the router itself then :

a) authenticate the trustpoint (install the CA certificate) :

crypto pki authenticate <trustpoint name> 

<<paste the CA certificate encoded using Base64 PEM>>

b)Import the identity certificate :

crypto pki import <trustpoint name> certificates 

2- if the CSR was generated externally then most probably they provided you with a p12/pfx file . and in this case you need to use this command :

cry pki import trustpoint-name pkcs12 terminal pass 

you dont need to create the trustpoints, the router will do it automatically .

Finally, you need to configure the ssl gateway to user that trustpoint :

ssl trustpoint 

Moh

Charlie,

Several users have reported an issue similar to yours when upgrading to 9.3 and 9.4. Please see this thread for some workarounds (which are noted in the 9.4 release notes)

Hi Marvin, Thanks for the reply. I tried the ssl config and steps outlined but it didn't work unfortunately. I tried on 9.4 as well without success.

If we use anyconnect 3.1 the SSL VPN works successfully against 9.3.2 and 9.4, but only at TLS v1.0, and we're trying to get TLS v1.2 working. At least this allows us to upgrade the ASA and have a workaround that lets clients connect for the time being.

Thanks,

Charlie

Hi Charlie ,

Thank you very much for sharing your concerns .

I would like to start with the following  :

This is what have been added with 9.4 :

Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated:

But you mentioned you upgraded to 9.3.2 which reminds me with this defect :

ASA 9.3.2 SSL doesn't work with error: %ASA-4-402123: CRYPTO:

Fore more info :

https://tools.cisco.com/bugsearch/bug/CSCus70693

You should see this in the logs :

%ASA-4-402123: CRYPTO: The ASA hardware accelerator encountered an error (Invalid PKCS Type, Pad, or Length, code= 0x1B) while executing the command PKCS1 v1.5 RSA Decrypt with CRT (> 1024 bits) (0x202)."

The following will be useful to get a closer look at what is happening :

1-  Packet captures on the ASA for SSL traffic between the client and the ASA  in pcap format .

will show what ciphers are we negotiating . what level of the ssl protocol we are reaching . which certs are being sent .

2- ASA logs .

3- Show ssl errors 

4- debug cry ca 255 //   to see if the client is really sending a cert to the ASA .

5- if you connect from the browser does it work ?

6- a Dart output from the client .

7- Does it work from a windows machine if you have it available .

Cheers.

Thanks Moh.

The pcap shows that the ASA sends its certificate to the client, but the client doesn't send its certificate back to the ASA. The ASA is choosing AES256-SHA as the cipher and the only protocol attempted is TLSv1.2.

The ASA logs/debug cry ca 255 backup the pcap information; the client isn't sending its certificate to the ASA and the ASA is negotiating AES256-SHA TLSv1.2.

I've installed the root and sub CA successfully so If I connect via a browser, the browser accepts the ASA certificate and the log in page is displayed. When I log in I get the Certificate Validation Failure message.

I've run a dart output on the client but I'm struggling to see anything useful - where should I be looking?

I don't have a windows machine available unfortunately.

Thanks,

Charlie

Hi Charlie  ,

if the client is not sending the certificate . Then let us see what is the ASA requesting :

you should see a certificate request sent by the ASA with a list of the distinguished names that it trusts .

Do you have the pcap captures?

Cheers.

Hi Mohammad

Unfortunately I wasn't able to get the captures today and can't get them until tomorrow (0630 UTC), and I'm guessing that this ask the expert feature will have closed before you get a chance to look at them?

Perhaps you could give me a couple of pointers on the following -

Can we negotiate a TLSv1.2 SSL VPN using RSA 2048 SHA1 certificates, or do we need to generate certificates using something like SHA256?

We're not using any connect profiles. I've read a post says that if profiles aren't used then the certificates need to have

Key Usage attributes: Digital Signature, Key Encipherment.

Enhanced Key Usage attributes: Client Authentication

I've done this on the client certificates but not the ASA certificate; do they need to be set on the ASA certificate?

The ASA isn't showing any errors, but the client logs say that no valid certificates can be found in the certificate store. If I downgrade the ASA then the certificates can be used to successfully form the VPN, so I'm at a loss as to why they are ok for TLSv1 but not TLSv1.2 so any other things you can suggest to try/investigate would be much appreciated!

Cheers,

Charlie

Hi Mazahir  ,

Thanks for the participation .  The discussion we are having here is for the vpn terminated on the ASA and it looks like in your case the vpn is passing through the ASA to the MS server .  I'm not a FW expert but i will try to highlight the few important points :

For SSL VPNs the port is 443 .

For IPSEC usually we deal with :

UDP 500  -- > Isakmp 

UDP 4500 -> Nat Traversal

IP protocol 50 - > ESP - Data tunneling 

You need to ensure that the server is statically natted on the ASA and that on your server/client NAt-T is enabled .

If that didn't help i suggest to post a thread  in the Firewall section .

Moh ,