11-09-2015 05:06 AM - edited 03-11-2019 11:51 PM
Hi,
the identity certificate on our ASA5545 (running 8.6 software) is due to expire soon. I understand the process to renew means obtaining a new certificate and installing it on the ASA.
So, I have obtained a new certificate from the CA (Entrust) and installed on the ASA.
However, when I try to bind the new certificate to my outside interface using ASDM I get the error:
"At least one encryption algorithm must be selected"
For the currently bound certificate, the list of available algorithms shown in ASDM is:
AES256-SHA1
AES128-SHA1
3DES-SHA1
RC4-SHA1
RC4-MD5
DES-SHA1
DHE-AES128-SHA1
DHE-AES256-SHA1
NULL-SHA1
And there is nothing on the list of Active Algorithms.
However, "show ssl" on the CLI gives the following:
show ssl
Accept connections using TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
SSL trust-points:
OUTSIDE interface: Entrust_trustpoint_duetoexpire
So, I'm confused?
What should I be selecting for the available algorithms in order to bind the new certificate to the interface? Will there be any impact to existing connections? How do I revert to the previous certificate (still has a week left!) if there are any issues? (Can I simply choose to bind the old certificate to the interface again and all will be back as it was while we examine what went wrong?)
Any help would be appreciated!
11-09-2015 05:40 AM
Hi mitchen,
You have to configure at least one encryption algorithm to allow the SSL handshake.
The show ssl output shows that you have the following algos configured:
rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Perhaps you can use the same algos if you do not wish to have any impact, and enable them via the command
"ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1"
The encryption algo varies from one endpoint to another, i.e. older Windows devices used the RC4 algo and DES as well. If you wish to dig deeper, then you can check the logs and see the encryption algo being negotiated with the clients and just set them accordingly.
If you wish to revert to the previous certificate, you can run the command
ssl trust-point Entrust_trustpoint_duetoexpire OUTSIDE
and this will associate the trustpoint mapped to the older certificate with the OUTSIDE interface.
NOTE: If you do not have older Windows versions, then you can disable the RC4 and DES algos as they are not very secure.
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
11-09-2015 09:17 AM
Hi Dinesh,
that's great, thanks. That seems to have worked!
As a side topic - how would I actually go about checking the encryption algorithms being negotiated with the clients to determine whether RC4 and DES can indeed be disabled?
11-09-2015 11:28 AM
Hello mitchen,
Particularly, this message shows the algorithm which is negotiated:
%ASA-7-725012: Device chooses cipher: cipher_name for SSL session with client interface_name:IP_address/port
You can run "debug webvpn 255" or "debug webvpn anyconnect 255" to check real-time log messages, or set up a logging class to just get the specific message as follows:
logging enable
logging timestamp
logging list Anyconnect level informational class svc
logging list Anyconnect level informational class ssl
logging list Anyconnect message 725012
logging trap Anyconnect
logging host inside <syslog server IP>
logging buffer-size 1048576
logging buffered debugging
Regards,
Dinesh Moudgil
P.S. Please rate helpful posts.
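The kind of check mitchen asks about, as an added example that is not from this thread: a small Python script that parses constructed %ASA-7-725012 lines in the format Dinesh quotes, counts which cipher each SSL session negotiated, and lists the client IPs that still rely on RC4 or DES. The sample log lines, hostnames and addresses are made up for illustration.

```python
import re
from collections import Counter, defaultdict

# Constructed sample syslog lines in the %ASA-7-725012 format quoted above;
# the 725002 line shows that unrelated messages are ignored.
SAMPLE_LOG = """\
Nov 09 2015 10:01:12 asa01 : %ASA-7-725012: Device chooses cipher : AES256-SHA for SSL session with client OUTSIDE:203.0.113.10/51234
Nov 09 2015 10:01:15 asa01 : %ASA-7-725012: Device chooses cipher : RC4-SHA for SSL session with client OUTSIDE:198.51.100.7/49321
Nov 09 2015 10:02:40 asa01 : %ASA-7-725012: Device chooses cipher : AES128-SHA for SSL session with client OUTSIDE:203.0.113.10/51240
Nov 09 2015 10:03:02 asa01 : %ASA-6-725002: Device completed SSL handshake with client OUTSIDE:203.0.113.10/51240
Nov 09 2015 10:05:19 asa01 : %ASA-7-725012: Device chooses cipher : DES-CBC-SHA for SSL session with client OUTSIDE:192.0.2.33/60001
"""

# Cipher families the thread suggests disabling once no client needs them.
LEGACY_PREFIXES = ("RC4", "DES")

CIPHER_RE = re.compile(
    r"%ASA-\d-725012:\s*Device chooses cipher\s*:\s*(?P<cipher>\S+)\s+for SSL session"
    r"\s+with client\s*(?P<iface>[^:\s]+):(?P<ip>[^/\s]+)/(?P<port>\d+)"
)

def parse_cipher_events(log_text):
    """Return (cipher, interface, client_ip) for every 725012 message."""
    events = []
    for line in log_text.splitlines():
        m = CIPHER_RE.search(line)
        if m:
            events.append((m.group("cipher"), m.group("iface"), m.group("ip")))
    return events

def cipher_usage(log_text):
    """Count how many SSL sessions negotiated each cipher."""
    return Counter(cipher for cipher, _, _ in parse_cipher_events(log_text))

def legacy_cipher_clients(log_text, prefixes=LEGACY_PREFIXES):
    """Map each legacy cipher to the client IPs that negotiated it.
    An empty result means no logged client depended on RC4/DES."""
    clients = defaultdict(set)
    for cipher, _, ip in parse_cipher_events(log_text):
        if cipher.upper().startswith(prefixes):
            clients[cipher].add(ip)
    return dict(clients)

if __name__ == "__main__":
    for cipher, n in cipher_usage(SAMPLE_LOG).most_common():
        print(f"{cipher:14s} {n} session(s)")
    for cipher, ips in legacy_cipher_clients(SAMPLE_LOG).items():
        print(f"legacy cipher {cipher} still used by: {', '.join(sorted(ips))}")
```

Feed it the buffered or syslog-collected output of the logging list above; if `legacy_cipher_clients` comes back empty over a representative period, the RC4 and DES entries can be dropped from `ssl encryption` without affecting any logged client.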