Welcome to Cisco Firewalls Community
Explorer

"At least one encryption algorithm must be selected" error when trying to bind SSL certificate to ASA5545 interface

Hi,

The identity certificate on our ASA5545 (running 8.6 software) is due to expire soon. I understand the process to renew means obtaining a new certificate and installing it on the ASA.

So, I have obtained a new certificate from the CA (Entrust) and installed it on the ASA.

However, when I try to bind the new certificate to my outside interface using ASDM I get the error:

"At least one encryption algorithm must be selected"

For the currently bound certificate, the list of available algorithms I have listed on ASDM is:

AES256-SHA1
AES128-SHA1
3DES-SHA1
RC4-SHA1
RC4-MD5
DES-SHA1
DHE-AES128-SHA1
DHE-AES256-SHA1
NULL-SHA1

And there is nothing on the list of Active Algorithms.

However, "show ssl" on the CLI gives the following:

show ssl
Accept connections using TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
SSL trust-points:
OUTSIDE interface:  Entrust_trustpoint_duetoexpire

So, I'm confused?


What should I be selecting for the available algorithms in order to bind the new certificate to the interface?  Will there be any impact to existing connections?  How do I revert to the previous certificate (still has a week left!) if there are any issues? (Can I simply choose to bind the old certificate to the interface again and all will be back as it was while we examine what went wrong?)

Any help would be appreciated!

1 ACCEPTED SOLUTION

Cisco Employee

Hi mitchen,

You have to configure at least one encryption algo to allow the SSL handshake.
The show ssl output shows that you have the following algos configured:
rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1

Perhaps you can use the same algos if you do not wish to have any impact and enable them via the command
"ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1"

The encryption algo varies from one endpoint to another, i.e. older Windows devices used the RC4 algo and DES as well. If you wish to dig deeper, then you can check the logs and see the encryption algo being negotiated with the clients and just set them accordingly.

If you wish to revert to the previous certificate, you can run the command
ssl trust-point Entrust_trustpoint_duetoexpire OUTSIDE
and this will associate the trustpoint mapped to the older certificate with the OUTSIDE interface.


NOTE: If you do not have older Windows versions, then you can disable the RC4 and DES algos as they are not very secure.

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

3 REPLIES
Explorer

Hi Dinesh,

That's great, thanks. That seems to have worked!

As a side topic - how would I actually go about checking the encryption algorithms being negotiated with the clients to determine whether RC4 and DES can indeed be disabled?

Cisco Employee

Hello mitchen,

Particularly, this message shows the algorithm which is negotiated:
%ASA-7-725012 Device chooses cipher: cipher_name for SSL session with client interface_name:IP_address/port

You can run "debug webvpn 255" or "debug webvpn anyconnect 255" to check realtime log messages or set up a logging class to just get the specific message as follows:
logging enable
logging timestamp
logging list Anyconnect level informational class svc
logging list Anyconnect level informational class ssl
logging list Anyconnect message 725012

logging trap Anyconnect
logging host inside <syslog server IP>
logging buffer-size 1048576
logging buffered debugging

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.
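Once the 725012 messages are being collected on the syslog host, the practical question from the thread is which clients still negotiate RC4 or DES. The script below is an added example, not part of the original thread or any Cisco tool: it parses the "Device chooses cipher" message quoted above, tallies negotiated ciphers, and lists the client addresses that still land on the legacy ones, so an administrator can see whether disabling them would break anyone. The syslog lines are constructed for the example (RFC 5737 addresses, OpenSSL-style cipher names, an assumed timestamp prefix); the classification treats RC4, single DES, NULL and MD5 suites as legacy and keeps 3DES, matching the cipher order shown in the thread.

```python
import re
from collections import Counter, defaultdict

# Pattern for the ASA syslog message quoted in the thread:
#   %ASA-7-725012: Device chooses cipher : <cipher> for SSL session with client <if>:<ip>/<port>
# Anything before "%ASA" (a timestamp from "logging timestamp", a hostname) is ignored.
# The exact timestamp format is an assumption of this example.
CIPHER_RE = re.compile(
    r"%ASA-7-725012:?\s+Device chooses cipher\s*:?\s*(?P<cipher>\S+)\s+for SSL session"
    r"\s+with client\s+(?P<iface>[^:\s]+):(?P<ip>[0-9a-fA-F.:]+)/(?P<port>\d+)"
)

# Constructed sample syslog lines (not captured from a real device); one
# unrelated 302013 connection message is mixed in to show it is skipped.
SAMPLE_SYSLOG = """\
Jun 10 2014 09:12:01 asa-fw %ASA-7-725012: Device chooses cipher : AES256-SHA for SSL session with client outside:203.0.113.10/51234
Jun 10 2014 09:12:05 asa-fw %ASA-7-725012: Device chooses cipher : RC4-SHA for SSL session with client outside:198.51.100.7/40211
Jun 10 2014 09:12:09 asa-fw %ASA-6-302013: Built inbound TCP connection 48213 for outside:203.0.113.10/51234 (203.0.113.10/51234) to identity:192.0.2.1/443 (192.0.2.1/443)
Jun 10 2014 09:13:44 asa-fw %ASA-7-725012: Device chooses cipher : AES128-SHA for SSL session with client outside:203.0.113.22/50002
Jun 10 2014 09:15:02 asa-fw %ASA-7-725012: Device chooses cipher : RC4-SHA for SSL session with client outside:198.51.100.7/40219
Jun 10 2014 09:16:30 asa-fw %ASA-7-725012: Device chooses cipher : DES-CBC3-SHA for SSL session with client outside:192.0.2.15/61000
""".splitlines()


def is_legacy_cipher(cipher: str) -> bool:
    """True for the suites the thread treats as disposable: RC4, single DES, NULL, MD5.

    Triple DES (ASA name 3des-sha1, OpenSSL name DES-CBC3-SHA) is kept, because it is
    part of the enabled cipher order shown in the thread.
    """
    c = cipher.upper()
    if "3DES" in c or "CBC3" in c:
        return False
    return c.startswith(("RC4", "DES", "NULL")) or "MD5" in c


def parse_cipher_events(lines):
    """Extract (cipher, interface, client_ip, client_port) from 725012 messages."""
    events = []
    for line in lines:
        m = CIPHER_RE.search(line)
        if m:
            events.append((m.group("cipher"), m.group("iface"), m.group("ip"), int(m.group("port"))))
    return events


def summarize(lines):
    """Return (cipher counts, {legacy cipher: sorted client IPs}) for a batch of syslog lines."""
    events = parse_cipher_events(lines)
    by_cipher = Counter(cipher.upper() for cipher, *_ in events)
    legacy_clients = defaultdict(set)
    for cipher, _iface, ip, _port in events:
        if is_legacy_cipher(cipher):
            legacy_clients[cipher.upper()].add(ip)
    return by_cipher, {k: sorted(v) for k, v in legacy_clients.items()}


if __name__ == "__main__":
    counts, legacy = summarize(SAMPLE_SYSLOG)
    print("Negotiated ciphers:")
    for name, n in counts.most_common():
        print(f"  {name:<16} {n}")
    if legacy:
        print("Clients still on legacy ciphers (fix or exempt before removing them from 'ssl encryption'):")
        for name, ips in legacy.items():
            print(f"  {name}: {', '.join(ips)}")
    else:
        print("No legacy cipher negotiations seen; RC4/DES can be dropped from 'ssl encryption'.")
```

Point the script at the file your syslog host writes for the Anyconnect logging list (for example by replacing SAMPLE_SYSLOG with the lines of that file) and run it over a period long enough to cover every client population; an empty legacy list is the evidence the thread asks for before shortening the "ssl encryption" line.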