AnyConnect/SSL using wrong certificate

erikorrsjo
Level 1

Hello

I have a Cisco ASA5508 and have set up for AnyConnect.

I have installed a GlobalSign certificate properly:

GOTFW001(config)# show ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater
SSL DH Group: group5 (1536-bit modulus)
SSL ECDH Group: group19 (256-bit EC)

SSL trust-points:
  Self-signed (RSA 2048 bits RSA-SHA256) certificate available
  Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
  Interface internet: ASDM_TrustPoint1 (RSA 2048 bits RSA-SHA256)
Certificate authentication is not enabled

But when I connect to the portal through the internet interface I get certificate error and when checking it I can see that the self-signed certificate is used. Why is that? Anybody got any ideas?

Regards,

Erik

Accepted Solution

Shivapramod M
Level 1

Hi Erik,

Are you using firewall version 9.4.1 or above? If yes, then you will see that the self-signed certificate will be used. This is expected behaviour.

When the client sends an SSL hello packet, an elliptic curve-capable SSL negotiation is used in version 9.4, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. That's why the ASA is presenting the self-signed cert "Self-signed (EC 256 bits ecdsa-with-SHA256)".

So, to avoid this, we need to remove the corresponding cipher suites using the ssl cipher command.
We can execute the following command so that only RSA-based ciphers are negotiated:

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"

Please refer to the documents below.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa94/release/notes/asarn94.html

https://supportforums.cisco.com/discussion/12524736/asa-x-ios-941-anyconnect-windows-81-untrusted-vpn-server-blocked

Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts

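A small diagnostic to go with the accepted answer. It is added here and is not from the thread or from Cisco: it sanity-checks an ssl cipher custom string (which suites would still make the ASA pick its ECDSA certificate, and which are weak by today's standards; the answer's list still contains RC4 and single DES), and can handshake with the portal to report what was actually presented. Host and port are placeholders; the EC OID check is a crude substring test on the DER certificate.

```python
import socket
import ssl

# Cipher string from the accepted answer (OpenSSL-style names, colon separated).
RSA_ONLY_CIPHERS = ("AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
                    "DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5")
# Substrings that mark suites no longer considered safe (the answer's list has several).
WEAK_MARKERS = ("RC4", "DES-CBC", "MD5", "NULL", "EXPORT")
# DER encoding of OID 1.2.840.10045.2.1 (id-ecPublicKey), present in an EC cert's SPKI.
EC_PUBKEY_OID = bytes.fromhex("06072a8648ce3d0201")


def analyze_cipher_list(cipher_string):
    """Split an ASA 'ssl cipher ... custom' string; report which suites
    authenticate with ECDSA (and so trigger the EC cert) and which are weak."""
    suites = [s for s in cipher_string.split(":") if s]
    return {
        "suites": suites,
        "ecdsa_auth": [s for s in suites if "ECDSA" in s],
        "weak": [s for s in suites if any(m in s for m in WEAK_MARKERS)],
    }


def classify_handshake(cipher_name, cert_der):
    """TLS <= 1.2 cipher names carry the auth algorithm (ECDHE-ECDSA-..., DHE-RSA-...,
    plain AES256-SHA = RSA). The DER check says whether the presented key is an EC key."""
    return {
        "cipher": cipher_name,
        "ecdsa_auth": "ECDSA" in cipher_name,
        "ec_certificate": EC_PUBKEY_OID in cert_der,
    }


def probe(host, port=443, ciphers=None, timeout=5):
    """Handshake with the portal (host/port are placeholders) and return what it presented.
    Verification is off so the self-signed cert can be inspected rather than rejected;
    this context is for diagnosis only, never for real client traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # keep the auth algorithm visible in the name
    if ciphers:
        ctx.set_ciphers(ciphers)  # e.g. RSA_ONLY_CIPHERS, or an ECDSA-capable list to compare
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return classify_handshake(tls.cipher()[0], tls.getpeercert(binary_form=True))
```

Running probe() once with the RSA-only list and once with a default (ECDSA-capable) list shows the difference the answer describes before and after the ssl cipher change.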

3 Replies

vincent.monnier
Level 1

Dear Erik

Have you set in your configuration a command such as:

ssl trust-point theRightTrustPoint

Where theRightTrustPoint is the trust point for your GlobalSign certificate

Regards,

Vincent


erikorrsjo
Level 1

Thanks for the info, it helped!

BR

Erik
