11452 Views, 20 Helpful, 3 Replies

ASA 5500x SSL secure renegotiation and forward secrecy

Ralphy006
Level 1

While doing an SSL Qualys scan on an ASA, the lack of support for secure renegotiation and forward secrecy is getting flagged.

I am striking out on finding info on this.

Anyone know how to fix this?

I currently have tlsv1.2 only enabled with only stronger ciphers allowed.

3 Replies

Marvin Rhoads
Hall of Fame

Those two discrepancies are not, to my knowledge, fixable on ASA platforms without breaking things for your clients. I haven't tested it again in about a year but the last time I tried, I had clients tell me their VPN stopped working.

If you want to give it a try...

For secure renegotiation, there is "anyconnect ssl rekey method none" in group-policy webvpn configuration mode. However, I've not had success with this setting raising the score with Qualys' checker.

For forward secrecy, try disabling all but ECDHE SSL ciphers in your ssl cipher list. You will also have to have an EC crypto key, and that must have been used to sign your certificate signing request, and the certificate must be issued from a trusted root CA. You must also be using AnyConnect Apex licenses. (AC 4.x client is also required if you use this cipher type.)

https://supportforums.cisco.com/document/12943436/understanding-and-configuring-asa-ec-certificate-and-ec-ciphers

https://ltlnetworker.wordpress.com/2016/12/18/elliptic-curve-asa/
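Since Qualys only grades what the ASA's web server actually negotiates (not the group-policy rekey setting), it helps to check the two findings directly before and after a cipher change. The following is an added example, not code from the thread or from Cisco: it parses the post-handshake summary that `openssl s_client` prints and reports whether the negotiated suite gives forward secrecy and whether the server advertised the secure-renegotiation extension. The sample outputs are constructed; `probe()` assumes an `openssl` binary on PATH and a reachable ASA.

```python
import re
import subprocess

# Lines openssl s_client prints once the handshake completes.
_CIPHER_RE = re.compile(r"^New, (?P<proto>TLSv1(?:\.\d)?|SSLv3), Cipher is (?P<cipher>\S+)", re.M)
_RENEG_RE = re.compile(r"^Secure Renegotiation IS (?P<state>NOT supported|supported)", re.M)


def assess_tls(s_client_output: str) -> dict:
    """Judge the two Qualys findings from raw openssl s_client output."""
    cipher_m = _CIPHER_RE.search(s_client_output)
    if cipher_m is None:
        raise ValueError("no negotiated cipher in output: handshake failed?")
    proto, cipher = cipher_m.group("proto"), cipher_m.group("cipher")
    # TLS 1.3 suites are always (EC)DHE; for 1.2 the OpenSSL name says so.
    forward_secrecy = proto == "TLSv1.3" or cipher.startswith(("ECDHE-", "DHE-"))
    # TLS 1.3 removed renegotiation entirely, so the flag only matters for <= 1.2.
    reneg_m = _RENEG_RE.search(s_client_output)
    secure_reneg = proto == "TLSv1.3" or (
        reneg_m is not None and reneg_m.group("state") == "supported")
    return {"protocol": proto, "cipher": cipher,
            "forward_secrecy": forward_secrecy,
            "secure_renegotiation": secure_reneg}


def probe(host: str, port: int = 443) -> dict:
    """Run openssl s_client against the ASA (assumed reachable) and assess it."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    out = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return assess_tls(out.stdout.decode(errors="replace"))


# Constructed s_client excerpts: a weak ASA, a tuned ASA, and a TLS 1.3 server.
SAMPLE_WEAK = """New, TLSv1.2, Cipher is AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
"""
SAMPLE_TUNED = """New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
Server public key is 256 bit
Secure Renegotiation IS supported
"""
SAMPLE_TLS13 = """New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384
Server public key is 256 bit
Secure Renegotiation IS NOT supported
"""

if __name__ == "__main__":
    for name, sample in (("weak", SAMPLE_WEAK), ("tuned", SAMPLE_TUNED)):
        print(name, assess_tls(sample))
```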

Regarding your comment about not having luck raising the score with the Qualys checker, that's expected. The change you've made to the group policy does not affect the web server's configuration, and that's the only piece the Qualys checker tests.

The advice from 2017 is no longer current.

We can get rid of the Forward Secrecy issue for both ASA and FTD-based remote access SSL VPN. Please see this thread for details:

https://community.cisco.com/t5/vpn/anyconnect-perfect-forward-secrecy/td-p/3324415

Secure renegotiation is not supported and Cisco does not plan to change that. There was an enhancement request a while back and Cisco closed it.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCud62637

You can achieve a Qualys A- rating given the steps from the first link.
