ASA 5500x SSL secure renegotiation and forward secrecy

04-06-2017 01:41 PM - edited 03-12-2019 02:11 AM
While doing an SSL Qualys scan on an ASA, no support for secure renegotiation and forward secrecy is getting flagged.
I am striking out on finding info on this.
Anyone know how to fix this?
I currently have tlsv1.2 only enabled with only stronger ciphers allowed.
Labels: NGFW Firewalls
04-08-2017 05:10 AM
Those two discrepancies are not, to my knowledge, fixable on ASA platforms without breaking things for your clients. I haven't tested it again in about a year but the last time I tried, I had clients tell me their VPN stopped working.
If you want to give it a try...
For secure renegotiation, there is "anyconnect ssl rekey method none" in group-policy webvpn configuration mode. However, I've not had success with this setting raising the score with Qualys' checker.
For forward secrecy, try disabling all but ECDHE SSL ciphers in your ssl cipher list. You will also have to have an EC crypto key, and that must have been used to sign your certificate signing request, and the certificate must be issued from a trusted root CA. You must also be using AnyConnect Apex licenses. (AC 4.x client is also required if you use this cipher type.)
https://supportforums.cisco.com/document/12943436/understanding-and-configuring-asa-ec-certificate-and-ec-ciphers
https://ltlnetworker.wordpress.com/2016/12/18/elliptic-curve-asa/
04-10-2021 08:07 AM
Regarding your comment about not having luck raising the score with the Qualys checker, that's expected. The change you've made to the group policy does not affect the web server's configuration and that's the only piece the Qualys checker tests.
04-11-2021 05:12 AM
The advice from 2017 is no longer current.
We can get rid of the Forward Secrecy issue for both ASA and FTD-based remote access SSL VPN. Please see this thread for details:
https://community.cisco.com/t5/vpn/anyconnect-perfect-forward-secrecy/td-p/3324415
Secure renegotiation is not supported and Cisco does not plan to change that. There was an enhancement request a while back and Cisco closed it.
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCud62637
You can achieve a Qualys A- rating given the steps from the first link.
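As an added example (not part of the thread and not Cisco's or Qualys' tooling), the script below reproduces the two findings from the CLI with `openssl s_client`, which is the same listening TLS server that the Qualys checker tests, as the 2021 reply points out. `assess_tls` parses one handshake summary and reports whether the server advertised the secure renegotiation extension and whether the negotiated suite is ECDHE (forward secrecy); `accepts_non_fs` re-probes offering only non-ECDHE/DHE suites, so you can confirm that an ECDHE-only `ssl cipher` list really excludes everything else. The host names are placeholders, the sample outputs are constructed to mimic OpenSSL 1.1+ `s_client` formatting, and the classification of `DHE-*` suites as forward secret is my assumption about what the scanner counts.

```shell
#!/bin/sh
# Added example, not from the original thread. Needs the openssl binary only for
# live probes; assess_tls works offline on saved s_client output.

# One TLS 1.2 handshake against host:port. The optional third argument restricts
# the suites offered by the client (used by accepts_non_fs below).
probe_tls() {
  host="$1"; port="${2:-443}"; ciphers="${3:-DEFAULT}"
  printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$host" \
      -tls1_2 -cipher "$ciphers" 2>/dev/null
}

# Reads s_client output from stdin, prints one verdict line per Qualys finding
# and returns 0 only when both are clean.
assess_tls() {
  out=$(cat)
  status=0
  # s_client prints "Secure Renegotiation IS supported" or "... IS NOT supported".
  if printf '%s\n' "$out" | grep -q '^Secure Renegotiation IS supported'; then
    echo "secure renegotiation: supported"
  else
    echo "secure renegotiation: NOT supported"
    status=1
  fi
  # Negotiated suite from the SSL-Session block ("    Cipher    : NAME").
  cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
  case "$cipher" in
    ECDHE-*|DHE-*) echo "forward secrecy: yes ($cipher)" ;;
    ""|0000)       echo "forward secrecy: no handshake"; status=1 ;;   # 0000 = handshake failed
    *)             echo "forward secrecy: NO ($cipher)"; status=1 ;;
  esac
  return $status
}

# True (exit 0) if the server still completes a handshake when the client offers
# no ECDHE or DHE suite at all. Needs network access.
accepts_non_fs() {
  probe_tls "$1" "${2:-443}" 'ALL:!ECDHE:!DHE' | grep -q '^ *Cipher *: *[A-Z]'
}

# Constructed sample outputs (abbreviated s_client summaries, not real captures).
SAMPLE_CLEAN='---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'

SAMPLE_FLAGGED='---
New, TLSv1.2, Cipher is AES256-SHA
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA'

SAMPLE_NOHANDSHAKE='---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : 0000'

# Usage: sh check_tls.sh vpn.example.com [443]
if [ $# -ge 1 ]; then
  probe_tls "$1" "${2:-443}" | assess_tls
  if accepts_non_fs "$1" "${2:-443}"; then
    echo "server still negotiates a non-ECDHE/DHE suite: forward secrecy not enforced"
  fi
fi
```

Run it against the AnyConnect listener (the outside interface's `ssl trust-point` address) after applying the ECDHE-only cipher list; a passing `accepts_non_fs` check is the condition the scanner grades as forward secrecy with all clients, while the renegotiation verdict will stay negative on ASA as the thread notes.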
