03-10-2023 10:08 AM
Hello:
I have two ASA 5515-X running 9.8(4)35, one of them support ECDHE-xxx cipher, but the other one does not show ECDHE-XXX ciphers, when I ran show ssl cipher high
Any suggestions?
James
03-10-2023 10:15 AM
03-10-2023 10:23 AM
Thanks MHM for your quick reply, I think that document is talking about ssl server cipher suite, I am more concerning ssl client cipher suite. I need to have ssl client cipher suite to support ECDHE-xxx cipher, and I don't have a certificate on the ASA. Do I need to get a certificate to enable ECDHE-xxx ciphers?
Thanks
James
03-11-2023 05:07 AM
I have two ASA 5515-X running 9.8(4)35, one of them support ECDHE-xxx cipher, but the other one does not show ECDHE-XXX ciphers, when I ran show ssl cipher high
I take this both are running the same code - please confirm, ?
Can you post the below output from both devices :
show run all ssl
show ssl
show SSL ciphers all
03-13-2023 10:43 AM - edited 03-13-2023 10:47 AM
Hi, Balaji:
Thanks for your reply, there are the output
5515-01 output ===============
5515-01# sh run all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA"
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group24
ssl ecdh-group group21
ssl trust-point SSLC1 Outside
ssl certificate-authentication fca-timeout 2
5515-01# show ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater
SSL DH Group: group24 (2048-bit modulus, 256-bit prime order subgroup, FIPS)
SSL ECDH Group: group21 (521-bit EC)
SSL trust-points:
Self-signed (RSA 2048 bits RSA-SHA256) certificate available
Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
Interface Outside: SSLC1(RSA 2048 bits RSA-SHA256)
Certificate authentication is not enabled
5515-01# show ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
DHE-RSA-AES256-SHA256 (tlsv1.2)
AES256-SHA256 (tlsv1.2)
DHE-RSA-AES128-SHA256 (tlsv1.2)
AES128-SHA256 (tlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
RC4-SHA (tlsv1)
RC4-MD5 (tlsv1)
DES-CBC-SHA (tlsv1)
NULL-SHA (tlsv1)
5515-02 output==================
5515-2# sh run all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA"
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group24
ssl ecdh-group group21
ssl trust-point SSLC2 Outside
ssl certificate-authentication fca-timeout 2
5515-2# sh ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater
SSL DH Group: group24 (2048-bit modulus, 256-bit prime order subgroup, FIPS)
SSL ECDH Group: group21 (521-bit EC)
SSL trust-points:
Self-signed (RSA 2048 bits RSA-SHA256) certificate available
Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
Interface Outside: SSLC2 (RSA 2048 bits RSA-SHA256)
Certificate authentication is not enabled
5515-2# show ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
AES256-GCM-SHA384 (tlsv1.2)
ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-SHA384 (tlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2)
AES256-SHA256 (tlsv1.2)
ECDHE-ECDSA-AES128-GCM-SHA256 (tlsv1.2)
ECDHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
DHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
AES128-GCM-SHA256 (tlsv1.2)
ECDHE-ECDSA-AES128-SHA256 (tlsv1.2)
ECDHE-RSA-AES128-SHA256 (tlsv1.2)
DHE-RSA-AES128-SHA256 (tlsv1.2)
AES128-SHA256 (tlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
RC4-SHA (tlsv1)
RC4-MD5 (tlsv1)
DES-CBC-SHA (tlsv1)
NULL-SHA (tlsv1)
Thanks,
James
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide