ASA 5515-X ssl ciphers

jameslee43329
Level 1

Hello:

I have two ASA 5515-X running 9.8(4)35. One of them supports ECDHE-xxx ciphers, but the other one does not show ECDHE-xxx ciphers when I run show ssl cipher high.

Any suggestions?

James

4 Replies

Thanks MHM for your quick reply. I think that document is talking about the ssl server cipher suite; I am more concerned about the ssl client cipher suite. I need the ssl client cipher suite to support ECDHE-xxx ciphers, and I don't have a certificate on the ASA. Do I need to get a certificate to enable ECDHE-xxx ciphers?

Thanks

James

balaji.bandi
Hall of Fame

> I have two ASA 5515-X running 9.8(4)35. One of them supports ECDHE-xxx ciphers, but the other one does not show ECDHE-xxx ciphers when I run show ssl cipher high.

I take it both are running the same code, please confirm?

Can you post the below output from both devices:

show run all ssl
show ssl
show ssl ciphers all

BB


Hi, Balaji:

Thanks for your reply, here is the output.

5515-01 output ===============

5515-01# sh run all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA"
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group24
ssl ecdh-group group21
ssl trust-point SSLC1 Outside
ssl certificate-authentication fca-timeout 2

5515-01# show ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater
SSL DH Group: group24 (2048-bit modulus, 256-bit prime order subgroup, FIPS)
SSL ECDH Group: group21 (521-bit EC)

SSL trust-points:
  Self-signed (RSA 2048 bits RSA-SHA256) certificate available
  Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
  Interface Outside: SSLC1(RSA 2048 bits RSA-SHA256)
Certificate authentication is not enabled

5515-01# show ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
  DHE-RSA-AES256-SHA256 (tlsv1.2)
  AES256-SHA256 (tlsv1.2)
  DHE-RSA-AES128-SHA256 (tlsv1.2)
  AES128-SHA256 (tlsv1.2)
  DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  RC4-SHA (tlsv1)
  RC4-MD5 (tlsv1)
  DES-CBC-SHA (tlsv1)
  NULL-SHA (tlsv1)

5515-02 output==================

5515-2# sh run all ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default custom "DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:AES256-SHA"
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl dh-group group24
ssl ecdh-group group21
ssl trust-point SSLC2 Outside
ssl certificate-authentication fca-timeout 2

5515-2# sh ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater
SSL DH Group: group24 (2048-bit modulus, 256-bit prime order subgroup, FIPS)
SSL ECDH Group: group21 (521-bit EC)

SSL trust-points:
  Self-signed (RSA 2048 bits RSA-SHA256) certificate available
  Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
  Interface Outside: SSLC2 (RSA 2048 bits RSA-SHA256)
Certificate authentication is not enabled

5515-2# show ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
  ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
  ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
  DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
  AES256-GCM-SHA384 (tlsv1.2)
  ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)
  ECDHE-RSA-AES256-SHA384 (tlsv1.2)
  DHE-RSA-AES256-SHA256 (tlsv1.2)
  AES256-SHA256 (tlsv1.2)
  ECDHE-ECDSA-AES128-GCM-SHA256 (tlsv1.2)
  ECDHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
  DHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
  AES128-GCM-SHA256 (tlsv1.2)
  ECDHE-ECDSA-AES128-SHA256 (tlsv1.2)
  ECDHE-RSA-AES128-SHA256 (tlsv1.2)
  DHE-RSA-AES128-SHA256 (tlsv1.2)
  AES128-SHA256 (tlsv1.2)
  DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  RC4-SHA (tlsv1)
  RC4-MD5 (tlsv1)
  DES-CBC-SHA (tlsv1)
  NULL-SHA (tlsv1)


Thanks,

James
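The two `show ssl ciphers all` listings above are the kind of thing a practitioner would diff mechanically rather than by eye, and would use to validate any custom cipher string before pushing it to a box. The Python script below is an added example, not code from the thread or from Cisco. The two inventories are transcribed from the outputs James posted (5515-02's is built as its 12 extra suites followed by the 13 it shares with 5515-01, so line order differs from the device but the set is the same); the parser, the weak-cipher markers and the trial ECDHE custom list are this example's own assumptions, not ASA behaviour.

```python
"""Diff two ASAs' `show ssl ciphers all` inventories and sanity-check a custom cipher list.

Added example, not from the thread. Inventories are transcribed from the thread;
the parser, the weak-cipher heuristic and the trial custom list are assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

# Constructed input: the cipher lines exactly as 5515-01 printed them in the thread
ASA_01_OUTPUT = """
  DHE-RSA-AES256-SHA256 (tlsv1.2)
  AES256-SHA256 (tlsv1.2)
  DHE-RSA-AES128-SHA256 (tlsv1.2)
  AES128-SHA256 (tlsv1.2)
  DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
  RC4-SHA (tlsv1)
  RC4-MD5 (tlsv1)
  DES-CBC-SHA (tlsv1)
  NULL-SHA (tlsv1)
"""

# Constructed input: the 12 suites only 5515-02 printed, plus the 13 shared with 5515-01
# (order differs from the device output; the set of names is identical)
ASA_02_OUTPUT = """
  ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
  ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
  DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
  AES256-GCM-SHA384 (tlsv1.2)
  ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)
  ECDHE-RSA-AES256-SHA384 (tlsv1.2)
  ECDHE-ECDSA-AES128-GCM-SHA256 (tlsv1.2)
  ECDHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
  DHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
  AES128-GCM-SHA256 (tlsv1.2)
  ECDHE-ECDSA-AES128-SHA256 (tlsv1.2)
  ECDHE-RSA-AES128-SHA256 (tlsv1.2)
""" + ASA_01_OUTPUT

# One cipher per line: "<NAME> (<version>, <version>, ...)"
CIPHER_RE = re.compile(r"^\s*([A-Z0-9-]+)\s+\(([^)]*)\)\s*$")

# Assumption of this example: substrings that mark a suite we never want in a custom list
# ("DES-CBC" also catches DES-CBC3-SHA, i.e. 3DES, deliberately)
WEAK_MARKERS = ("RC4", "DES-CBC", "NULL", "MD5")


def parse_ciphers(text: str) -> Dict[str, Set[str]]:
    """Map each cipher name to the set of protocol versions the device lists it for."""
    inventory: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        match = CIPHER_RE.match(line)
        if match:
            inventory[match.group(1)] = {v.strip() for v in match.group(2).split(",")}
    return inventory


def ciphers_for(inventory: Dict[str, Set[str]], version: str) -> Set[str]:
    """Names the device lists for one protocol version, e.g. 'tlsv1.2'."""
    return {name for name, versions in inventory.items() if version in versions}


def diff_inventories(a: Dict[str, Set[str]], b: Dict[str, Set[str]]) -> Tuple[Set[str], Set[str]]:
    """(names only in a, names only in b): empty on both sides means identical inventories."""
    return set(a) - set(b), set(b) - set(a)


def has_forward_secrecy(name: str) -> bool:
    """ECDHE-/DHE- suites derive per-session keys; plain static-RSA suites do not."""
    return name.startswith(("ECDHE-", "DHE-"))


def weak_ciphers(inventory: Dict[str, Set[str]]) -> Set[str]:
    """Listed names matching any WEAK_MARKERS; listed is not the same as enabled."""
    return {name for name in inventory if any(m in name for m in WEAK_MARKERS)}


def unknown_in_custom(custom: str, inventory: Dict[str, Set[str]]) -> List[str]:
    """Names in a colon-separated custom cipher string that this device does not list."""
    return [name for name in custom.split(":") if name not in inventory]


def report(device: str, inventory: Dict[str, Set[str]]) -> dict:
    tls12 = ciphers_for(inventory, "tlsv1.2")
    return {
        "device": device,
        "total_listed": len(inventory),
        "ecdhe_tlsv1.2": sorted(n for n in tls12 if n.startswith("ECDHE-")),
        "no_forward_secrecy_tlsv1.2": sorted(n for n in tls12 if not has_forward_secrecy(n)),
        "weak_names_listed": sorted(weak_ciphers(inventory)),
    }


if __name__ == "__main__":
    inv01, inv02 = parse_ciphers(ASA_01_OUTPUT), parse_ciphers(ASA_02_OUTPUT)
    only01, only02 = diff_inventories(inv01, inv02)
    print("only on 5515-01:", sorted(only01))
    print("only on 5515-02:", sorted(only02))
    for device, inv in (("5515-01", inv01), ("5515-02", inv02)):
        print(report(device, inv))
    # Hypothetical ECDHE-first custom list, checked against each box before anyone types it in
    trial = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA256"
    print("5515-01 would not know:", unknown_in_custom(trial, inv01))
    print("5515-02 would not know:", unknown_in_custom(trial, inv02))
```

Running it shows the 12 ECDHE and GCM suites as the entire difference, that every suite 5515-01 lists for tlsv1.2 is either DHE-RSA or static RSA, and that the trial ECDHE list would name suites 5515-01 does not know. Two caveats the outputs themselves imply: `show ssl ciphers all` lists names usable in a custom list, not what a given version is configured to negotiate (that is set by the `ssl cipher <version>` lines, which are `medium` on both boxes here), and the RC4, DES and NULL names appear only under tlsv1, which both devices already refuse with `ssl server-version tlsv1.2`. Confirm what a peer can actually negotiate from outside, for example with `openssl s_client -connect <outside-ip>:443 -cipher <name>`, rather than from the listing alone.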
