ASA Cut Through Proxy TLS Ciphers

Rob Pettigrew
Level 1

Cisco seems to have neglected their cut through proxy feature. I am running ASA 9.8.2-28. The cipher suites used on CTP do not match up with the ones I configured in ASA for everything else. SSL Labs gives me a failure on the URL we have configured for CTP for the following reason: "This server is vulnerable to the Return Of Bleichenbacher's Oracle Threat (ROBOT) vulnerability. Grade set to F."

 

These are the advertised cipher suites from my ASA/AnyConnect:

TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS256

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS256

TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)   ECDH secp256r1 (eq. 3072 bits RSA)   FS128

TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)   ECDH secp256r1 (eq. 3072 bits RSA)   FS128

 

These are the advertised cipher suites from CTP:

TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)   WEAK256

TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)   WEAK256

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)   WEAK128

TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)   WEAK128

TLS_RSA_WITH_AES_256_CBC_SHA (0x35)   WEAK256

TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)   WEAK128

 

I was wondering if anyone else is seeing this issue or if someone from Cisco knows more about this. 
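As an added example (not from the post or from Cisco), a small Python check that parses the two suite lists quoted above and reports which suites use static RSA key exchange, the key exchange ROBOT targets and the reason SSL Labs marks them WEAK with no forward secrecy, versus the ECDHE suites the ASA offers elsewhere. The two lists are embedded as constructed sample input copied from the post; the regex assumes IANA-style suite names.

```python
import re

# Constructed sample input: the two cipher-suite lists exactly as quoted in the post above.
ASA_SUITES = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027)",
]
CTP_SUITES = [
    "TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d)",
    "TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d)",
    "TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c)",
    "TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c)",
    "TLS_RSA_WITH_AES_256_CBC_SHA (0x35)",
    "TLS_RSA_WITH_AES_128_CBC_SHA (0x2f)",
]

# IANA-style suite name: TLS_<key exchange>_WITH_<bulk cipher>_<MAC/PRF hash>, optional hex code.
SUITE_RE = re.compile(
    r"^TLS_(?P<kx>.+?)_WITH_(?P<bulk>.+)_(?P<mac>SHA\d*|MD5)"
    r"(?:\s+\((?P<code>0x[0-9a-fA-F]+)\))?\s*$"
)

def classify(suite):
    """Split one suite name and flag its key-exchange properties."""
    m = SUITE_RE.match(suite.strip())
    if not m:
        raise ValueError(f"unrecognised cipher suite: {suite!r}")
    kx = m.group("kx")
    # ECDHE/DHE: ephemeral key share per session, so forward secrecy.
    # Plain "RSA": the client encrypts the premaster secret to the server's RSA key; this is the
    # key exchange ROBOT (a Bleichenbacher padding oracle) targets and it has no forward secrecy.
    # ECDHE_RSA uses RSA only to sign the key share, so it is not in scope.
    return {
        "suite": m.group(0).split()[0],
        "kx": kx,
        "bulk": m.group("bulk"),
        "code": m.group("code"),
        "forward_secrecy": kx.startswith(("ECDHE", "DHE")),
        "static_rsa_kx": kx == "RSA",
    }

def audit(suites):
    """Summarise an advertised list: static-RSA suites present, and whether every suite offers FS."""
    rows = [classify(s) for s in suites]
    return {
        "total": len(rows),
        "static_rsa": [r["suite"] for r in rows if r["static_rsa_kx"]],
        "all_forward_secrecy": all(r["forward_secrecy"] for r in rows),
    }
```

Running `audit(CTP_SUITES)` lists all six CTP suites as static RSA, while `audit(ASA_SUITES)` reports none; a server that only offers ECDHE suites cannot be probed by ROBOT because no RSA-encrypted premaster secret is ever sent.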
