ASA5512 self signed certificate +PCI compliance

johnaceti
Level 1

Trying to get  PCI compliance passed with the ASA5512.

I have 4 issues, some of them related:

SSL certificate deemed insecure - Apparently they do not pass SHA-1, they have no issue with it being self-signed, only that they want something higher than SHA1 which is my only option.

Public Key too small, - SSL certificates with public keys of less than 2048 bits are more susceptible to man in the middle attacks. - Again, I cannot get 2048 or higher with self-signed.

SSL3 - This service supports SSLv3 Protocol has known cryptographic weakness and no longer meets definition of strong cryptography.

TLS1 - This service supports the use of TLSv1.0 protocol, the TLSv1.0 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. TLSv1.0 no longer meets the definition of strong cryptography. The 5512 only supports SSLv3 or TLSv1.0

So even if I go with a CA provider and get the 2048 and the SHA2, I will still have to contend with the TLS1 and SSLv3 issue. Anyone else pulling their hair out on this?

Running 9.something on the ASA code.


6 Replies

James Leinweber
Level 4

I think you have to upgrade to at least the 9.3 series firmware to get TLSv1.2 support and the rest of the current PCI crypto compliance. I'm using 3rd party certificates with 2048 bit keys on 9.2, but still only SHA1 hashes.

-- Jim Leinweber, WI State Lab of Hygiene

Ok so I am at 9.3.2(2) and got everything tweaked down to 2 issues now.

Just wondering now with the new software if it will let me do a Self Signed Cert using the higher SHA-2 or do I still have to go to an external CA?


For SHA-2 you need to use an external CA or generate a certificate with a tool like OpenSSL.

Thanks Karsten but this seems rather odd since it is an X series with the latest code. Do you or anyone else here know if they will be releasing an update soon to allow the unit to do a Self Signed certificate that is deemed "Secure"?


Really odd? For sure. But I'm pretty confident that they will implement it. The question is when it will be available ... ;-)

> SSL certificate deemed insecure - Apparently they do not pass SHA-1, they have no issue with it being self-signed, only that they want something higher than SHA1 which is my only option.

When you request a new certificate, it typically can be controlled by the enrollment-process if you get a SHA-1 or SHA256 certificate. Nowadays all CAs out there should be able to issue SHA256.

> Public Key too small, - SSL certificates with public keys of less than 2048 bits are more susceptible to man in the middle attacks. - Again, I cannot get 2048 or higher with self-signed.

Also with self-signed certificates you can use 2048 Bit, but if generated on the ASA, they will use SHA-1. Be aware that the ASA doesn't allow certificates with more than 2048 Bit for SSL-VPNs.

> SSL3 - This service supports SSLv3 Protocol has known cryptographic weakness and no longer meets definition of strong cryptography.

Can already be disabled with your ASA version. You could use the following code:

ssl server-version tlsv1-only
ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1

> TLS1 - This service supports the use of TLSv1.0 protocol, the TLSv1.0 protocol has known cryptographic weaknesses that can lead to the compromise of sensitive data within an encrypted session. TLSv1.0 no longer meets the definition of strong cryptography. The 5512 only supports SSLv3 or TLSv1.0

As already mentioned, you need to upgrade to 9.3 to get support for TLS 1.2.

With ASA v9.3+ you can use the following config:

ssl cipher default custom "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA"
ssl cipher tlsv1 custom "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA"
ssl cipher dtlsv1 custom "DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA"
ssl dh-group group14

Because of some other shortcomings of the ASA, you don't get an "A+" in ssllabs.com ratings, but my ASAs (at least the ones capable of running v9.3) all have an "A-".
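The OpenSSL route mentioned earlier in the thread (generating the certificate off-box because the ASA only self-signs with SHA-1), as an added example that is not from any of the posters: it builds a 2048-bit RSA key and SHA-256 self-signed certificate, checks both against the two certificate findings from the PCI scan, and packages them as PKCS#12 for import with `crypto ca import`. It assumes the openssl CLI is installed; the common name, trustpoint and passphrase are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): build a 2048-bit RSA certificate signed
# with SHA-256 outside the ASA, since the ASA's own self-signed certs use SHA-1.
# Assumes the openssl CLI is installed; host name and passphrase are placeholders.
set -eu

# Generate key + self-signed cert: $1 = output directory, $2 = common name.
gen_cert() {
  openssl req -x509 -newkey rsa:2048 -sha256 -nodes -days 825 \
    -subj "/CN=$2" -keyout "$1/asa.key" -out "$1/asa.crt" 2>/dev/null
}

# Signature hash actually used on the certificate (the scanner's SHA-1 finding).
sig_alg() {
  openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}

# RSA modulus size in bits (the scanner's "public key too small" finding).
key_bits() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Pass/fail against both certificate findings: SHA-2 signature and >= 2048-bit key.
cert_meets_scan() {
  case "$(sig_alg "$1")" in sha256*|sha384*|sha512*) ;; *) return 1 ;; esac
  [ "$(key_bits "$1")" -ge 2048 ]
}

# Bundle key and cert as PKCS#12 and base64-encode it for pasting into
# "crypto ca import <trustpoint> pkcs12 <passphrase>" on the ASA.
pkcs12_for_asa() {
  openssl pkcs12 -export -inkey "$1/asa.key" -in "$1/asa.crt" \
    -out "$1/asa.p12" -passout "pass:$2"
  openssl base64 -in "$1/asa.p12" -out "$1/asa.p12.b64"
}

workdir=$(mktemp -d)
gen_cert "$workdir" "asa.example.invalid"
echo "signature: $(sig_alg "$workdir/asa.crt")   key: $(key_bits "$workdir/asa.crt") bit"
if cert_meets_scan "$workdir/asa.crt"; then
  pkcs12_for_asa "$workdir" "ChangeMe-Placeholder"
  echo "PKCS#12 (base64) ready for import: $workdir/asa.p12.b64"
else
  echo "certificate would still fail the scan" >&2
fi
```

After importing and assigning the trustpoint to the interface, `show crypto ca certificates` on the ASA should list the SHA-256 signature, and a rescan then only leaves the protocol findings that the `ssl` configuration above addresses.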
