12-21-2015 09:11 AM - edited 03-12-2019 12:03 AM
Hello,
I have an ASA 5525. I want to update the SSL cipher suite in that box to ECDHE-ECDSA-AES128-GCM-SHA256.
I am running the code asa904-37-smp-k8.bin in the box.
Can you please help me with how to update the cipher?
CF
12-21-2015 09:36 AM
You need to have the TLSv1.2 support which was added in ASA software version 9.3(2).
You can check the available cipher types on your ASA with:
show ssl ciphers all
Once you have the right software level, you can specify the ciphers that are accepted with the "ssl cipher" configuration command as described in the command reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/S/cmdref3/s16.html#pgfId-1724385
03-24-2021 05:37 AM
hi marvin,
hope you're well and staying safe!
just a question regarding ASA ciphers. our cyber team requires running TLSv1.2 and therefore disabling TLSv1 and TLSv1.1.
we run RA VPN. is this just a straight forward change? i.e. enable 'ssl cipher tlsv1.2'?
will this have any effect on other ASA cert (SSH, self sign cert/ASDM, etc)?
will this 'drop' RA VPN connections?
ciscoasa# show ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
AES256-GCM-SHA384 (tlsv1.2)
ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-SHA384 (tlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2)
AES256-SHA256 (tlsv1.2)
ECDHE-ECDSA-AES128-GCM-SHA256 (tlsv1.2)
ECDHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
DHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
AES128-GCM-SHA256 (tlsv1.2)
ECDHE-ECDSA-AES128-SHA256 (tlsv1.2)
ECDHE-RSA-AES128-SHA256 (tlsv1.2)
DHE-RSA-AES128-SHA256 (tlsv1.2)
AES128-SHA256 (tlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
RC4-SHA (tlsv1)
RC4-MD5 (tlsv1)
DES-CBC-SHA (tlsv1)
NULL-SHA (tlsv1)
ciscoasa# show ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater
Start connections using TLSv1 and negotiate to TLSv1 or greater
SSL DH Group: group2 (1024-bit modulus)
SSL ECDH Group: group19 (256-bit EC)
SSL trust-points:
Self-signed (RSA 2048 bits RSA-SHA256) certificate available
Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
Certificate authentication is not enabled
ciscoasa# conf t
ciscoasa(config)# ssl ?
configure mode commands/options:
certificate-authentication Enable client certificate authentication
cipher This is the ciphers to be used with SSL.
client-version The SSL/TLS protocol version to use when acting
as a client
dh-group This is the DH group to be used used with SSL.
ecdh-group This is the ECDH group to be used used with SSL.
encryption This is the encryption method(s) used with ssl.
The ordering of the algorithms specifies the
preference. DEPRECATED, use 'ssl cipher' instead.
server-version The minimum SSL/TLS protocol version to use when
acting as a server
trust-point Configure the ssl certificate trustpoint
ciscoasa(config)# ssl cipher ?
configure mode commands/options:
default Specify the set of ciphers for outbound connections
dtlsv1 Specify the ciphers for DTLSv1 inbound connections
tlsv1 Specify the ciphers for TLSv1 inbound connections
tlsv1.1 Specify the ciphers for TLSv1.1 inbound connections
tlsv1.2 Specify the ciphers for TLSv1.2 inbound connections
ciscoasa(config)# ssl cipher tlsv1.2
03-25-2021 03:53 AM
Johnlloyd,
Your clients should already be negotiating to the strongest mutually-supported ciphersuite. You can check them with "show vpn-session-db detail anyconnect"
Other than that, it is just a matter of removing the tls1 and tls1.1 support along with making sure tls1.2 support is in place.