Check the status of SSL

wfqk
Level 5

Hi, I want to confirm the status of SSL on the ASA. I used two commands to do that, but it looks like the two commands gave me two different results. The first command, show run all ssl, shows the version settings etc., but the second command, show ssl, says Certificate authentication is not enabled. Can anyone explain this for me? Thank you


COV/pri/act# sh run all ssl
ssl server-version any
ssl client-version any

ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
ssl certificate-authentication fca-timeout 2


COV/pri/act# sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled



7 Replies

Kanwaljeet Singh
Cisco Employee

Hi,

ssl server-version

To set the minimum protocol version for which the ASA will negotiate an SSL/TLS connection, use the ssl server-version command in global configuration mode. To revert to the default, any, use the no form of this command. 

ssl client-version

To specify the SSL/TLS protocol version that the ASA uses when acting as a client, use the ssl client-version command in global configuration mode. 

ssl certificate-authentication

To enable client certificate authentication for backwards compatibility for versions previous to 8.2(1), use the ssl certificate-authentication command in global configuration mode.

Once you enable client certificate authentication, you will see the result below.

N18-ASA5500-1(config)# sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Start connections using TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 dhe-aes128-sha1 dhe-aes256-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
No SSL trust-points configured
Certificate authentication:
  outside interface: port 443

SSL trustpoints are needed to bind the certificates and use them for vpn, anyconnect etc. You bind trustpoints with tunnel groups.

Regards,

Kanwal

Note: Please mark answers if they are helpful.
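As an added example (not from this thread or from Cisco), here is a small parser for the 'show ssl' outputs quoted in this thread. It reports the TLS listener state, the bound trust-point and the client-certificate flag as separate facts, so the "Certificate authentication is not enabled" line is not mistaken for the service being down, and it also flags the SSLv2/SSLv3 and RC4/3DES settings visible in these outputs, which a hardening review would want to see. The two sample texts are constructed from the outputs posted above.

```python
import re

# Constructed samples, copied from the two 'show ssl' outputs quoted in this thread.
WITHOUT_CLIENT_AUTH = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
SSL trust-points:
  outside interface: GoDaddy_TP
Certificate authentication is not enabled
"""
WITH_CLIENT_AUTH = """\
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to TLSv1
Enabled cipher order: rc4-sha1 dhe-aes128-sha1 aes128-sha1 3des-sha1
No SSL trust-points configured
Certificate authentication:
  outside interface: port 443
"""
LEGACY_VERSIONS = {"SSLv2", "SSLv3"}
WEAK_CIPHER_MARKERS = ("rc4", "des", "null", "md5")   # 'des' also catches 3des


def parse_show_ssl(text: str) -> dict:
    st = {"accept_versions": [], "enabled_ciphers": [], "trust_points": {}, "client_cert_auth": {}}
    section = None   # which block the next indented '<iface> interface: ...' lines belong to
    for line in text.splitlines():
        if m := re.match(r"Accept connections using (.+?) and negotiate to", line):
            st["accept_versions"] = re.split(r",\s*|\s+or\s+", m.group(1))
        elif line.startswith("Enabled cipher order:"):
            st["enabled_ciphers"] = line.split(":", 1)[1].split()
        elif line.startswith("SSL trust-points:"):
            section = "trust_points"            # '  <iface> interface: <trustpoint>' follows
        elif line.startswith("Certificate authentication:"):
            section = "client_cert_auth"        # '  <iface> interface: port <n>' follows
        elif section and (m := re.match(r"\s+(\S+) interface: (?:port )?(\S+)", line)):
            value = int(m.group(2)) if section == "client_cert_auth" else m.group(2)
            st[section][m.group(1)] = value
        else:
            section = None   # e.g. '... is not enabled', 'No SSL trust-points configured'
    return st


def assess(st: dict) -> dict:
    """Separate 'is the TLS listener configured' from 'does it demand a client certificate'."""
    return {
        "tls_listener_configured": bool(st["accept_versions"]),
        "identity_cert_bound": bool(st["trust_points"]),       # otherwise the ASA serves a self-signed cert
        "client_cert_required": bool(st["client_cert_auth"]),  # the line the question turned on
        "legacy_versions": sorted(LEGACY_VERSIONS & set(st["accept_versions"])),
        "weak_ciphers": [c for c in st["enabled_ciphers"] if any(w in c for w in WEAK_CIPHER_MARKERS)],
    }
```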

Thank you so much for your reply. Can you take a look at the below?

It shows SSL trust-points: outside interface: GoDaddy_TP, but Certificate authentication is not enabled.

Do you think the SSL is active?


--------------------------------------------

COFW/pri/act# sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1
SSL trust-points:
  outside interface: GoDaddy_TP
Certificate authentication is not enabled

COFW/pri/act# sh run ssl
ssl trust-point GoDaddy_TP outside

Hi,

That has nothing to do with SSL being enabled or not but client cert authentication as shown above.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

You mean the SSL below is inactive, right?

COFW/pri/act# sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
Disabled ciphers: des-sha1 rc4-md5 dhe-aes128-sha1 dhe-aes256-sha1 null-sha1
SSL trust-points:
  outside interface: GoDaddy_TP
Certificate authentication is not enabled


Hi,

No, it is not. Only client certificate authentication is not enabled, which is an optional step in the SSL handshake. You can enable it if you want a user connecting to the ASA via HTTPS to be required to authenticate itself. You can test this by enabling HTTPS/ASDM access on an interface. You would see that if ssl certificate-authentication is enabled and the client tries to connect without presenting a certificate, it won't be able to connect.

Regards,

Kanwal

Note: Please mark answers if they are helpful.

Thank you so much for your explanation.

Can we say it like this:

A successful connection requires several things. One is the user presenting a certificate; another is what?

So, as long as we see Certificate authentication is not enabled, we can think the SSL is inactive, right?

Hi,

I just tested it and I am able to connect when I don't have the ssl certificate-authentication interface outside port 443 command in my configuration. But if I put it in, I am unable to connect to the ASA using HTTPS. But the weird thing is I don't see the ASA requesting a client certificate in the server hello. It actually succeeds as per the pcaps.

And it doesn't mean that SSL is inactive. You can actually connect to it using HTTPS. Please enable ASDM and check it out yourself.

I will look into it more later. Gotta go on another call :)

Regards,

Kanwal

Note: Please mark answers if they are helpful.
