Cisco ASA with 9.12-4-xx: SSL Ciphers Custom changes back to medium

Simon.W
Level 1

Cisco ASA 5512-X with 9.12-4-37 in an HA config.
I have seen this problem on ASA 5585-X with 9.12-xx-xx as well.

When I use the following commands on my ASA, they work without problems:
ssl cipher tlsv1.2 custom ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384
ssl cipher dtlsv1.2 custom ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384


I can do an audit/scan to confirm that it works.

Diffie-Hellman group to be used with SSL: Group24
ECDH group to be used with SSL: Group20

Have also tested ECDH group: Group24


The problem is after reload it goes back to:
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1.2 medium


If I just use "ssl cipher tlsv1.2 high" and "ssl cipher dtlsv1.2 high", there is no problem.
But I don't want to use the lowest ciphers in the high level.


If I do:
ASA(config)# sh ssl ciphers all
These are the ciphers for the given cipher level; not all ciphers
are supported by all versions of SSL/TLS.
These names can be used to create a custom cipher list
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-ECDSA-AES256-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-RSA-AES256-SHA384 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2, dtlsv1.2)
AES256-SHA256 (tlsv1.2, dtlsv1.2)
ECDHE-ECDSA-AES128-GCM-SHA256 (tlsv1.2, dtlsv1.2)
ECDHE-RSA-AES128-GCM-SHA256 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES128-GCM-SHA256 (tlsv1.2, dtlsv1.2)
AES128-GCM-SHA256 (tlsv1.2, dtlsv1.2)
ECDHE-ECDSA-AES128-SHA256 (tlsv1.2, dtlsv1.2)
ECDHE-RSA-AES128-SHA256 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES128-SHA256 (tlsv1.2, dtlsv1.2)
AES128-SHA256 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DES-CBC-SHA (tlsv1)

The ciphers are valid for custom value.

I get this message during reload via console:
..ERROR: Invalid version/level combination: no compatible ciphers found
ERROR: Unable to update ciphers.
*** Output from config line 1274, "ssl cipher tlsv1.2 custo..."
ERROR: Invalid version/level combination: no compatible ciphers found
ERROR: Unable to update ciphers.
*** Output from config line 1276, "ssl cipher dtlsv1.2 cust..."

Anyone who has this issue or knows what might be the problem?

I hope it's just some bad config; I don't want to open a TAC case for a simple misconfiguration.

If I have posted this at wrong place, let me know.


_Update 2021-12-05_
I have done some more testing and found that these work.

ssl cipher tlsv1.2 custom ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA256
ssl cipher dtlsv1.2 custom ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA256

——————-
ssl cipher tlsv1.2 custom ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA256
ssl cipher dtlsv1.2 custom ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA256
——————-
ssl cipher tlsv1.2 custom ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA256
ssl cipher dtlsv1.2 custom ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA256
——————-

The following doesn't work, unless I include "DHE-RSA-AES256-SHA256":

ssl cipher tlsv1.2 custom ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA384
ssl cipher dtlsv1.2 custom ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA384
——————-
ssl cipher tlsv1.2 custom ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384
ssl cipher dtlsv1.2 custom ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384
——————-
ssl cipher tlsv1.2 custom ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA384
ssl cipher dtlsv1.2 custom ECDHE-ECDSA-AES256-GCM-SHA384,ECDHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-GCM-SHA384,DHE-RSA-AES256-SHA384
——————-
Have I missed something in the whitepapers? Why does DHE-RSA-AES256-SHA256 have to be included in the custom string?

Why does it fall back to the default Medium and not High?

In most cases this is no big deal in an HA setup, unless there is a power failure or this is missed during a reboot/upgrade.
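An added example (not from the post and not Cisco's code): a small Python checker that parses the "show ssl ciphers all" table quoted above and audits the "ssl cipher" lines of a running config. It flags a custom list that has no cipher valid for its protocol version (the condition the "no compatible ciphers found" error text describes) and the post-reload fallback to "medium" reported in the post. The function names and the config excerpt are constructed here; the example does not explain why the ASA rejects the list.

```python
import re

# Constructed from the `show ssl ciphers all` output quoted in the post (abridged).
SHOW_SSL_CIPHERS_ALL = """\
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2)
DES-CBC-SHA (tlsv1)
"""
# Constructed running-config excerpt: the post-reload state described in the post.
RUNNING_CONFIG_AFTER_RELOAD = """\
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1.2 medium
"""
# ssl cipher <version> <level|custom> [comma-separated cipher list]
SSL_CIPHER_LINE = re.compile(r"^ssl cipher (\S+) (\S+)(?: (\S+))?\s*$")


def parse_cipher_table(text):
    """Map cipher name -> set of protocol versions the table lists it for."""
    table = {}
    for m in re.finditer(r"^(\S+) \(([^)]*)\)", text, re.M):
        table[m.group(1)] = {v.strip() for v in m.group(2).split(",")}
    return table


def check_ssl_cipher_config(config_text, table, expected_custom):
    """Return audit findings for every `ssl cipher` line in config_text."""
    # expected_custom: {version: "cipher1,cipher2"} the operator intended to keep.
    findings = []
    for line in config_text.splitlines():
        m = SSL_CIPHER_LINE.match(line)
        if not m:
            continue
        version, level, ciphers = m.groups()
        if level != "custom":  # reverted to a built-in level, e.g. 'medium'
            if version in expected_custom:
                findings.append(f"{version}: fell back to level '{level}'")
            continue
        names = ciphers.split(",") if ciphers else []
        unknown = [c for c in names if c not in table]
        usable = [c for c in names if version in table.get(c, set())]
        if unknown:
            findings.append(f"{version}: unknown cipher(s) {unknown}")
        if not usable:
            findings.append(f"{version}: no compatible ciphers for this version")
        elif ciphers != expected_custom.get(version, ciphers):
            findings.append(f"{version}: custom list differs from intended one")
    return findings
```

Run it against the running config captured after a reload (or from the standby unit) to catch the silent fallback before a scan does.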
