Cisco Security Manager (4.9+) with ASA 9.4 ssl_error_no_cypher_overlap
02-23-2016 02:14 AM - edited 02-21-2020 05:44 AM
Hi,
With ASA Release Interim 9.4.2.6 or ASA 9.5.2+ it is not possible for us to use certificates signed by a custom CA (with RSA encryption).
Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA512 with RSA Encryption
2016-02-23T09:30:23+01:00 fw : %ASA-7-725008: SSL client management:192.168.200.1/65490 to 192.168.200.254/443 proposes the following 65 cipher(s)
2016-02-23T09:30:23+01:00 fw : %ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
We have tried to eliminate the elliptic curve ciphers, as friends posted at
ssl server-version tlsv1.2
ssl cipher tlsv1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.2 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point INTERMEDIATECA
The certificate/trustpoint was removed and imported again, applied again, nothing works; CSM/Firefox/Chrome are unable to communicate: "cannot negotiate security level, no shared cipher".
The only way to get this to work is to do "no ssl trust-point INTERMEDIATECA", resulting in using a self-signed certificate.
Is there some defect / changed behaviour in ASA Release 9.5 that prevents SSL communication with RSA-encrypted certificates (the self-signed certificate is RSA based too)?

12-02-2016 02:32 AM
I had a similar problem. I looked at the cipher list the client listed in the logs and added some ECDHE-xxx ciphers to the ASA. It was successful:
ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1.1 custom "DHE-RSA-AES256-SHA:AES256-SHA:AES128-SHA"
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:AES256-SHA:AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"
Nov 11 2016 09:39:24: %ASA-6-725001: Starting SSL handshake with client Mgmt:10.3.3.187/62631 to 10.3.3.148/8443 for TLS session
Nov 11 2016 09:39:24: %ASA-7-725010: Device supports the following 6 cipher(s)
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[2] : ECDHE-ECDSA-AES256-SHA384
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[3] : ECDHE-RSA-AES256-SHA384
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[4] : ECDHE-ECDSA-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[5] : AES256-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[6] : AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725008: SSL client Mgmt:10.3.3.187/62631 to 10.3.3.148/8443 proposes the following 53 cipher(s)
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[1] : RC4-MD5
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[2] : RC4-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[3] : AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[6] : DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[7] : EDH-RSA-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[8] : EDH-DSS-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[9] : DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[10] : EDH-RSA-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[11] : EDH-DSS-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[12] : EXP-RC4-MD5
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[13] : EXP-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[14] : EXP-EDH-RSA-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[15] : EXP-EDH-DSS-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[16] : ECDHE-ECDSA-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[17] : ECDHE-RSA-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[18] : AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[19] : DHE-RSA-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[20] : DHE-DSS-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[21] : ECDHE-ECDSA-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[22] : ECDHE-RSA-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[23] : AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[24] : DHE-RSA-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[25] : DHE-DSS-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[26] : ECDHE-ECDSA-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[27] : ECDHE-RSA-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[28] : DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[29] : EDH-RSA-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[30] : EDH-DSS-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[31] : ADH-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[32] : ADH-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[33] : ADH-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[34] : ECDHE-ECDSA-RC4-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[35] : ECDHE-RSA-RC4-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[36] : RC4-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[37] : RC4-MD5
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[38] : ADH-RC4-MD5
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[39] : DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[40] : EDH-RSA-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[41] : EDH-DSS-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[42] : ADH-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[43] : EXP-RC4-MD5
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[44] : EXP-ADH-RC4-MD5
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[45] : EXP-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[46] : EXP-EDH-RSA-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[47] : EXP-EDH-DSS-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[48] : EXP-ADH-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[49] : NULL-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[50] : ECDHE-ECDSA-NULL-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[51] : ECDHE-RSA-NULL-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[52] : NULL-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[53] : NULL-MD5
Nov 11 2016 09:39:24: %ASA-7-725012: Device chooses cipher ECDHE-ECDSA-AES128-SHA256 for the SSL session with client Mgmt:10.3.3.187/62631 to 10.3.3.148/8443
Nov 11 2016 09:39:24: %ASA-6-725016: Device selects trust-point ASA-self-signed for client Mgmt:10.3.3.187/62631 to 10.3.3.148/8443
Nov 11 2016 09:39:24: %ASA-6-725002: Device completed SSL handshake with client Mgmt:10.3.3.187/62631 to 10.3.3.148/8443 for TLSv1.2 session
But in this case we used an EC self-signed certificate. For your RSA certificate, you probably need to add ECDHE-RSA-AES128-SHA256 or similar.
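As an added illustration, not code from this thread or from Cisco, of why the reply's fix works and why the first post fails with "no shared cipher": the ASA needs a suite that is in its own configured list, in the client's proposed list, and that its trust-point key type (RSA or EC) can actually serve. The script parses the %ASA-7-725010/725008/725011 lines in the format quoted above; the sample log, the server-preference selection order and the key-type rules are my assumptions.

```python
import re

# Constructed sample in the %ASA-7-725010/725008/725011 format quoted in this thread
# (not a real capture): the device offers three suites, the client proposes three.
SAMPLE_LOG = """\
%ASA-7-725010: Device supports the following 3 cipher(s)
%ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
%ASA-7-725011: Cipher[2] : ECDHE-RSA-AES256-SHA384
%ASA-7-725011: Cipher[3] : AES128-SHA
%ASA-7-725008: SSL client Mgmt:10.0.0.1/50000 to 10.0.0.2/443 proposes the following 3 cipher(s)
%ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
%ASA-7-725011: Cipher[2] : ECDHE-RSA-AES256-SHA384
%ASA-7-725011: Cipher[3] : DES-CBC3-SHA
"""

CIPHER_RE = re.compile(r"%ASA-7-725011: Cipher\[\d+\] : (\S+)")

def parse_cipher_lists(log):
    """725011 lines after a 725010 header are the ASA's suites, after a 725008 the client's."""
    lists = {"device": [], "client": []}
    current = None
    for line in log.splitlines():
        if "%ASA-7-725010" in line:
            current = "device"
        elif "%ASA-7-725008" in line:
            current = "client"
        elif current is not None:
            m = CIPHER_RE.search(line)
            if m:
                lists[current].append(m.group(1))
    return lists

def usable_with_cert(cipher, key_type):
    """*-ECDSA-* suites need an EC trust-point; ECDHE-RSA, DHE/EDH-RSA and RSA key-exchange
    suites (AES128-SHA etc.) need an RSA one. ADH, NULL and DSS suites are not served."""
    if "ADH-" in cipher or "NULL" in cipher or "DSS" in cipher:
        return False
    if "ECDSA" in cipher:
        return key_type == "EC"
    return key_type == "RSA"

def negotiated_cipher(log, key_type):
    """Server-preference pick (assumed; consistent with the 725012 line in the reply): the
    first device suite the client also offers and the cert can serve; None = no shared cipher."""
    lists = parse_cipher_lists(log)
    offered = set(lists["client"])
    for cipher in lists["device"]:
        if cipher in offered and usable_with_cert(cipher, key_type):
            return cipher
    return None
```

Run it against a `debug`-level syslog capture from the ASA and compare the result with the %ASA-7-725012 line; a None result for your trust-point's key type is the "no shared cipher" condition, and swapping in the matching ECDHE-RSA or ECDHE-ECDSA suites is what changes it.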
