12-10-2017 07:37 PM - edited 02-21-2020 06:56 AM
Hi,
Based on the result of a penetration test I have to disable weak ciphers on a Cisco ASA 5516.
SSL weak cipher
Recommended to disable: TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA
May I know the command to disable them and the impact of disabling the SSL ciphers above?
12-10-2017 08:21 PM
12-10-2017 10:23 PM
I use the following commands (along the lines of what's explained in the link provided by Francesco):
ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
Note that if you use ASDM your Java will need to have the JCE strong crypto libraries to be able to connect to the ASA following implementation of that hardening configuration.
That's about the only impact unless you have clients with VERY old browsers trying to use your SSL VPN portal on the ASA. Any relatively modern browser (i.e. from the last 3-4 years onward) should connect with no issue.
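The following is an added example, not part of the thread or of Cisco's own tooling: an offline check that maps the IANA suite names from the pentest report to the OpenSSL-style names the ASA uses in its `ssl cipher ... custom "..."` strings, then audits a saved configuration and flags any custom list that still contains a weak suite. Lines that use a predefined level (such as `medium`) are reported as not inspected, because the level is expanded by the ASA itself; `show ssl ciphers` on the device lists what a level contains. The sample configurations are constructed for the example (the "after" block is the answer's three commands); the assumption that the custom string may be separated by `:` as well as `;` is mine.

```python
"""Offline audit of Cisco ASA `ssl cipher` lines for weak suites.

Added example, not code from the original post. Sample configs below are
constructed; the "after" block reuses the three commands from the answer.
"""
import re
from typing import Dict, List, Optional, Tuple

# IANA names as reported by the scanner -> names used inside the ASA
# `ssl cipher <version> custom "..."` string.
IANA_TO_ASA: Dict[str, str] = {
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA": "DES-CBC3-SHA",
    "TLS_RSA_WITH_RC4_128_MD5": "RC4-MD5",
    "TLS_RSA_WITH_RC4_128_SHA": "RC4-SHA",
}

# Name fragments that mark a suite as weak regardless of the key exchange
# (catches e.g. ECDHE-RSA-DES-CBC3-SHA as well as plain DES-CBC3-SHA).
WEAK_MARKERS: Tuple[str, ...] = ("DES-CBC3", "RC4", "MD5")

# Matches both forms:
#   ssl cipher tlsv1.2 custom "A;B;C"      (custom list, group 2)
#   ssl cipher dtlsv1 medium               (predefined level, group 3)
_LINE = re.compile(r'^\s*ssl cipher\s+(\S+)\s+(?:custom\s+"([^"]*)"|(\S+))\s*$')


def is_weak(cipher: str) -> bool:
    """True if an ASA/OpenSSL cipher name contains a weak primitive."""
    upper = cipher.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def parse_ssl_cipher_lines(config: str) -> List[Tuple[str, Optional[str], List[str]]]:
    """Return (version, level, ciphers) for every `ssl cipher` line.

    `level` is None for custom lines; `ciphers` is empty for level lines.
    The custom string is split on ';' (as in the post) and ':' (assumed to be
    accepted as well, OpenSSL style).
    """
    parsed = []
    for line in config.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        version, custom, level = m.groups()
        ciphers = [c for c in re.split(r"[;:]", custom) if c] if custom is not None else []
        parsed.append((version, level, ciphers))
    return parsed


def audit(config: str) -> Dict[str, List[Tuple[str, str]]]:
    """Flag weak suites in custom lists and predefined levels that were not inspected."""
    findings: Dict[str, List[Tuple[str, str]]] = {"weak": [], "uninspected": []}
    for version, level, ciphers in parse_ssl_cipher_lines(config):
        if level is not None:
            # The ASA expands predefined levels itself; confirm their contents
            # on the device with `show ssl ciphers <level>`.
            findings["uninspected"].append((version, level))
            continue
        for cipher in ciphers:
            if is_weak(cipher):
                findings["weak"].append((version, cipher))
    return findings


# Constructed sample: a configuration that still offers the three flagged suites
# on the default list and leaves DTLS on a predefined level.
BEFORE_HARDENING = '''
ssl cipher default custom "AES256-SHA;DES-CBC3-SHA;RC4-SHA;RC4-MD5"
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-SHA384;AES128-SHA256"
ssl cipher dtlsv1 medium
'''

# The three commands from the answer above.
AFTER_HARDENING = '''
ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
'''

if __name__ == "__main__":
    for label, cfg in (("before", BEFORE_HARDENING), ("after", AFTER_HARDENING)):
        print(label, audit(cfg))
```

Run it against `show running-config ssl` output saved to a file. After the change, an external re-check is still worth doing: an `openssl s_client -connect <asa>:443 -cipher RC4-SHA` handshake should fail, provided the client's OpenSSL build still offers that suite (recent builds often omit RC4 entirely, in which case the scanner that produced the finding is the better re-test).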