Firepower Device Manager ERR_SSL_VERSION_OR_CIPHER_MISMATCH

Raffael
Level 1

Hello all,

I am running Firepower Threat Defense 6.2.3.7 on an ASA 5506-X at home and I have recently been getting these error messages when trying to connect via Chrome to the Device Manager (ERR_SSL_VERSION_OR_CIPHER_MISMATCH).

I already checked via show ssl-protocol and show crypto ssl ciphers that the ciphers available are fine. There should be several overlapping ciphers Chrome could use.

Next I connected through a virtual machine running Windows 7 to the device, which also got me the warning, but at least I could continue configuring. I then checked the certificate offered by the site, which confused me even a bit more. The page shows me a self-signed certificate from ciscoasa. My device isn't called like this, and I cannot find this certificate in any configuration. I have imported my own certificate for the FTD but cannot find an option to tell the FTD to use this certificate instead of that ciscoasa certificate.

So maybe someone can help me here with my two questions:

1. Why are there no overlapping ciphers? The base license is registered via smart licensing, but I am not sure if that is enough.

2. How can I change that certificate for Firepower Device Manager?

Thanks in advance

Regards

Raffael

 

7 Replies

Marvin Rhoads
Hall of Fame

I'm not sure why you are getting the cipher mismatch. I would check a packet capture to examine the SSL negotiation in detail.

As far as adding the external certificate, you do that in the RA VPN setup wizard as shown below. Select "Create new internal certificate" (a bit misleading) and you will be given the option to upload one:

[Image: FDM add certificate for RA VPN.PNG]

For detailed instructions you can go to:

https://<your FDM address>/#/help/t_Uploading_Internal_and_Internal_CA_Certificates.html
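As a companion to the packet-capture suggestion above, here is an added diagnostic of my own (not from this thread or from Cisco) that shows what such a capture would reveal: it handshakes with the management page pinned to one TLS version at a time and reports the negotiated suite, the certificate key type that suite requires, and the certificate's subject CN. The host and port are placeholders, and the second handshake that decodes the certificate only works when the presented certificate is self-signed, as the ciscoasa one is.

```python
# Added diagnostic, not thread code: handshake one TLS version at a time.
import socket
import ssl

HOST, PORT = "fdm.example.invalid", 443  # placeholders, not from the thread
VERSIONS = {"TLSv1.2": ssl.TLSVersion.TLSv1_2, "TLSv1.3": ssl.TLSVersion.TLSv1_3}

def cert_common_name(cert):
    """Subject CN from a getpeercert()-style dict, or None if absent."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None

def cert_type_for_cipher(cipher):
    """Key type the server cert needs for an OpenSSL suite name (heuristic)."""
    if cipher.startswith("TLS_"):  # TLS 1.3 suites work with any key type
        return "any"
    return "ECDSA" if "ECDSA" in cipher else "DSA" if "DSS" in cipher else "RSA"

def probe(host, port, version):
    """Pin one TLS version with verification off (a self-signed management
    cert is expected; diagnostic only). A second handshake trusts exactly the
    cert just seen so ssl decodes its subject (works for self-signed certs)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = version
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            result = {"ok": True, "version": tls.version(),
                      "cipher": tls.cipher()[0], "subject_cn": None}
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return {"ok": False, "error": str(exc)}
    result["cert_key_needed"] = cert_type_for_cipher(result["cipher"])
    ctx.load_verify_locations(cadata=der)
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["subject_cn"] = cert_common_name(tls.getpeercert())
    except OSError:
        pass  # e.g. expired or CA-issued cert: keep the first result anyway
    return result

if __name__ == "__main__":
    for name, ver in VERSIONS.items():
        print(name, probe(HOST, PORT, ver))
```

A version that fails with "ok": False while another succeeds, or a cert_key_needed that does not match the key type of the certificate you uploaded, narrows the mismatch down before you open Wireshark.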

Hi Marvin,

thanks for your response, and happy new year :)

The problem is not to upload a certificate to FTD. I did that at objects management already, but this certificate isn't used by the Firepower Device Manager web page. It is showing me a certificate from "CN=ciscoasa" which I cannot find anywhere. Not within FTD and not in the running config.

Regards

Raffael

I think the problem is in your certificate. Even if ASA/FTD has the right ciphers enabled, they should be supported by the certificate public key.

In your chrome://flags/ try to disable TLS 1.3 and see if it works, and make sure that TLS 1.2 is enabled. Did you upgrade your Chrome recently? I heard that in new versions they stopped support for lower TLS versions by default.

TLS 1.2 is the most commonly used in the Internet and should be supported by any browser.

 

I am using Chrome Version 71.0.3578.98 (current latest release) and it negotiated TLS 1.2 fine with FDM on my ASA 5506-X (running FTD 6.2.3.4 and using the factory default self-signed certificate).

Thanks Marvin for confirmation

Hello, and happy new year to both of you,

I tried to disable TLS 1.3 with no effect. My Chrome version is 71.0.3578.98 and FTD is also up to date (maybe that is the problem). Unfortunately I didn't have time to look at that problem right when it occurred the first time, so I don't know the exact time and possible causes for it.

I think the certificate might be the problem, yes, but I still don't know how to change the Firepower Device Manager web service certificate. Any clues here?

Guess I am going to check Wireshark soon.

Regards

Raffael
