MD5 signed Certificates not able to connect to ASA 9.8(2)28 !

bern81
Level 1

Hello,

We have machine certificates with signature algorithm MD5RSA and SignatureHashAlgorithm MD5, with a 1024-bit RSA public key, on our employees' PCs.

Those machines are able to connect over RA AnyConnect SSL VPN to our ASA 9.1(7)16 using the AAA + Certificate authentication method.

The certificate has an Extended Key Usage = Client Authentication.

However, when trying to connect to our new ASA 9.8(2)28, we get a "certificate validation failure" message in AnyConnect.

After running debug, we see the following message:

"No certificates received during the handshake with client Public:w.x.y.z/52494 to w.x.y.z/443 for DTLSv1 session".

We have enabled "certificate store override" in the XML profile, but still the same issue!

Can someone advise whether MD5-signed certificates are still allowed on ASA 9.8 or not?

Many thanks in advance

3 Replies

venkat_n7
Level 1

Hi,

As far as I know, MD5 is no longer a secure hashing algorithm and is not recommended. It looks like you have to use SHA.

Hope this helps you.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/vpn/asa-98-vpn-config/vpn-params.html#ID-2443-000004b5

Please rate comments and support.
With regards,
Venkat

Dennis Mink
VIP Alumni

I advise you to steer away from MD5 altogether. It is useful for integrity checks but not in a security context.

Please remember to rate useful posts, by clicking on the stars below.

Hello Dennis and Venkat,

Many thanks for your reply.

I know that MD5 is no longer a secure hash, but I have the ugly fact that all employees' laptops (thousands) now have these MD5-signed certificates, and I am trying to find a temporary workaround until we roll out new certificates that are SHA256-signed.

The question I would like answered is whether MD5-signed certificates are still supported on new versions like ASA 9.8 or not.

Venkat sent me the list of SSL ciphers supported in 9.8.

What I am trying to figure out is whether the SSL cipher suites are related to the signature algorithm of the digital certificate, or just to what the client's PC can support?

Please advise
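Added example, not from this thread and not Cisco tooling: a stand-alone Python inventory script that reads a DER-encoded certificate, reports its signature algorithm, RSA modulus size and Extended Key Usage, and flags exactly the combination described above (MD5RSA signature, 1024-bit RSA key) so that the affected laptops can be found before re-enrolment. It walks the DER by hand instead of depending on a third-party library, and the sample certificates it checks are constructed inside the block with filler signature bytes (no real CA, no real signature). On the cipher-suite question: a TLS cipher suite selects the key exchange, bulk cipher and MAC for the session, while the signature algorithm on a certificate is checked separately when the peer validates the certificate chain, so a list of supported cipher suites says nothing about whether a given certificate signature hash will be accepted.

```python
SIG_OIDS = {                                    # RFC 3279 / RFC 4055 signature algorithm OIDs
    "1.2.840.113549.1.1.4": ("md5WithRSAEncryption", "MD5"),
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA256"),
}
RSA_OID = "1.2.840.113549.1.1.1"
EKU_OID = "2.5.29.37"
CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2"

def read_tlv(buf, pos):                         # one DER tag-length-value at pos -> (tag, value, next pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                           # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):                          # (tag, value) members of a SEQUENCE/SET body
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        out.append((tag, value))
    return out

def decode_oid(value):
    parts, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:                         # base-128 digits, high bit set = more to come
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts, acc = parts + [str(acc)], 0
    return ".".join(parts)

def inspect_cert(der):
    """Signature algorithm, RSA modulus size and EKU OIDs of one DER-encoded certificate."""
    _, cert, _ = read_tlv(der, 0)
    tbs, sig_alg, _signature = children(cert)
    sig_oid = decode_oid(children(sig_alg[1])[0][1])
    fields = children(tbs[1])
    if fields[0][0] == 0xA0:                    # drop the EXPLICIT [0] version wrapper
        fields = fields[1:]
    spki = fields[5][1]                         # serial, sigalg, issuer, validity, subject, SPKI
    key_alg, key_bits = children(spki)
    key_oid, key_size = decode_oid(children(key_alg[1])[0][1]), None
    if key_oid == RSA_OID:                      # BIT STRING: unused-bits byte, then RSAPublicKey
        _, rsa_pub, _ = read_tlv(key_bits[1][1:], 0)
        key_size = int.from_bytes(children(rsa_pub)[0][1], "big").bit_length()
    exts = [v for t, v in fields[6:] if t == 0xA3]   # [3] EXPLICIT Extensions, if present
    ekus = []
    for _, ext in (children(children(exts[0])[0][1]) if exts else []):
        parts = children(ext)                   # extnID, optional critical, extnValue OCTET STRING
        if decode_oid(parts[0][1]) == EKU_OID:
            _, eku_seq, _ = read_tlv(parts[-1][1], 0)
            ekus = [decode_oid(v) for _, v in children(eku_seq)]
    name, digest = SIG_OIDS.get(sig_oid, (sig_oid, None))
    return {"sig_name": name, "hash": digest, "key_oid": key_oid, "key_size": key_size, "ekus": ekus}

def assess(info):                               # reasons to reject as a client cert; [] means fine
    checks = [
        (info["hash"] in ("MD5", "SHA1"), f"signed with {info['hash']} (no longer an acceptable digest)"),
        ((info["key_size"] or 2048) < 2048, f"RSA modulus only {info['key_size']} bits"),
        (CLIENT_AUTH_OID not in info["ekus"], "no clientAuth Extended Key Usage"),
    ]
    return [msg for bad, msg in checks if bad]

def tlv(tag, content):                          # minimal DER encoder, only for the sample certs below
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        digits = [p & 0x7F]
        while p > 0x7F:
            p >>= 7
            digits.append(0x80 | (p & 0x7F))
        out.extend(reversed(digits))
    return tlv(0x06, bytes(out))

def encode_int(n):
    return tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def build_sample_cert(sig_oid, modulus_bits, ekus=(CLIENT_AUTH_OID,)):
    """Constructed, structurally valid certificate; signatureValue is filler, not a real signature."""
    modulus = (1 << (modulus_bits - 1)) | 1     # top bit set, so the key is exactly modulus_bits long
    rsa_pub = tlv(0x30, encode_int(modulus) + encode_int(65537))
    spki = tlv(0x30, tlv(0x30, encode_oid(RSA_OID) + b"\x05\x00") + tlv(0x03, b"\x00" + rsa_pub))
    alg = tlv(0x30, encode_oid(sig_oid) + b"\x05\x00")
    name = tlv(0x30, b"")                       # empty Name; issuer/subject are not inspected
    validity = tlv(0x30, tlv(0x17, b"200101000000Z") + tlv(0x17, b"300101000000Z"))
    tbs = tlv(0xA0, encode_int(2)) + encode_int(1) + alg + name + validity + name + spki
    if ekus:
        eku = tlv(0x30, b"".join(encode_oid(o) for o in ekus))
        tbs += tlv(0xA3, tlv(0x30, tlv(0x30, encode_oid(EKU_OID) + tlv(0x04, eku))))
    return tlv(0x30, tlv(0x30, tbs) + alg + tlv(0x03, b"\x00" * 17))

if __name__ == "__main__":
    info = inspect_cert(build_sample_cert("1.2.840.113549.1.1.4", 1024))
    print(info["sig_name"], info["key_size"], info["ekus"], assess(info))
```

For a real machine certificate exported from Windows as a DER .cer file, call inspect_cert(open(path, "rb").read()); for a PEM file, strip the BEGIN/END lines and base64-decode the body first. The parser reads only the outer structure it needs (signatureAlgorithm, SubjectPublicKeyInfo and the EKU extension) and does not verify the signature, so it is an inventory aid, not a validator.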
