SSLLabs indicates CBC ciphers in use while not configured on ASA

david9young
Level 1

Running 9.9(2)52 with FIPS enabled. TLS is set to 1.2 (DH group 24 and ECDH group 20) with a subset of the Cisco "high" ciphers configured. SSLLabs and other tools still indicate the following CBC ciphers are enabled:

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp384r1 (eq. 7680 bits RSA) FS WEAK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS WEAK
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK
#show ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater
SSL DH Group: group24 (2048-bit modulus, 256-bit prime order subgroup, FIPS)
SSL ECDH Group: group20 (384-bit EC)

SSL trust-points:
Self-signed (RSA 2048 bits RSA-SHA256) certificate available
Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
Interface vpn-outside: GoDaddy-PortalOTN-Exp2021 (RSA 2048 bits RSA-SHA256)
Interface vpn-inside: ASDM_Launcher_Access_TrustPoint_0 (RSA 2048 bits RSA-SHA256)
VPNLB interface vpn-inside: ASDM_Launcher_Access_TrustPoint_0 (RSA 2048 bits RSA-SHA256)
Certificate authentication is not enabled
# show ssl ciphers
Current cipher configuration:
default (custom): ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:AES256-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
tlsv1 (fips):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.1 (fips):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.2 (custom): ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:AES256-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
dtlsv1 (fips):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
What more needs to be done to disable these weak ciphers?

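The configured list in the post already contains the suites SSLLabs flagged, just under their OpenSSL-style names: an OpenSSL name with no "GCM" in it is an AES-CBC suite, so ECDHE-RSA-AES256-SHA384 is TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028), DHE-RSA-AES256-SHA256 is TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) and AES256-SHA256 is TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d). The Python script below is an added example, not code from the post or from Cisco: it parses the `show ssl ciphers` output quoted above (embedded as sample input), maps each OpenSSL name to its IANA name and code point with a lookup table constructed for the suites on this page only, lists the CBC suites per TLS version, and prints the remaining AEAD-only cipher string.

```python
import re
from typing import Dict, List

# Constructed lookup table, OpenSSL name -> (IANA name, code point), covering only the
# suites that appear in the post (values from the IANA TLS Cipher Suite registry).
OPENSSL_TO_IANA = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": ("TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", 0xC02C),
    "ECDHE-RSA-AES256-GCM-SHA384":   ("TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384", 0xC030),
    "DHE-RSA-AES256-GCM-SHA384":     ("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", 0x009F),
    "ECDHE-ECDSA-AES256-SHA384":     ("TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384", 0xC024),
    "ECDHE-RSA-AES256-SHA384":       ("TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", 0xC028),
    "DHE-RSA-AES256-SHA256":         ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", 0x006B),
    "AES256-SHA256":                 ("TLS_RSA_WITH_AES_256_CBC_SHA256", 0x003D),
    "DHE-RSA-AES256-SHA":            ("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", 0x0039),
    "AES256-SHA":                    ("TLS_RSA_WITH_AES_256_CBC_SHA", 0x0035),
    "DHE-RSA-AES128-SHA":            ("TLS_DHE_RSA_WITH_AES_128_CBC_SHA", 0x0033),
    "AES128-SHA":                    ("TLS_RSA_WITH_AES_128_CBC_SHA", 0x002F),
}

# Sample input taken from the post's "show ssl ciphers" output (tlsv1 and dtlsv1 sections
# omitted; they repeat the tlsv1.1 list).
SHOW_SSL_CIPHERS = """\
Current cipher configuration:
default (custom): ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:AES256-SHA256
tlsv1.1 (fips):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.2 (custom): ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:AES256-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
"""

# Section header such as "tlsv1.2 (custom): A:B:C" or "tlsv1.1 (fips):"
SECTION_RE = re.compile(r"^(?P<version>[\w.]+) \((?P<mode>\w+)\):\s*(?P<list>.*)$")
# A single OpenSSL-style suite name on its own line
CIPHER_RE = re.compile(r"^[A-Z0-9]+(?:-[A-Z0-9]+)+$")


def parse_show_ssl_ciphers(text: str) -> Dict[str, List[str]]:
    """Return {version: [OpenSSL suite names]} from ASA 'show ssl ciphers' output.

    The ASA prints the configured colon-separated string on the header line and then
    repeats each suite on its own line; both forms are read and duplicates dropped.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = SECTION_RE.match(line)
        if header:
            current = header.group("version")
            sections.setdefault(current, [])
            for name in header.group("list").split(":"):
                if name and name not in sections[current]:
                    sections[current].append(name)
        elif current and CIPHER_RE.match(line) and line not in sections[current]:
            sections[current].append(line)
    return sections


def classify(openssl_name: str) -> Dict[str, object]:
    """Describe one suite: IANA name, code point, CBC vs AEAD, forward secrecy, auth algorithm."""
    iana, code = OPENSSL_TO_IANA[openssl_name]  # KeyError for a suite outside the table above
    return {
        "openssl": openssl_name,
        "iana": iana,
        "id": f"0x{code:x}",                      # same format SSLLabs prints, e.g. 0xc028
        "cbc": "_CBC_" in iana,
        "forward_secrecy": iana.startswith(("TLS_ECDHE_", "TLS_DHE_")),
        "auth": "ECDSA" if "ECDSA" in iana else "RSA",
    }


def cbc_suites(sections: Dict[str, List[str]], version: str) -> List[Dict[str, object]]:
    """The CBC suites configured for one TLS version, in configured order."""
    return [classify(n) for n in sections.get(version, []) if classify(n)["cbc"]]


def aead_only_cipher_string(sections: Dict[str, List[str]], version: str) -> str:
    """The configured string for a version with every CBC suite removed."""
    return ":".join(n for n in sections.get(version, []) if not classify(n)["cbc"])


if __name__ == "__main__":
    secs = parse_show_ssl_ciphers(SHOW_SSL_CIPHERS)
    for s in cbc_suites(secs, "tlsv1.2"):
        print(f'{s["iana"]} ({s["id"]}) CBC, FS={s["forward_secrecy"]}, auth={s["auth"]}')
    print("AEAD-only tlsv1.2 string:", aead_only_cipher_string(secs, "tlsv1.2"))
```

The three RSA-authenticated CBC suites the script reports are exactly the three SSLLabs listed; the fourth configured CBC suite (ECDHE-ECDSA) is also present but cannot be offered on vpn-outside because that interface carries an RSA certificate, so the scanner never sees it. Replacing the tlsv1.2 (and default) custom string with the AEAD-only output, then re-running `show ssl ciphers` and the external scan, is the check that closes the loop; the ASA form is the `ssl cipher tlsv1.2 custom "..."` command, and the exact syntax should be confirmed against the command reference for the 9.9 release in use.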