
Sweet32 _CVE-2016-2183 (Sweet32)_ASA 5525X_SSL Configuration

NDP
Level 1

There is a vulnerability reported, CVE-2016-2183 (Sweet32). DES should be removed as per bug CSCvb24585.

Current config on ASA 5525X:
-----------------------------
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"

Resolution as per bug search (configure ciphers without DES and config as below):
------------------------
ssl server-version tlsv1.1
ssl client-version tlsv1.1
ssl cipher default fips
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 fips
ssl cipher dtlsv1 fips

I would like to delete the existing 3 lines as stated above and add the statements specified under resolution. I would like to check if that will cause any problems. This 5525X is providing AnyConnect VPN to users.

Could someone advise?
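
Added example, not part of the original post and not Cisco tooling: a small Python audit that scans saved "ssl cipher" lines such as the ones quoted above and flags custom lists that still contain DES/3DES suites, which is the Sweet32 exposure. The sample config is constructed from the lines in the post, the function names are hypothetical, and keyword levels such as fips are reported for manual review because the ASA expands them itself.

```python
import re

# Constructed sample: the three existing lines quoted in the post plus two of
# the proposed replacement lines, as they would appear in a saved config.
SAMPLE_CONFIG = '''\
ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 fips
'''

# ssl cipher <version> custom "<colon-separated list>"  or
# ssl cipher <version> <level keyword>
SSL_CIPHER_RE = re.compile(
    r'^\s*ssl cipher (?P<version>\S+) '
    r'(?:custom "(?P<custom>[^"]*)"|(?P<level>\S+))\s*$'
)

def uses_des(suite_name):
    """True when a suite name has a DES or 3DES component (64-bit block)."""
    return bool({"DES", "3DES"} & set(re.split(r"[-_]", suite_name.upper())))

def audit(config_text):
    """Return one finding per 'ssl cipher' line found in config_text."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = SSL_CIPHER_RE.match(line)
        if not m:
            continue  # not an 'ssl cipher' statement
        if m.group("custom") is not None:
            suites = [s for s in m.group("custom").split(":") if s]
            bad = [s for s in suites if uses_des(s)]
            status = "sweet32" if bad else "ok"
        else:
            # Keyword level: contents depend on the ASA release, so the
            # offline audit only marks the line for manual review.
            bad, status = [], "review-level:" + m.group("level")
        findings.append({"line": lineno, "version": m.group("version"),
                         "status": status, "ciphers": bad})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```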

1 Accepted Solution


Marvin Rhoads
Hall of Fame

Making the change you mentioned shouldn't cause problems for your clients - unless you possibly have a really old AnyConnect 3.x version that they are using.

So check first that your ASA is deploying AnyConnect 4.x (the latest 4.8 is recommended) and you should be fine.


Thank you Marvin :-) 
