TLS 1.0 suites in server-preferred order - ssl encryption

uzair1980
Level 1

Hi,

ASA Software Version 9.1(7)23

Cisco ASA 5520

We ran a test for our VPN firewall on the Qualys website and it showed some weak configuration points, i.e. TLS 1.2 is not enabled, TLS 1.0 is enabled. I understand TLS 1.2 is not supported in this version.

Under the Cipher Suites TLS 1.0 (suites in server-preferred order) section it gives:

TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK 256
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128

I was expecting that when I do the show run I would see the selected protocol in order. But I get no match:

#show run | i ssl encryption

Used search feature in notepad, same thing.

I see that TLS 1.2 support starts from version 9.3, but on the software download page of the ASA5520 the last update was back in 2018 and it was 9.1(7).

This means new hardware is needed to use TLS 1.2?

How do I check the currently configured protocols, and how do I change them to get a good rating in the Qualys SSL Labs test?

Thanks

5 Replies

Hi,

What hardware are you using? You should consider upgrading to the latest supported version, which supports TLS 1.2 and DTLS 1.2, which is any version from 9.10.

If you wish to get a good score, you should consider disabling TLS 1.0/1.1 and just use TLS/DTLS 1.2.

You can specify the ciphers as below:-

ssl server-version tlsv1.2 dtlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 AES256-GCM-SHA384"
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 AES256-GCM-SHA384"

HTH

This is a Cisco ASA 5520. I know this is pretty old and not supported any more. Before I consider making changes to the protocol or OS version, I was looking at where these are defined, either in ASDM or CLI. That I can't find. Google says that I should see, for example:

ssl encryption aes128-sha1 aes256-sha1 des-sha1

but in my case this statement is not in the config.

The exact command may be different, but the syntax on newer ASA software would be:-

ssl cipher tlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"

Potentially on older code it would be ssl encryption ...... you put the custom ciphers you wish to use in " ".

You can find the ciphers supported by TLS1 as below.

ASA-1(config)# show ssl ciphers
Current cipher configuration:
default (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1.1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
DES-CBC3-SHA
tlsv1.2 (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256

ASA-1(config)# ssl cipher tlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"

HTH
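Added example for this thread (not Cisco code and not tied to any ASA release): a small Python checker that parses `show ssl ciphers` output in the format shown above, tags each suite by the criteria the SSL Labs report in the question used (no forward secrecy, CBC mode, 3DES, DHE group size to be checked), and assembles an `ssl cipher <version> custom "..."` line in the shape of the replies from the suites that pass. It also parses lines in the layout of the SSL Labs cipher table. The sample outputs are constructed and shortened, and the policy rules are an assumption of the example, not an ASA feature.

```python
"""Evaluate an ASA cipher list against a forward-secrecy / AEAD policy.

Added example; only parses text you paste in and never talks to a device.
"""
import re

# Constructed sample, shortened, in the `show ssl ciphers` layout shown in
# the thread: one "<version> (<level>):" header, then one cipher per line.
SAMPLE_SHOW_SSL_CIPHERS = """\
Current cipher configuration:
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DES-CBC3-SHA
tlsv1.2 (medium):
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
AES128-SHA
"""

# Constructed sample in the layout of the SSL Labs "Cipher Suites" table
# quoted in the question: IANA name, hex id, optional key-exchange details.
SAMPLE_SSLLABS_LINES = [
    "TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK 256",
    "TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128",
]

HEADER = re.compile(r"^(\S+) \((\w+)\):$")
SSLLABS = re.compile(r"^(TLS_\S+) \((0x[0-9a-fA-F]+)\)(.*)$")

# Findings that disqualify a suite outright (assumed policy for this example).
HARD_ISSUES = {"3des", "no-forward-secrecy", "cbc"}


def parse_show_ssl_ciphers(text):
    """Return {version: [cipher, ...]} from `show ssl ciphers` output."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            result[current] = []
        elif line and current is not None:
            result[current].append(line)
    return result


def cipher_issues(name):
    """Policy findings for one OpenSSL-style cipher name (the ASA uses these)."""
    issues = []
    if "DES" in name:                        # 3DES: 64-bit block (Sweet32)
        issues.append("3des")
    if not name.startswith(("ECDHE-", "DHE-")):
        issues.append("no-forward-secrecy")  # static RSA key exchange
    if "GCM" not in name and "CHACHA20" not in name:
        issues.append("cbc")                 # CBC suites were marked WEAK in the report
    if name.startswith("DHE-"):
        issues.append("check-dh-size")       # DHE is only as strong as its DH group (1024 was flagged)
    return issues


def strong_ciphers(ciphers):
    """Keep only suites with no hard finding; DHE ones are kept but tagged."""
    return [c for c in ciphers if not HARD_ISSUES & set(cipher_issues(c))]


def asa_custom_cipher_line(version, ciphers):
    """Build the `ssl cipher <ver> custom "..."` line in the form used in the replies."""
    return 'ssl cipher %s custom "%s"' % (version, " ".join(ciphers))


def parse_ssllabs_line(line):
    """Pull name, id, FS flag, WEAK flag and DH size from one report line."""
    m = SSLLABS.match(line.strip())
    if not m:
        raise ValueError("not an SSL Labs cipher line: %r" % line)
    name, hexid, rest = m.groups()
    dh = re.search(r"DH (\d+) bits", rest)
    return {
        "name": name,
        "id": int(hexid, 16),
        "forward_secrecy": re.search(r"\bFS\b", rest) is not None,
        "weak": "WEAK" in rest,
        "dh_bits": int(dh.group(1)) if dh else None,
    }


if __name__ == "__main__":
    parsed = parse_show_ssl_ciphers(SAMPLE_SHOW_SSL_CIPHERS)
    for version, ciphers in parsed.items():
        keep = strong_ciphers(ciphers)
        print(version, "->", asa_custom_cipher_line(version, keep) if keep else "(no acceptable suite)")
    for line in SAMPLE_SSLLABS_LINES:
        print(parse_ssllabs_line(line))
```

Paste real `show ssl ciphers` output into the sample string to use it. Whether a DHE suite is acceptable depends on the DH group size, which the device configuration rather than the cipher name determines (the report above shows 1024-bit DH), so those suites are only tagged for review; on the constructed sample every TLS 1.0 suite is rejected and the TLS 1.2 list reduces to the two ECDHE/DHE GCM suites.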

# show run | i cipher
<empty>

(config)# ssl cipher ?
ERROR: % Unrecognized command

I see that TLS 1.2 support starts from 9.3, but on the software download page of the 5520 the last update was back in 2018 and it was 9.1(7).

This means new hardware is needed to use TLS 1.2?

Like I said, potentially on older software the command would start with ssl encryption, and you put the custom ciphers you wish to use in " ", like I demonstrated above.

HTH
