Cisco 4431 - Enabling TLS 1.2 - RSA keypair or ECC keypair

Ren Geldenhuys
Level 1

I am trying to set up SSL-encrypted voice with TLS 1.2 and SRTP to a 3rd party platform, via the public internet, on a Cisco ISR 4431. I have found some guides on setting up TLS and SRTP, but I am falling at the first hurdle: generating the keypair associated with the crypto trustpoint. Can you ONLY use an EC keypair for TLS 1.2 (and not an RSA keypair), or is it that an EC keypair can ONLY support TLS 1.2 (and an RSA keypair can do 1.0, 1.1 and 1.2)?

Our internal CA is unable to issue certs based on the ECC key size, as it is too small. So my only option is to go external, at a cost. Before I try that I need to be 100% sure that the cert MUST be ECC.

Ren Geldenhuys

Peter Koltl
Level 7

There are some valid ciphers for an RSA keypair in TLSv1.2:

ASA# show ssl cipher high
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-ECDSA-AES256-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-RSA-AES256-SHA384 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2, dtlsv1.2)
AES256-SHA256 (tlsv1.2, dtlsv1.2)
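As an added example (not from this thread or from Cisco), the Python below parses a `show ssl cipher` listing in the OpenSSL-style format shown above and reports, per certificate key type, which protocol versions are available and which suites give forward secrecy. The sample input is the list quoted in the reply, embedded as a constructed string; the cipher-name parsing assumes the standard ECDHE-/DHE- naming convention.

```python
import re
from typing import Dict, List

# Constructed sample: the suites quoted in the reply above, as an ASA prints
# them for "show ssl cipher high" (OpenSSL-style names, versions in brackets).
SHOW_SSL_CIPHER_OUTPUT = """\
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-ECDSA-AES256-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-RSA-AES256-SHA384 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2, dtlsv1.2)
AES256-SHA256 (tlsv1.2, dtlsv1.2)
"""

LINE_RE = re.compile(r"^\s*([A-Z0-9-]+)\s*\(([^)]*)\)")


def parse_cipher_list(text: str) -> List[Dict[str, object]]:
    """Split each suite name into key exchange and certificate key type, and
    keep the protocol versions the device lists for it."""
    suites = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip prompts and blank lines
        name = m.group(1)
        versions = [v.strip() for v in m.group(2).split(",")]
        parts = name.split("-")
        # ECDHE/DHE prefix: ephemeral key exchange (forward secrecy); anything
        # else is static RSA key transport using the certificate key itself.
        kx = parts[0] if parts[0] in ("ECDHE", "DHE") else "RSA"
        # Certificate key type follows the kx prefix; static-RSA suites such as
        # AES256-GCM-SHA384 implicitly need an RSA certificate.
        auth = parts[1] if kx != "RSA" and parts[1] in ("ECDSA", "RSA") else "RSA"
        suites.append({"name": name, "kx": kx, "auth": auth,
                       "forward_secrecy": kx != "RSA", "versions": versions})
    return suites


def versions_by_cert_key_type(suites) -> Dict[str, List[str]]:
    """Which protocol versions each certificate key type (RSA/ECDSA) can use."""
    out: Dict[str, set] = {}
    for s in suites:
        out.setdefault(s["auth"], set()).update(s["versions"])
    return {k: sorted(v) for k, v in out.items()}


def usable_suites(suites, cert_key_type: str, version: str, pfs_only=False):
    """Suite names a certificate of the given key type can negotiate."""
    return [s["name"] for s in suites if s["auth"] == cert_key_type
            and version in s["versions"] and (s["forward_secrecy"] or not pfs_only)]
```

Run against the quoted list, `versions_by_cert_key_type` shows tlsv1.2 for both RSA and ECDSA certificates, and `usable_suites(..., "RSA", "tlsv1.2", pfs_only=True)` returns the four ECDHE-RSA/DHE-RSA suites a practitioner would prefer to keep enabled.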

Ren Geldenhuys
Level 1

Thanks for the information, Peter. It ended up being the case that ECC ONLY supports 1.2 and RSA does 1.1 through 1.3. I ended up with external device certificates, as the 3rd party's revocation policy required access to the CA cert for validation and authentication. Learnt a lot about crypto in the last 2 weeks.

Ren Geldenhuys