
Cisco 4431 - Enabling TLS 1.2 - RSA keypair or ECC keypair

Ren Geldenhuys

I am trying to set up SSL-encrypted voice with TLS 1.2 and SRTP to a 3rd-party platform, via the public internet, on a Cisco ISR 4431. I have found some guides on setting up TLS and SRTP, but I am falling at the first hurdle: generating the keypair associated with the crypto trustpoint. Can you ONLY use an EC keypair for TLS 1.2 (and not an RSA keypair), or is it that an EC keypair can ONLY support TLS 1.2 (and an RSA keypair can do 1.0, 1.1 and 1.2)?

Our internal CA is unable to issue certs based on an ECC key size, as it is too small. So my only option is to go external, at a cost. Before I try that I need to be 100% sure that the cert MUST be ECC.


Peter Koltl
Rising star

There are some valid cipher suites for an RSA keypair in TLSv1.2:

ASA# show ssl cipher high
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-ECDSA-AES256-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-RSA-AES256-SHA384 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2, dtlsv1.2)
AES256-SHA256 (tlsv1.2, dtlsv1.2)
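
As an added example (not part of Peter's post or any Cisco tool), the following Python script parses OpenSSL-style cipher suite names of the kind `show ssl cipher high` prints and reports, for each suite, which certificate key type (RSA or ECDSA) the trustpoint keypair must provide, whether the suite offers forward secrecy, and whether its AEAD or SHA-2 components restrict it to TLS 1.2. The suite list embedded below is constructed from the output quoted above; the parsing logic and function names are my own.

```python
"""Work out which certificate key type each TLS 1.2 cipher suite needs.

Added example, not code from the original thread. It parses OpenSSL-style
suite names such as those printed by `show ssl cipher high` above.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample input: the eight suites shown in the post above.
SHOW_SSL_CIPHER_HIGH = """\
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-ECDSA-AES256-SHA384 (tlsv1.2, dtlsv1.2)
ECDHE-RSA-AES256-SHA384 (tlsv1.2, dtlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2, dtlsv1.2)
AES256-SHA256 (tlsv1.2, dtlsv1.2)
"""

# In OpenSSL naming the leading tokens give key exchange and authentication;
# when both are absent the suite is static RSA key transport.
KEX_TOKENS = {"ECDHE", "DHE"}
AUTH_TOKENS = {"RSA", "ECDSA"}
# AEAD modes and SHA-2 HMACs were introduced with TLS 1.2, so suites
# carrying these tokens cannot be negotiated under TLS 1.0 or 1.1.
TLS12_ONLY_TOKENS = {"GCM", "CCM", "CCM8", "CHACHA20", "POLY1305", "SHA256", "SHA384"}


@dataclass(frozen=True)
class Suite:
    name: str
    kex: str              # "ECDHE", "DHE", or "RSA" (static RSA key transport)
    auth: str             # key type the server certificate must carry: "RSA" or "ECDSA"
    forward_secrecy: bool
    tls12_only: bool      # True when the suite needs TLS 1.2 features
    versions: tuple       # protocol labels as printed by the device


def parse_suite(line: str) -> Suite:
    """Parse one line such as 'ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2, dtlsv1.2)'."""
    name, _, rest = line.strip().partition(" ")
    versions = tuple(v.strip() for v in rest.strip("()").split(",") if v.strip())
    tokens = name.split("-")
    if tokens[0] in KEX_TOKENS:
        kex = tokens[0]
        if len(tokens) < 2 or tokens[1] not in AUTH_TOKENS:
            raise ValueError(f"unsupported authentication token in {name}")
        auth = tokens[1]
    else:
        # No ephemeral key-exchange prefix: the RSA certificate key both
        # authenticates the server and transports the premaster secret.
        kex, auth = "RSA", "RSA"
    return Suite(
        name=name,
        kex=kex,
        auth=auth,
        forward_secrecy=kex in KEX_TOKENS,
        tls12_only=any(t in TLS12_ONLY_TOKENS for t in tokens),
        versions=versions,
    )


def parse_cipher_list(text: str) -> List[Suite]:
    return [parse_suite(ln) for ln in text.splitlines() if ln.strip()]


def suites_for_keypair(suites: List[Suite], keypair: str) -> List[str]:
    """Suites usable with a trustpoint whose certificate key is 'rsa' or 'ec'."""
    auth = {"rsa": "RSA", "ec": "ECDSA"}[keypair.lower()]
    return [s.name for s in suites if s.auth == auth]


def suites_without_forward_secrecy(suites: List[Suite]) -> List[str]:
    """Static RSA key-transport suites: a leaked server key decrypts past sessions."""
    return [s.name for s in suites if not s.forward_secrecy]


def all_tls12_only(suites: List[Suite]) -> bool:
    return all(s.tls12_only for s in suites)


if __name__ == "__main__":
    suites = parse_cipher_list(SHOW_SSL_CIPHER_HIGH)
    print("RSA certificate can use: ", suites_for_keypair(suites, "rsa"))
    print("EC certificate can use:  ", suites_for_keypair(suites, "ec"))
    print("No forward secrecy:      ", suites_without_forward_secrecy(suites))
    print("All suites TLS 1.2-only: ", all_tls12_only(suites))
```

Two points the output makes concrete. First, the authentication token in the middle of the suite name (RSA or ECDSA) is what the trustpoint keypair has to match; six of the eight suites above accept an RSA certificate, so an RSA keypair is sufficient for TLS 1.2. Second, every suite is labelled tlsv1.2 because of its GCM or SHA-256/SHA-384 component, not because of the key type. If you stay on an RSA certificate, prefer the ECDHE-RSA suites: the two suites with no key-exchange prefix (AES256-GCM-SHA384 and AES256-SHA256) use static RSA key transport and give no forward secrecy.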

Ren Geldenhuys

Thanks for the information, Peter. It ended up being the case that ECC ONLY supports 1.2 and RSA does 1.1 through 1.3. I ended up with external device certificates, as the 3rd party's revocation policy required access to the CA cert for validation and authentication. Learnt a lot about crypto in the last 2 weeks.
