Cisco ASA - Trying to get an A+ on htbridge.com

morabusa
Level 1

Hello all,

 

I am trying to get an A+ on the following website: https://www.htbridge.com/ssl/ for an SSL webvpn domain configured on an ASA FW. For the moment I am just able to get an A, and I am getting the following "Weakness" according to this domain scanner (I have also attached an image with a more detailed explanation of the weakness).

 

** Server does not support OCSP Stapling

I have found this topic in this forum but without answers: https://community.cisco.com/t5/vpn-and-anyconnect/asa-support-for-ocsp-stapling/td-p/2917089

Do you know if the ASA supports OCSP Stapling at any version?


** No support of TLSv1.3

I have not found anything on the Internet concerning TLSv1.3 support, just this topic where someone said that the ASA should support it since version 9.3+: https://community.cisco.com/t5/vpn-and-anyconnect/asa-and-tls-1-3/td-p/2856689

My ASA is on version 9.4, but I am still getting this error. Can you please confirm which version I need to have TLSv1.3 support?


** Server does not provide HSTS

According to this topic, I need ASA version 9.8(2) to solve this issue: https://community.cisco.com/t5/vpn-and-anyconnect/http-strict-transport-security-on-asa/td-p/3060653

Can anyone please confirm if this version has fixed the issue for you?


** Server does not support secure server-initiated renegotiation

Just found this: https://community.cisco.com/t5/firewalls/asa-5500x-ssl-secure-renegotiation-and-forward-secrecy/td-p/3082478

 

Has someone had luck configuring this on ASA?


** This domain does not have a Certification Authority Authorization (CAA) record

This looks like a certificate issue and not an ASA issue.


** The RSA certificate provided is NOT an Extended Validation (EV) certificate

This looks like a certificate issue and not an ASA issue.


** Server does not provide HPKP

I just found this on the Internet, so it looks like the ASA does not support HPKP. At least not in version 9.7(1): https://quickview.cloudapps.cisco.com/quickview/bug/CSCve06518

Do you know if there is a version which supports HPKP?

 

As a side question, do you know which of the weaknesses I should fix in order to get an A+ in this domain scanner? Or should I fix all the issues in order to get an A+? Thank you very much.


Best Regards.


Accepted Solutions

Marvin Rhoads
Hall of Fame

I checked one of my "well-configured" VPNs (running on an ASA with Firepower Threat Defense 6.4.0.6) and it reports an "A+" score.

https://www.immuniweb.com/ssl/?id=6Hc7Ab1j

It hits most of the same issues you reported.

  1. OCSP stapling is not supported. Reference https://bst.cloudapps.cisco.com/bugsearch/bug/CSCva06489
  2. TLS 1.3 is not supported.
  3. HSTS is indeed fixed in 9.8(2). I can confirm it's working. This one may have made the difference between A and A+.
  4. Secure server-initiated renegotiation was my answer in the thread you referenced and it still doesn't work for me.
  5. HPKP is still not supported as far as I know.

Some of these checks are really designed for web servers and not the ASA SSL VPN per se, so I don't lose any sleep over the distinction between an A and an A+. By tightening things down as far as you have already, you are ahead of 95% of the implementations out there.


2 Replies


Marvin already gave all the needed info. Two more things to consider:

 

1) TLS 1.3: I don't remember the referenced discussion, but I was answering for TLS 1.2 there and not for TLS 1.3.

2) I would question the usefulness of a TLS-test in general if they mark the absence of an EV-certificate as a vulnerability. 

https://scotthelme.co.uk/extended-validation-not-so-extended/
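To verify the HSTS item from the accepted answer on your own VPN hostname after an upgrade, the header the scanner looks for can be checked directly. This is an added example, not part of any post in this thread and not Cisco code; the function names and the 180-day minimum `max-age` are assumptions.

```python
import http.client

MIN_MAX_AGE = 15552000  # assumed threshold (180 days); scanners differ on the exact value

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797 sec. 6.1); None if invalid."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name = name.strip().lower()       # directive names are case-insensitive
        arg = arg.strip().strip('"')      # the value may be a quoted-string
        if name in directives:            # each directive may appear only once
            return None
        directives[name] = arg
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None                       # max-age is required and must be digits
    directives["max-age"] = int(age)
    return directives

def assess_hsts(value):
    """Return (ok, reason) for one header value; None means the header is absent."""
    if value is None:
        return False, "header absent"
    parsed = parse_hsts(value)
    if parsed is None:
        return False, "malformed header, browsers ignore it"
    if parsed["max-age"] == 0:
        return False, "max-age=0 tells browsers to forget the HSTS policy"
    if parsed["max-age"] < MIN_MAX_AGE:
        return False, "max-age below %d seconds" % MIN_MAX_AGE
    return True, "ok"

def fetch_hsts(host, port=443, timeout=10):
    """Read the header from a server you administer (certificate is verified)."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    try:
        conn.request("HEAD", "/")
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()

if __name__ == "__main__":
    # Constructed sample values, not captured from any ASA.
    for s in (None, "max-age=31536000; includeSubDomains", "max-age=300", "max-age=0"):
        print(repr(s), "->", assess_hsts(s))
```

For a live check, pass the result of `fetch_hsts("vpn.example.com")` (placeholder hostname) to `assess_hsts`.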