12-13-2016 08:41 PM - edited 02-21-2020 09:05 PM
Hi, all
Apple will make the ATS feature mandatory from the end of 2016 and has published requirements for connecting using ATS.
https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW57
Is the AnyConnect for iPhone App affected by the requirements?
The current ssl cipher tlsv1.2 configuration of the ASA 9.6(2) does not contain the ciphers presented in the requirements.
Thank you for your cooperation in advance.
04-14-2017 05:53 AM
You can restrict the ASA to using strong ciphers using something like the following:
ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
The exact syntax may vary according to your ASA, but the one I'm showing is running 9.6(2). I pointed the Qualys SSL checker at it and verified I can negotiate "TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)".
I believe you need to sign your CSR using an ECDSA key to get the full ECDHE-ECDSA support. Please see the following two articles:
https://supportforums.cisco.com/document/12929911/creating-sha-2-certificate-signing-request-using-ecdsa
https://supportforums.cisco.com/document/12943436/understanding-and-configuring-asa-ec-certificate-and-ec-ciphers
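As an added example (not from this thread, Cisco, or Apple), a small Python audit that parses ASA `ssl cipher ... custom` lines like the ones above and reports which entries are on Apple's ATS cipher list (all ECDHE, forward-secrecy suites) and which are not. It assumes the cipher string uses OpenSSL-style names separated by ':' or ';' (the thread shows ';').

```python
import re

# Apple's ATS-accepted suites, keyed by the OpenSSL-style name used in the ASA
# custom cipher string, mapped to the IANA name scanners such as Qualys report.
ATS_CIPHERS = {
    "ECDHE-ECDSA-AES256-GCM-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-ECDSA-AES256-SHA384": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-ECDSA-AES256-SHA": "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
    "ECDHE-ECDSA-AES128-SHA256": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-ECDSA-AES128-SHA": "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    "ECDHE-RSA-AES256-GCM-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "ECDHE-RSA-AES256-SHA384": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384",
    "ECDHE-RSA-AES128-SHA256": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
    "ECDHE-RSA-AES256-SHA": "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "ECDHE-RSA-AES128-SHA": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
}

# Matches: ssl cipher <version> custom "<cipher list>"
CUSTOM_LINE = re.compile(r'^\s*ssl cipher (\S+) custom "([^"]+)"\s*$')


def parse_ssl_cipher_config(config_text):
    """Return {version: [cipher, ...]} for each 'ssl cipher X custom' line.
    Assumption: ':' or ';' separates entries in the custom string."""
    result = {}
    for line in config_text.splitlines():
        m = CUSTOM_LINE.match(line)
        if m:
            version, cipher_list = m.group(1), m.group(2)
            result[version] = [c for c in re.split(r"[:;]", cipher_list) if c]
    return result


def audit_ats(config_text):
    """Per version, split the configured ciphers into ATS-accepted (IANA
    names) and entries absent from Apple's ATS list (no forward secrecy)."""
    report = {}
    for version, ciphers in parse_ssl_cipher_config(config_text).items():
        report[version] = {
            "ats_ok": [ATS_CIPHERS[c] for c in ciphers if c in ATS_CIPHERS],
            "not_ats": [c for c in ciphers if c not in ATS_CIPHERS],
        }
    return report


# Constructed sample: the three lines suggested in the reply above.
SAMPLE_CONFIG = """ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
"""

if __name__ == "__main__":
    for version, r in audit_ats(SAMPLE_CONFIG).items():
        print(version, "ATS-accepted:", r["ats_ok"], "not ATS:", r["not_ats"])
```

Any entry reported under "not ATS" remains negotiable by non-Apple clients, so the split shows what an ATS-restricted client can use versus what the ASA still offers everyone else.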
04-18-2017 12:17 AM
Hi Rhoads,
Thank you for your useful reply.
AnyConnect 4.0.x for Apple iOS has established a connection to an ASA that does not satisfy the security requirements at present.
I have surmised that the enforcement does not affect the AnyConnect app.