Impact of Mandatorily Using ATS Feature on Cisco ASA AnyConnect

SATORU SAEGUSA
Level 1

Hi, all
Apple will make the ATS feature mandatory from the end of 2016 and has published requirements for connecting using ATS.

https://developer.apple.com/library/content/documentation/General/Reference/InfoPlistKeyReference/Articles/CocoaKeys.html#//apple_ref/doc/uid/TP40009251-SW57

Is the AnyConnect for iPhone app affected by the requirements?
The current ssl cipher tlsv1.2 configuration of the ASA 9.6(2) does not contain the ciphers listed in the requirements.

Thank you for your cooperation in advance.

2 Replies

Marvin Rhoads
Hall of Fame

You can restrict the ASA to strong ciphers with something like the following:

ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"

The exact syntax may vary according to your ASA, but the one I'm showing is running 9.6(2). I pointed the Qualys SSL checker at it and verified that I can negotiate "TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048)".

I believe you need to sign your CSR using an ECDSA key to get the full ECDHE-ECDSA support. Please see the following two articles:

https://supportforums.cisco.com/document/12929911/creating-sha-2-certificate-signing-request-using-ecdsa

https://supportforums.cisco.com/document/12943436/understanding-and-configuring-asa-ec-certificate-and-ec-ciphers
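To see how an "ssl cipher ... custom" list measures up against the two headline ATS rules (TLS 1.2 must be offered, and ATS by default requires forward secrecy, which on Apple's list means ECDHE key exchange), here is a small static checker. It is an added example, not code from the original post or from Cisco: it parses ASA-style cipher lines (accepting both the ';' separator used in the reply above and the ':' separator Cisco documents), classifies each OpenSSL-style suite name by key exchange and certificate type, and reports suites that do not use ECDHE. The sample config reuses the three lines from the reply and adds a made-up tlsv1.2 line (an assumption, not from the page) so there is a TLS 1.2 entry to inspect; the exact accepted cipher list should still be taken from the Apple page linked in the question.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample input: the three lines from the reply above plus a
# "tlsv1.2" line that is my own assumption (not from the page) so the checker
# has a TLS 1.2 entry to inspect. ASA docs separate names with ':' while the
# reply uses ';', so both separators are accepted by the parser.
SAMPLE_CONFIG = """\
ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA"
"""

LINE_RE = re.compile(r'^\s*ssl cipher (\S+) custom "([^"]*)"\s*$')


@dataclass
class CipherVerdict:
    name: str            # OpenSSL-style name exactly as written in the ASA config
    key_exchange: str    # "ECDHE", "DHE" or "RSA" (static RSA key transport)
    authentication: str  # "ECDSA" or "RSA": which certificate key type the suite needs
    ats_ok: bool         # True only for ECDHE suites (ATS default forward-secrecy rule)


def classify(cipher: str) -> CipherVerdict:
    """Derive key exchange and authentication from an OpenSSL cipher name."""
    if cipher.startswith("ECDHE-"):
        kx = "ECDHE"
    elif cipher.startswith("DHE-"):
        kx = "DHE"
    else:
        # e.g. AES256-SHA: the premaster secret is encrypted to the server's RSA
        # key, so a later key compromise exposes recorded sessions.
        kx = "RSA"
    auth = "ECDSA" if "-ECDSA-" in cipher else "RSA"
    return CipherVerdict(cipher, kx, auth, kx == "ECDHE")


def parse_config(text: str) -> Dict[str, List[CipherVerdict]]:
    """Map each 'ssl cipher <version> custom "..."' line to its classified suites."""
    result: Dict[str, List[CipherVerdict]] = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        version, suites = m.groups()
        names = [s.strip() for s in re.split(r"[;:]", suites) if s.strip()]
        result[version] = [classify(n) for n in names]
    return result


def ats_summary(text: str) -> Tuple[bool, List[str]]:
    """Apply the two headline ATS rules to the tlsv1.2 line and return
    (passes, findings). Findings also note ECDSA suites, which only become
    negotiable once the ASA identity certificate carries an EC key."""
    cfg = parse_config(text)
    findings: List[str] = []
    if "tlsv1.2" not in cfg:
        findings.append("no 'ssl cipher tlsv1.2 custom' line: ATS clients require TLS 1.2")
        return False, findings
    tls12 = cfg["tlsv1.2"]
    for v in tls12:
        if not v.ats_ok:
            findings.append(
                f"tlsv1.2 offers {v.name} ({v.key_exchange} key exchange, no forward secrecy)"
            )
    ecdsa_suites = [v.name for v in tls12 if v.authentication == "ECDSA"]
    if ecdsa_suites:
        findings.append(
            "ECDSA suites need an EC-keyed identity certificate: " + ", ".join(ecdsa_suites)
        )
    return all(v.ats_ok for v in tls12), findings


if __name__ == "__main__":
    ok, notes = ats_summary(SAMPLE_CONFIG)
    print("ATS headline checks pass:", ok)
    for n in notes:
        print(" -", n)
```

Run against the sample, the checker fails the tlsv1.2 line because of AES256-SHA (the static-RSA suite that the Qualys test in the reply negotiated), and it points out that the ECDHE-ECDSA suites only come into play once the ASA's certificate is issued for an EC key, which is what the two linked Cisco documents walk through.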

Hi Rhoads,

Thank you for your useful reply.
AnyConnect 4.0.x for Apple iOS currently establishes connections to an ASA that does not satisfy the security requirements.
I have surmised that the enforcement does not affect the AnyConnect app.