SHA1 Deprecation and Anyconnect using ASA's

david webb
Level 1

Greetings to All,

We are running a client VPN using AnyConnect and ASA 5510s and 5520s using IKEv2. We have been told that as of 2/14/2017, Microsoft will no longer support signed certificates with SHA1. Here's what I've done to fix this so far:

1. I've updated our VPN servers' (the ASAs') identity certificates, but am concerned that it may also need to be implemented in the IKEv2 policy and IPsec proposal.

2. I was able to get the IKEv2 policy to use SHA256.

3. I was NOT able to get the IPsec proposal to support SHA2. I've seen a thread that points to our hardware platform as not supporting this.

The major concern is this: on 2/14/2017, will our AnyConnect clients still be able to work? I would think so, but I'm trying to get a definitive answer.

Any help would be greatly appreciated.

Thanks!

Dave

1 Accepted Solution

Rahul Govindan
VIP Alumni

The Microsoft update only mentions SHA-1 TLS certificates. This should not affect IKE and IPsec proposals. As long as your certificate is updated to SHA2, you should have no issues.

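The accepted answer comes down to one verifiable fact: the signature hash on the ASA's TLS identity certificate (and the chain it presents) must no longer be SHA-1. The following is an added example, not code from this thread or from Cisco, that checks exactly that using only the Python standard library: it parses the outer signatureAlgorithm of an X.509 DER certificate, maps the well-known OID to its hash, and flags SHA-1/MD5. The "certificates" it runs on are constructed stubs (a Certificate SEQUENCE with an empty tbsCertificate) so it runs offline; `check_pem` accepts a real PEM certificate exported from the ASA or captured from the VPN listener.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5754) mapped to the hash they use.
SIG_ALG_HASH = {
    "1.2.840.113549.1.1.4": "md5",      # md5WithRSAEncryption
    "1.2.840.113549.1.1.5": "sha1",     # sha1WithRSAEncryption
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha1",        # ecdsa-with-SHA1
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}
WEAK_HASHES = {"md5", "sha1"}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at buf[pos]; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form (first arc 0/1/2 only)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear ends this base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(text):
    """Return DER bytes from a PEM CERTIFICATE block (bare base64 is accepted too)."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", text, re.S)
    body = m.group(1) if m else text
    return base64.b64decode("".join(body.split()))


def signature_oid(der):
    """Outer signatureAlgorithm OID of Certificate ::= SEQUENCE {
    tbsCertificate, signatureAlgorithm AlgorithmIdentifier, signatureValue BIT STRING }."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (PEM input? call pem_to_der first)")
    _, _, tbs_end = _read_tlv(der, start)             # skip tbsCertificate entirely
    alg_tag, alg_start, _ = _read_tlv(der, tbs_end)   # AlgorithmIdentifier SEQUENCE
    if alg_tag != 0x30:
        raise ValueError("malformed signatureAlgorithm")
    oid_tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def check_certificate(der):
    """Report the signature hash and whether a SHA-1 deprecation policy would reject it."""
    oid = signature_oid(der)
    h = SIG_ALG_HASH.get(oid, "unknown")
    return {"oid": oid, "hash": h, "weak": h in WEAK_HASHES}


def check_pem(text):
    return check_certificate(pem_to_der(text))


# --- constructed sample input (structurally valid DER, NOT real certificates) ----------
def _tlv(tag, content):
    """Minimal DER encoder used only to build the stubs below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")    # 1.2.840.113549.1.1.5
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")  # 1.2.840.113549.1.1.11


def make_stub_cert(sig_oid_bytes, tbs_padding=0):
    """Certificate SEQUENCE whose tbsCertificate is just padding; tbs_padding > 127
    forces long-form DER lengths so that path of the parser is exercised too."""
    tbs = _tlv(0x30, _tlv(0x04, b"\x00" * tbs_padding))
    alg = _tlv(0x30, _tlv(0x06, sig_oid_bytes) + _tlv(0x05, b""))   # OID + NULL params
    sig = _tlv(0x03, b"\x00" * 17)                                   # BIT STRING placeholder
    return _tlv(0x30, tbs + alg + sig)


def stub_pem(sig_oid_bytes):
    b64 = base64.b64encode(make_stub_cert(sig_oid_bytes)).decode()
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % b64


if __name__ == "__main__":
    print("old identity cert:    ", check_certificate(make_stub_cert(SHA1_RSA_OID)))
    print("renewed identity cert:", check_pem(stub_pem(SHA256_RSA_OID)))
```

To use it against a live ASA, save the chain shown by `openssl s_client -connect <vpn-host>:443 -showcerts` (each `BEGIN CERTIFICATE` block separately) and pass each block to `check_pem`; run it on every certificate in the chain the ASA presents, not only the leaf, since a SHA-1 intermediate fails the same policy. This check covers the TLS identity certificate, which is what the Microsoft deprecation applies to; it says nothing about the IKEv2 policy or IPsec proposal hashes, which are negotiated separately, as the answer above notes.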

6 Replies

Thanks, Rahul. That's what I suspected. I just need to be 100% sure. --DW

kevin.fogarty
Level 1

I'm not sure if this answer is 100% correct. According to Cisco, it depends on the version of AnyConnect you are using. See attached.

I think that might be from an older release note. MS documentation states that code signing certificates should be unaffected; only TLS certs will be made invalid.

https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx#Summary

But in any case, sticking to the AnyConnect 4.3 and 4.4 releases is recommended, as they should have the latest code signing certs.

I have to admit there is a lot of conflicting/contradicting info out there regarding this issue. I think I misunderstood the original post. I am concerned that Win 7 will not launch the AnyConnect client on the PC if it was signed with a SHA1 cert, and that's what I'm trying to find out. Sorry if I caused confusion.

No worries :) Your post made me re-check the MS documentation again, which is always good. You are right that there have been changes to the SHA-1 deprecation plan from the earlier info provided. Hopefully, the MS link posted above should be the single source of truth for the changes that will come about later this month.