Anyconnect Perfect Forward Secrecy

mdieken011
Level 1

I want to use PFS for my Anyconnect remote access VPN.  I don't see any documentation on how I can make that happen.  Any recommendations for the config would be greatly appreciated.

Accepted Solution

You can enforce Forward Secrecy by disabling all non-DHE ciphers. If you have AnyConnect4 and no legacy clients, it works without any problems. This is my ASA with only forward secrecy:

ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"
ssl dh-group group14


14 Replies

Thank you for the custom ciphers.  This tweak boosted my SSL Labs score to an A!!!

@Karsten Iwen Thanks for this - I just came across your answer.

FYI I was able to accomplish pretty much the same thing on an FMC-managed FTD device via Devices > Platform Settings > SSL as follows:

[Image: FTD TLS Platform Settings]

Applying the above settings on an FTD device (mine was running FTD 6.4.0.5) will result in an "A-" Qualys scan score. Cisco's decision not to support secure renegotiation limits us to that:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCud62637

https://community.cisco.com/t5/firewalls/cisco-asa-5512-9-8-2-support-for-secure-renegotiation/td-p/3754076

FYI all - it appears that Cisco has slipped in "secure renegotiation" support recently.

I cannot find it in the release notes (or interim release notes); but I just built a new ASAv in AWS using 9.16(1)28 and was pleasantly surprised to see it earn an "A+" from Qualys. I didn't do anything special beyond the recommendations documented by @Karsten Iwen .


This is really good news! Took some time …

@Karsten Iwen indeed it did!

By the way I just tuned an FTD 7.0 deployment similarly. The settings noted above also result in an A+ for FTD.

Also, as of 7.0 we can make those settings in both FMC- and FDM-managed environments. Previously FDM did not expose those settings.

Karsten,

I have had success using the above ciphers on my ASA-5545s; however, I am unable to use them on my FP2120s running the ASA image, ver 9.16(3)23. I am able to create the custom cipher list for tlsv1.2 only; the rest throw an error:

ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default high
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256 "
ssl ecdh-group group20
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 management
ssl trust-point ASDM_Launcher_Access_TrustPoint_0 management vpnlb-ip
PROD-VPN-ASA1-FP2K# config t
PROD-VPN-ASA1-FP2K(config)# ssl cipher tlsv1.1 custom "AES256-SHA:AES128-SHA:D$
ERROR: Unable to create cipher list
ERROR: Unable to update ciphers.

Suggestions? TAC is scratching their heads on this one as well.

With "server-version tlsv1.2" you don't need the ciphers for 1.0 and 1.1 as these versions are disabled anyhow.

I agree; however, Qualys is stating this "server" (my FP2120) doesn't support PFS, so it's capped at a "B" for weak key exchange in my cipher list. Also, my Information Security team is stating this ASA is hitting two vulnerabilities:

1. Generate random Diffie-Hellman parameters

a. Configure the server to use a randomly generated Diffie-Hellman group.

2. Disable TLS/SSL support for static key cipher suites

a. Configure the server to disable support for static key cipher suites.

ASA# sh run ssl
ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher default high
ssl cipher tlsv1 fips
ssl cipher tlsv1.1 fips
ssl cipher tlsv1.2 high
ssl cipher dtlsv1 fips
ssl cipher dtlsv1.2 high
ssl ecdh-group group20

Even with "ssl cipher tlsv1.2 high" there are some legacy ciphers enabled. I would manually enable only the best FS-ciphers.
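Added example, not from this thread or from Cisco: a small Python checker that reads ASA `ssl cipher` lines and flags suites whose key exchange is not ephemeral, covering both the custom lists in the accepted answer and the named-level (`high`/`fips`) lines in the `sh run ssl` output above. The sample configs are constructed from the thread; the classification rests on OpenSSL naming, where a leading ECDHE/DHE/EDH token means an ephemeral key exchange and a bare name such as AES256-SHA means static RSA key transport (the "static key cipher suites" Qualys reports).

```python
import re

# OpenSSL cipher-name prefixes that denote an ephemeral (forward-secret) key exchange.
EPHEMERAL_KX = ("ECDHE", "DHE", "EDH")

# ASA syntax: ssl cipher <version> custom "<list>"   or   ssl cipher <version> <level>
SSL_CIPHER_RE = re.compile(r'^\s*ssl\s+cipher\s+(\S+)\s+(?:custom\s+"([^"]*)"|(\S+))\s*$')

# Constructed samples: the accepted answer's lists, and named levels plus a static-RSA custom list.
ACCEPTED_ANSWER_CONFIG = """
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"
"""
MIXED_CONFIG = """
ssl cipher default high
ssl cipher tlsv1.2 high
ssl cipher tlsv1.1 custom "AES256-SHA AES128-SHA ECDH-RSA-AES256-SHA DHE-RSA-AES256-SHA"
"""

def is_forward_secret(suite: str) -> bool:
    """ECDHE/DHE/EDH key exchange is ephemeral; a bare name such as AES256-SHA means
    RSA key transport and ECDH- (no trailing E) is static ECDH, neither forward secret."""
    return suite.split("-", 1)[0] in EPHEMERAL_KX

def parse_ssl_cipher_config(config: str) -> dict:
    """Map each version keyword to a list of suite names (custom) or a level name."""
    result = {}
    for line in config.splitlines():
        m = SSL_CIPHER_RE.match(line)
        if m:
            version, custom_list, level = m.groups()
            # ASA separates suites in a custom list with spaces.
            result[version] = custom_list.split() if custom_list is not None else level
    return result

def audit_forward_secrecy(config: str) -> dict:
    """Per version: suites that are NOT forward secret, or a note for a named level
    (not expandable offline; per the thread, 'high' still includes legacy suites)."""
    findings = {}
    for version, setting in parse_ssl_cipher_config(config).items():
        if isinstance(setting, str):
            findings[version] = f"named level '{setting}': expand on the device and review"
        else:
            findings[version] = [s for s in setting if not is_forward_secret(s)]
    return findings

if __name__ == "__main__":
    for name, cfg in (("accepted answer", ACCEPTED_ANSWER_CONFIG), ("mixed", MIXED_CONFIG)):
        print(name, audit_forward_secrecy(cfg))
```

Paste the output of `sh run ssl` from your own box into `audit_forward_secrecy` to see which lines still admit static-key suites; an empty list for every version is what the accepted answer's config produces.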

I got it to take the custom tlsv1.2 cipher list as described in earlier posts; however, when I clear the cache on the Qualys page it fails to connect ("Assessment failed: Failed to communicate with the secure server"), and it somehow affected how my RA "AnyConnect" client behaves, because I get a "certificate error" and then it rolls over to my next VPN configured in the XML.


ChuckHaynes
Level 3

What are you guys getting for the Key Exchange? Previously, I got 100%, but now I am only getting 90%.

Yes, key exchange will be scored 90% unless you have a key >= 4096 bits.

https://github.com/ssllabs/research/wiki/SSL-Server-Rating-Guide

Most keys in use today are 2048 bits. Even www.nsa.gov gets 90% due to a 2048 bit key.

We used to get 100% on Key Exchange, but now we get 90%. We didn't change anything pertaining to our certificate or key.

[Image: 0.jpg]

As you previously mentioned, it looks like Cisco did finally add working Secure Renegotiation support because our grade is no longer capped at an A-.

We are only using one cipher (see below).

[Image: 1.jpg]

[Image: 2.jpg]

However, the report lists these.

[Image: 4.jpg]

I assume the score is getting capped at 90% because it's choosing another cipher first. However, I don't understand where it's getting the other ones from. Our goal is to only use (force) secp384r1.