Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6340
Views
5
Helpful
1
Replies

AnyConnect VPN Client TLS Requirements and Future Cipher Support

rhoisington3
Level 1
Level 1

‎05-14-2018 12:06 PM - edited ‎03-12-2019 05:17 AM

We currently use SSLLabs.com to scan for best practice TLS configurations.

 

Here is what I currently use and I get capped at B.

 

ASA Code: 9.8(2)28

 

TLS 1.2 enabled

Ciphers enabled: (Implemented in this order)

TLS_DHE_RSA_WITH_AES_256_CBC_SHA

TLS_DHE_RSA_WITH_AES_128_CBC_SHA

TLS_RSA_WITH_AES_256_CBC_SHA - WEAK - Seems to be required for AnyConnect

TLS_RSA_WITH_AES_128_CBC_SHA - WEAK - Seems to be required for AnyConnect

 

Do we have any idea when TLS 1.3 will be supported along with AEAD cipher?.

 

1 person had this problem
Labels:
0 Helpful
1 Reply 1

Karsten Iwen
VIP
VIP

‎05-16-2018 06:54 AM

I'm not aware of any roadmap for TLS 1.3; I'm waiting myself. But you can already use AES-GCM. This is my SSL-config:

 

ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"
ssl dh-group group14

 

Customers Also Viewed These Support Documents