10712 Views, 0 Helpful, 3 Replies

Changing SSL/TLS Diffie-Hellman group on ASA 5520

The ssl dh-group command was introduced in 9.3(2), which is not available for the ASA 5520. Is there any other way of forcing the SSL VPN to use a Diffie-Hellman modulus >1024 bits on this system?


3 Replies

You could set it using the ssl dh-group command globally:

ciscoasa(config)# ssl dh-group ?

configure mode commands/options:
  group1   Configure DH group 1 - 768-bit modulus
  group2   Configure DH group 2 - 1024-bit modulus
  group5   Configure DH group 5 - 1536-bit modulus
  group14  Configure DH group 14 - 2048-bit modulus, 224-bit prime order
           subgroup (FIPS)
  group24  Configure DH group 24 - 2048-bit modulus, 256-bit prime order
           subgroup (FIPS)

--

Please remember to select a correct answer and rate helpful posts

--
Please remember to select a correct answer and rate helpful posts
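Since the ssl dh-group listing above cannot be applied on a release that lacks the command, the practical fallback is to verify what the SSL VPN portal actually offers. The script below is an added example written for this thread (not Cisco code and not part of the original posts): it sends a TLS ClientHello that lists only DHE_RSA cipher suites, then parses the ServerKeyExchange to read the size of the server's DH modulus p, so you can see whether the box is really stuck at group2 (1024 bits) or already above it. The target host, the port 443 default and the 2048-bit acceptance floor in modulus_is_acceptable are assumptions; the cipher suite numbers are the IANA TLS_DHE_RSA_* identifiers.

```python
"""Probe which Diffie-Hellman modulus size a TLS server (e.g. an ASA SSL VPN
portal) offers, by sending a ClientHello that lists only DHE cipher suites and
parsing the ServerKeyExchange. Example code for this thread, not Cisco's;
the host/port, the suite list and the 2048-bit floor are assumptions."""
import os
import socket
import struct

# TLS_DHE_RSA_* cipher suite identifiers from the IANA TLS registry.
DHE_RSA_SUITES = (0x0033, 0x0039, 0x0067, 0x006B, 0x009E, 0x009F)
HANDSHAKE, ALERT = 22, 21
SERVER_KEY_EXCHANGE, SERVER_HELLO_DONE = 12, 14


def build_client_hello(suites=DHE_RSA_SUITES) -> bytes:
    """Minimal ClientHello (record version 3.1, client_version 3.3, no
    extensions) offering only DHE suites, so a server that agrees must
    send a ServerKeyExchange carrying its DH parameters."""
    cipher_suites = b"".join(struct.pack("!H", s) for s in suites)
    body = (
        b"\x03\x03" + os.urandom(32)          # client_version, client_random
        + b"\x00"                              # empty session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                          # compression_methods: null only
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def iter_handshake_messages(data: bytes):
    """Yield (type, body) for every complete handshake message in a run of
    TLS records; raise on an Alert record (e.g. handshake_failure)."""
    hs, off = bytearray(), 0
    while off + 5 <= len(data):
        ctype, _, _, length = struct.unpack("!BBBH", data[off:off + 5])
        off += 5
        if off + length > len(data):           # incomplete record: wait for more bytes
            break
        if ctype == ALERT:
            raise RuntimeError(f"TLS alert {data[off + 1]}: server refused the DHE-only offer")
        if ctype == HANDSHAKE:
            hs += data[off:off + length]
        off += length
    pos = 0
    while pos + 4 <= len(hs):                  # handshake header: 1-byte type, 3-byte length
        htype = hs[pos]
        hlen = int.from_bytes(hs[pos + 1:pos + 4], "big")
        if pos + 4 + hlen > len(hs):
            break
        yield htype, bytes(hs[pos + 4:pos + 4 + hlen])
        pos += 4 + hlen


def dh_modulus_bits(ske_body: bytes) -> int:
    """A DHE ServerKeyExchange starts with ServerDHParams:
    dh_p<1..2^16-1>, dh_g<1..2^16-1>, dh_Ys<1..2^16-1>. Return p's bit length."""
    (plen,) = struct.unpack("!H", ske_body[:2])
    return int.from_bytes(ske_body[2:2 + plen], "big").bit_length()


def modulus_is_acceptable(bits: int, minimum_bits: int = 2048) -> bool:
    """The thread asks for a modulus above 1024 bits; 2048 (group14/group24 in
    the listing above) is the assumed floor here. Set minimum_bits to local policy."""
    return bits >= minimum_bits


def probe_dh_bits(host: str, port: int = 443, timeout: float = 5.0) -> int:
    """Connect, send the DHE-only ClientHello and return the server's p size in bits."""
    buf = b""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_client_hello())
        while True:
            chunk = sock.recv(65536)
            if not chunk:
                break
            buf += chunk
            for htype, body in iter_handshake_messages(buf):
                if htype == SERVER_KEY_EXCHANGE:
                    return dh_modulus_bits(body)
                if htype == SERVER_HELLO_DONE:
                    raise RuntimeError("no ServerKeyExchange: server did not negotiate DHE")
    raise RuntimeError("connection closed before ServerKeyExchange")


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vpn.example.invalid"  # placeholder host
    bits = probe_dh_bits(target)
    print(f"{target}: DH modulus {bits} bits, acceptable={modulus_is_acceptable(bits)}")
```

Run it against the portal's address; a result of 1024 means the server is offering group2-sized parameters (the modulus the original question wants to move away from), and a TLS alert means the server has no DHE suite enabled at all, in which case RSA key transport rather than DH is in use and the dh-group setting would not apply anyway.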

The point is, I can't use the ssl dh-group command since it's not available in the OS release I'm using (9.1(6)10), and I can't upgrade the ASA any further.

Accepted Solution: Sorry, misread the question. As far as I know, we can not specify the DH group on the ASA prior to 9.3(2).

--

Please remember to select a correct answer and rate helpful posts