Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1739
Views
5
Helpful
1
Replies

Confused about Ciphers Negotiating between AnyConnect 4.3. and ASA 5512-X / 5525 - X (9.4.3.12)

mjauner
Level 1
Level 1

‎12-23-2016 05:49 AM - edited ‎02-21-2020 09:06 PM

Hello

In our Clientbased - VPN with AnyConnect 4.3.02039 an ASA 5500-X Series with 9.4(3)12 we have to optimize the cipher suites.

Before we had the 3.x Client only supporting TLS 1.0.

Now we changed to TLS 1.2 only an tried to configure more secure ciphers.

- Looks like althoug we do DHE - Suites on top of the priority the negotiation will never choose this for TLS 1.2.

- Depending on the order or number of the configured ciphers (even if reconfigure change TLS 1 or 1.1 or default) the AnyConnect will present the ASA different numbers and different orders of posible Ciphers (between 8 an 37 !)

- Looks like DTLS only can choose AES256-SHA. But I can configure also Ciphers with DHE.

Problem 1 is that for security reason PFS is to choose, but will never be negoatiated.

In some cases the TLS 1.2 do negoatiation to "more secure" ciphers first and immediately do a renegotiating to poorer one.

Problem 2 is that after TLS tunnel is up, it will change to the DTLS tunnel. Same problem with PFS and only SHA.

Looks like something is really buggy.

Where can I find documentation or bug - list which ciphers really supported and the conditions and dependencies from the ordering or dependencies from the configuration of the other TLS (1.0 / 1.1 / or default )?

Is it correct tha i can never see the negoatiating of the DTLS ?

Thanks for help

Martin

Labels:
Preview file
351 KB
0 Helpful
1 Reply 1

Rahul Govindan
VIP Alumni
VIP Alumni

‎12-23-2016 08:04 AM

Martin,

Yeah its really confusing, but I think the following bugs explain what could be happening:

Anyconnect failure when custom ciphers DHE-RSA are used - CSCuz41966

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz41966/?referring_site=bugquickviewclick

This may be the cause that none of the DHE algorithms are selected when the TLS tunnel is established -causing AES256-SHA to be chosen as this is second in your list on the ASA.

DTLS still uses TLS1.0 meaning none of the new algorithms are supported anyway. The following enhancement bug has been raised for this support:

CSCux68801 - ASA: Add Support of DTLS 1.2 (RFC 6347)

https://quickview.cloudapps.cisco.com/quickview/bug/CSCux68801

Best way would be open a TAC case and confirm the same. Good analysis btw :-)

Customers Also Viewed These Support Documents