01-17-2024 02:50 AM - edited 01-17-2024 03:49 AM
Hi,
We are currently using the following settings. Are these still best practice, or are there any updates on this?
Cisco ASAv v9.20
ssl server-version tlsv1.2 dtlsv1.2
ssl cipher default custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384"
ssl cipher dtlsv1 custom "AES256-SHA"
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384"
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384"
ssl ecdh-group group20
ssl dh-group group14
I saw some posts about setting the dh-group to group21, but this isn't an option on our ASAv?:
# ssl dh-group ?
configure mode commands/options:
ffdhe2048 Configure DH group FFDHE2048 - 2048-bit modulus, (FIPS)
ffdhe3072 Configure DH group FFDHE3072 - 3072-bit modulus, (FIPS)
group14 Configure DH group 14 - 2048-bit modulus, (FIPS)
group15 Configure DH group 15 - 3072-bit modulus, (FIPS)
And I'm not sure about the tlsv1.3 ciphers; the setting for tls1.2 isn't supported.
Found the following setting:
ssl cipher tlsv1.3 custom "TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_SHA256"
01-17-2024 03:01 AM
@stephanvanhienen correct, DH group 14/15 appears to be the currently supported version.
You could also look to add ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256
01-17-2024 03:05 AM
If you cannot use DH group 21, use DH group 15.
For ciphers, select more than one cipher;
in the end not all users use the same OS, so some support this cipher and others do not.
MHM
01-17-2024 08:19 AM
I use the settings below on FTD (set via platform settings) and get an A+ from Qualys SSLlabs tests. The same settings should be available on your ASA via CLI:
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl server-max-version tlsv1.3
ssl client-max-version tlsv1.3
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
ssl cipher tlsv1.3 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
ssl dh-group group14
ssl ecdh-group group19
02-01-2024 09:52 AM
Hi Marvin,
I use FMC to manage my 1150 HA pair. I am not currently using "Platform Settings" and wanted to know if there is a way to make the SSL cipher changes directly to the FTD pair. If I log into the primary FTD and run the command "show running-config all ssl", I get:
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 medium
ssl dh-group group14
ssl ecdh-group group19
ssl trust-point RapidSSL-0724
ssl certificate-authentication fca-timeout 2
I would like to remove anything lower than 1.2 and medium strength. Is there another setting in the FMC to make these changes or do I need to make them directly on the FTDs? Thanks!
02-01-2024 09:59 AM
@netadmins you configure the TLS settings in the Platform Settings policy and assign the policy to the FTDs, example: https://integratingit.wordpress.com/2021/01/28/secure-ftd-tls-ciphers/
02-01-2024 10:32 AM
Rob, thanks for the reply. I should have stated my question a different way.
Is there a way WITHOUT using the "Platform Settings" policy?
02-03-2024 03:38 AM
@netadmins - no. An FMC-managed device can only have these settings changed via FMC. Similarly, for FDM-managed devices you must use the FDM GUI.
10-28-2024 02:46 AM
Hi Marvin,
I just reimaged a FPR2110 to ASA 9.20 in appliance mode for RA VPN use and applied your SSL cipher list. A public ECDSA wildcard certificate is enrolled and Secure Client access is working as expected.
However, SSL Labs reports a F grade and the following reasons:
- Certificate #2: RSA 2048 bits (SHA256withRSA) is (obviously) not trusted by major browsers (this is the self-signed SmartCallHome trustpool which is impossible to delete)
TLS 1.2 ciphers marked as WEAK:
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS WEAK 256
Thanks,
-Terje
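A way to check a `show running-config all ssl` dump for the points raised in this thread (legacy version floors, the `medium` keyword sets netadmins wanted to get rid of, the CBC suites SSL Labs reported as WEAK in Terje's post, and a 2048-bit dh-group) before submitting the box to SSL Labs. This is an added example for the thread, not Cisco's code and not the posted configs' authors' code. The sample input is Marvin's posted FTD config, embedded verbatim; the hardened variant is an assumption of mine (the three CBC suites dropped, dh-group raised to group15, which the `ssl dh-group ?` output above lists on 9.20). Suite classification is purely by name (no GCM/CCM/CHACHA20 in the name means CBC); what the `medium` keyword expands to is release-dependent and the script only flags that it is in use rather than claiming its membership.

```python
"""Audit a Cisco ASA/FTD 'show running-config all ssl' dump for weak TLS settings.

Added example for this thread; not Cisco's code. Classification is by suite
name only: anything without GCM/CCM/CHACHA20 is treated as a CBC suite, which
is what SSL Labs reported as WEAK above. Keyword sets such as 'medium' are
flagged because their membership depends on the ASA/FTD release.
"""
import re

# Constructed input: the FTD platform settings posted in this thread, verbatim.
SAMPLE_CONFIG = """\
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl server-max-version tlsv1.3
ssl client-max-version tlsv1.3
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
ssl cipher tlsv1.3 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
ssl dh-group group14
ssl ecdh-group group19
"""

# Assumed hardened variant (not from the thread): same floor, the three CBC
# suites dropped, dh-group raised to group15 (3072-bit) as listed by 'ssl dh-group ?'.
HARDENED_CONFIG = """\
ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl server-max-version tlsv1.3
ssl client-max-version tlsv1.3
ssl cipher default custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl cipher tlsv1.3 medium
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384"
ssl dh-group group15
ssl ecdh-group group19
"""

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")         # covers OpenSSL-style and TLS 1.3-style names
LEGACY_VERSIONS = {"tlsv1", "tlsv1.1", "dtlsv1"}   # everything below the tlsv1.2 / dtlsv1.2 floor
DH_GROUP_BITS = {"group14": 2048, "ffdhe2048": 2048, "group15": 3072, "ffdhe3072": 3072}


def is_cbc(suite):
    """True for a non-AEAD (CBC, MAC-then-encrypt) suite such as ECDHE-RSA-AES256-SHA384."""
    return not any(marker in suite for marker in AEAD_MARKERS)


def parse_ssl_config(text):
    """Extract version floors, per-version cipher lists and DH groups from 'ssl ...' lines."""
    cfg = {"server_min": set(), "client_min": set(), "ciphers": {}, "dh_group": None, "ecdh_group": None}
    for raw in text.splitlines():
        parts = raw.split()
        if len(parts) < 3 or parts[0] != "ssl":
            continue
        key = parts[1]
        if key == "server-version":
            cfg["server_min"] = set(parts[2:])
        elif key == "client-version":
            cfg["client_min"] = set(parts[2:])
        elif key == "cipher" and len(parts) >= 4:
            quoted = re.search(r'"([^"]*)"', raw)     # custom lists are quoted; ':' or ' ' separated
            suites = [s for s in re.split(r"[:\s]+", quoted.group(1)) if s] if quoted else []
            cfg["ciphers"][parts[2]] = (parts[3], suites)   # e.g. "tlsv1.2": ("custom", [...])
        elif key == "dh-group":
            cfg["dh_group"] = parts[2]
        elif key == "ecdh-group":
            cfg["ecdh_group"] = parts[2]
    return cfg


def audit(text):
    """Return human-readable findings; an empty list means nothing was flagged."""
    cfg = parse_ssl_config(text)
    findings = []
    for role in ("server_min", "client_min"):
        for version in sorted(cfg[role] & LEGACY_VERSIONS):
            findings.append(f"{role.replace('_min', '-version')} allows {version}; set the floor to tlsv1.2/dtlsv1.2")
    for version, (level, suites) in cfg["ciphers"].items():
        if version in LEGACY_VERSIONS:
            continue  # not negotiable once the floor is tlsv1.2; the version check above covers it
        if level != "custom" and version != "tlsv1.3":   # all TLS 1.3 suites are AEAD, so that keyword set is left alone
            findings.append(f"ssl cipher {version} uses the '{level}' keyword set; pin an explicit custom list")
        for suite in suites:
            if is_cbc(suite):
                findings.append(f"ssl cipher {version}: {suite} is a CBC suite (reported WEAK by SSL Labs)")
    bits = DH_GROUP_BITS.get(cfg["dh_group"])
    if bits is not None and bits < 3072:
        findings.append(f"ssl dh-group {cfg['dh_group']} is {bits}-bit; use group15/ffdhe3072 where the platform offers it")
    return findings


if __name__ == "__main__":
    for name, cfg_text in (("posted config", SAMPLE_CONFIG), ("hardened config", HARDENED_CONFIG)):
        results = audit(cfg_text)
        print(f"== {name}: {len(results)} finding(s)")
        for line in results:
            print("  -", line)
```

Run it as-is to see the posted config produce eight findings (the `default medium` set, the same three CBC suites under both `tlsv1.2` and `dtlsv1.2`, and group14) and the hardened variant produce none; to audit a real box, paste the output of `show running-config all ssl` into `audit()`. Whether removing the CBC suites cuts off any older clients is deployment-specific, as MHM's reply notes, so test with the Secure Client versions you actually have before pushing it.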