Re: Current best practice ssl cipher settings

stephanvanhienen · ‎01-17-2024

Hi,

We are currently using the following settings, are these still the best practice, or any updates on this ?
Cisco ASAv v9.20

ssl server-version tlsv1.2 dtlsv1.2
ssl cipher default custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384"
ssl cipher dtlsv1 custom "AES256-SHA"
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384""
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384"
ssl ecdh-group group20
ssl dh-group group14

I saw some posts about setting the dh-group to group21, but this isn't an option on our ASAv? :

# ssl dh-group ?

configure mode commands/options:
ffdhe2048 Configure DH group FFDHE2048 - 2048-bit modulus, (FIPS)
ffdhe3072 Configure DH group FFDHE3072 - 3072-bit modulus, (FIPS)
group14 Configure DH group 14 - 2048-bit modulus, (FIPS)
group15 Configure DH group 15 - 3072-bit modulus, (FIPS)

And not sure about the tlsv1.3 ciphers, the setting for tls1.2 isn't supported.
Found the following setting :

ssl cipher tlsv1.3 custom "TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_SHA256"

Rob Ingram · ‎01-17-2024

@stephanvanhienen correct DH group 14/15 appears to be the current supported version.

You also look to add - ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-ECDSA-AES256-GCM-SHA384

MHM Cisco World · ‎01-17-2024

if you can not use DH group 21 use DH 15.
for cipher select more than one cipher
in end not all user use same OS so some support this Cipher and other not
MHM

Marvin Rhoads · ‎01-17-2024

I use the settings below on FTD (set via platform settings) and get an A+ from Qualys SSLlabs tests. The same settings should be available on your ASA via CLI:

ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl server-max-version tlsv1.3
ssl client-max-version tlsv1.3
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
ssl cipher tlsv1.3 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
ssl dh-group group14
ssl ecdh-group group19

netadmins · ‎02-01-2024

Hi Marvin,

I use FMC to manage my 1150 HA pair. I am not currently using "Platform Settings" and wanted to know if there is a way to make the SSL cipher changes directly to the FTD pair. If I log into the primary FTD and run the command "show running-config all ssl", I get:

ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 medium
ssl dh-group group14
ssl ecdh-group group19
ssl trust-point RapidSSL-0724
ssl certificate-authentication fca-timeout 2

I would like to remove anything lower than 1.2 and medium strength. Is there another setting in the FMC to make these changes or do I need to make them directly on the FTDs? Thanks!

Rob Ingram · ‎02-01-2024

@netadmins you configure the TLS settings in the Platform Settings policy and assign the policy to the FTDs, example:- https://integratingit.wordpress.com/2021/01/28/secure-ftd-tls-ciphers/

netadmins · ‎02-01-2024

Rob, thanks for the reply. I should have stated my question a different way.

Is there a way WITHOUT using the "Platform Settings" policy?

Marvin Rhoads · ‎02-03-2024

@netadmins - no. An FMC-managed device can only have these settings changed via FMC. Similarly, for FDM-managed devices you must use the FDM GUI.