cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1090
Views
3
Helpful
8
Replies

Current best practice ssl cipher settings

Hi,

We are currently using the following settings, are these still the best practice, or any updates on this ?
Cisco ASAv v9.20

ssl server-version tlsv1.2 dtlsv1.2
ssl cipher default custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384"
ssl cipher dtlsv1 custom "AES256-SHA"
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384""
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384"
ssl ecdh-group group20
ssl dh-group group14

I saw some posts about setting the dh-group to group21, but this isn't an option on our ASAv? :

# ssl dh-group ?

configure mode commands/options:
ffdhe2048 Configure DH group FFDHE2048 - 2048-bit modulus, (FIPS)
ffdhe3072 Configure DH group FFDHE3072 - 3072-bit modulus, (FIPS)
group14 Configure DH group 14 - 2048-bit modulus, (FIPS)
group15 Configure DH group 15 - 3072-bit modulus, (FIPS)

And not sure about the tlsv1.3 ciphers, the setting for tls1.2 isn't supported.
Found the following setting :

ssl cipher tlsv1.3 custom "TLS_AES_256_GCM_SHA384 TLS_CHACHA20_POLY1305_SHA256 TLS_AES_128_GCM_SHA256 TLS_AES_128_CCM_8_SHA256 TLS_AES_128_CCM_SHA256"

 

8 Replies 8

@stephanvanhienen correct DH group 14/15 appears to be the current supported version.

You also look to add - ECDHE-ECDSA-AES256-GCM-SHA384, ECDHE-ECDSA-AES128-GCM-SHA256


ECDHE-ECDSA-AES256-GCM-SHA384

if you can not use DH group 21 use DH 15. 
for cipher select more than one cipher 
in end not all user use same OS so some support this Cipher and other not 
MHM

Marvin Rhoads
Hall of Fame
Hall of Fame

I use the settings below on FTD (set via platform settings) and get an A+ from Qualys SSLlabs tests. The same settings  should be available on your ASA via CLI:

 

ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl server-max-version tlsv1.3
ssl client-max-version tlsv1.3
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
ssl cipher tlsv1.3 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256"
ssl dh-group group14
ssl ecdh-group group19

 

Hi Marvin,

I use FMC to manage my 1150 HA pair. I am not currently using "Platform Settings" and wanted to know if there is a way to make the SSL cipher changes directly to the FTD pair.  If I log into the primary FTD and run the command "show running-config all ssl", I get:

ssl server-version tlsv1.2 dtlsv1.2
ssl client-version tlsv1.2
ssl cipher default medium
ssl cipher tlsv1 medium
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 medium
ssl cipher dtlsv1.2 medium
ssl dh-group group14
ssl ecdh-group group19
ssl trust-point RapidSSL-0724
ssl certificate-authentication fca-timeout 2

I would like to remove anything lower than 1.2 and medium strength. Is there another setting in the FMC to make these changes or do I need to make them directly on the FTDs? Thanks!

@netadmins you configure the TLS settings in the Platform Settings policy and assign the policy to the FTDs, example:- https://integratingit.wordpress.com/2021/01/28/secure-ftd-tls-ciphers/

 

netadmins
Level 1
Level 1

Rob, thanks for the reply. I should have stated my question a different way.

Is there a way WITHOUT using the "Platform Settings" policy?

@netadmins - no. An FMC-managed device can only have these settings changed via FMC. Similarly, for FDM-managed devices you must use the FDM GUI.

terje
Level 1
Level 1

Hi Marvin,

I just reimaged a FPR2110 to ASA 9.20 in appliance mode for RA VPN use and applied your SSL cipher list. A public ecdsa wildcard certificate is enrolled and secure client access is working as expected.

However, SSL Labs reports a F grade and the following reasons:

Certificate #2: RSA 2048 bits (SHA256withRSA) is (obviously) not trusted by major browsers  (this is the self-signed SmartCallHome trustpool which is impossible to delete)

Tls1.2 chipers marked as WEAK

TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 (0xc024) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH x25519 (eq. 3072 bits RSA) FS WEAK 256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 2048 bits FS WEAK 256

Thanks,

-Terje