Insecure server renegotiation weakness on ASA

Hello,

I have a virtual ASA for VPN and after a scan, I get the below:

The following systems are vulnerable to a cryptographic vulnerability, called the insecure server renegotiation weakness

As I understand it, there is nothing I can do on the ASA, right?

Has anyone overcome this already?

Thanks and regards,

Konstantinos

5 Replies

Hi,
I assume you were scanning SSL/TLS?
You can/should disable TLS 1.0/1.1 - assuming your client computers aren't using them; if you're on Windows 10 you should be fine. Enable TLS 1.2 and DTLS 1.2, use a custom list and select the ECDHE ciphers.
Ensure you are using a strong Diffie-Hellman group.

Provide the scan results and configuration if you need further assistance.

HTH

Hello,

I use the below ciphers:
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES256-GCM-SHA384
AES128-GCM-SHA256
AES256-GCM-SHA384
AES128-SHA256

We use "Diffie-Hellman group to be used with SSL: Group 2 - 1024-bit modulus".
Which Diffie-Hellman group do you propose? Will it affect clients?

Thanks and regards,
Konstantinos

Yes, making these changes could affect the clients when connecting. Use the commands show vpn-sessiondb ratio encryption and show vpn-sessiondb detail anyconnect to determine what ciphers your clients are currently capable of using when they connect. Amend accordingly.

When supported by the client, DHE is the preferred cipher because it provides Perfect Forward Secrecy.

Use the strongest dh-group supported by your client computers; group 2 is weak - you should definitely change that to group 14 or higher.

Test all settings; you can easily revert if some of your clients have issues.
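
A way to check the cipher list posted above against this advice, as an added example that is not code from the thread or from Cisco: it classifies each OpenSSL-style suite name by key exchange (ECDHE, DHE, or static RSA) and by whether it is an AEAD suite, and rates the configured DH group. The DH group modulus sizes are the standard MODP sizes (which groups a particular ASA release accepts is an assumption left to the reader's version), and `POSTED_CIPHERS` is the list from the reply above, used as sample input. One point the replies touch only indirectly is made explicit here: the ASA's SSL DH group setting bounds the strength of the DHE suites, so with group 2 those suites still only give 1024-bit key exchange even though they are "PFS" suites.

```python
# Added example (not from the thread): audit an ASA TLS cipher list and DH group
# against the advice in the replies (prefer ECDHE/DHE for forward secrecy, move
# off DH group 2). Suite names are OpenSSL-style, as scanners and the ASA custom
# cipher string both use.

# Standard MODP/IKE group modulus sizes (assumption: which of these a given ASA
# release accepts for its SSL DH group setting depends on the software version).
DH_GROUP_BITS = {1: 768, 2: 1024, 5: 1536, 14: 2048, 15: 3072, 16: 4096, 24: 2048}
MIN_DH_BITS = 2048  # common scanner threshold; 1024-bit DH is flagged as weak

# Cipher list exactly as posted in the thread, used here as sample input.
POSTED_CIPHERS = [
    "DHE-RSA-AES128-GCM-SHA256",
    "DHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "AES128-GCM-SHA256",
    "AES256-GCM-SHA384",
    "AES128-SHA256",
]


def classify_cipher(name):
    """Return (key_exchange, is_aead, forward_secrecy) for an OpenSSL-style suite name."""
    if name.startswith("ECDHE-"):
        kx = "ECDHE"
    elif name.startswith("DHE-"):
        kx = "DHE"
    else:
        kx = "RSA"  # no DHE/ECDHE prefix: static RSA key transport, no PFS
    is_aead = "-GCM-" in name or "CHACHA20" in name
    return kx, is_aead, kx in ("ECDHE", "DHE")


def audit_ciphers(cipher_list, dh_group):
    """Split a cipher list into keep/drop; DHE suites inherit the DH group's strength."""
    keep, drop = [], {}
    dh_bits = DH_GROUP_BITS.get(dh_group, 0)
    for name in cipher_list:
        kx, is_aead, pfs = classify_cipher(name)
        if not pfs:
            drop[name] = "no forward secrecy (static RSA key exchange)"
        elif not is_aead:
            drop[name] = "CBC/HMAC suite, prefer an AEAD (GCM) suite"
        elif kx == "DHE" and dh_bits < MIN_DH_BITS:
            drop[name] = f"DHE limited to {dh_bits}-bit DH group {dh_group}; raise the group or drop the suite"
        else:
            keep.append(name)
    return keep, drop


def audit_dh_group(group):
    """Return (ok, reason) for a numbered DH group."""
    bits = DH_GROUP_BITS.get(group)
    if bits is None:
        return False, f"unknown DH group {group}"
    if bits < MIN_DH_BITS:
        return False, f"group {group} is {bits}-bit, below the {MIN_DH_BITS}-bit minimum"
    return True, f"group {group} is {bits}-bit"


def report(cipher_list, dh_group):
    """Human-readable summary of both audits."""
    ok, reason = audit_dh_group(dh_group)
    keep, drop = audit_ciphers(cipher_list, dh_group)
    lines = [f"DH group: {reason}" + ("" if ok else "  <-- change this")]
    lines += [f"keep  {c}" for c in keep]
    lines += [f"drop  {c}: {why}" for c, why in drop.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    # The configuration from the thread: the posted list with DH group 2.
    print(report(POSTED_CIPHERS, 2))
    print()
    # The same list after moving to group 14: the DHE suites become worth keeping.
    print(report(POSTED_CIPHERS, 14))
```

Running it with group 2 keeps only the four ECDHE suites; with group 14 the two DHE suites are kept as well, and the three suites without a DHE/ECDHE prefix are dropped in both cases because static RSA key exchange has no forward secrecy.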

Thank you for the immediate answer.

I obtained the output of the commands.
For encryption, I use AES128 and AES-GCM-128.
The AnyConnect clients are mostly 4.6, but I also have 4.3 and 4.1.
I am now searching to see which DH groups AnyConnect 4.1 supports.

Regards,
Konstantinos

Marvin Rhoads
Hall of Fame

I've seen conflicting scan reports on this issue. For instance, immuniweb.com says it's not supported on my ASA while qualys.com says it is. Reference:

https://www.immuniweb.com/ssl/?id=6Hc7Ab1j

https://www.ssllabs.com/ssltest/analyze.html?d=vpn.dsitech.com

So the one site gives me an A- and the other an A+. As I noted in this thread:

https://community.cisco.com/t5/vpn/cisco-asa-trying-to-get-an-a-on-htbridge-com/m-p/3952581

...I just note that I got an "A" and happily move on to more important concerns. :)
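
When two scanners disagree, as they did above, a direct check with `openssl s_client` is a useful third opinion, since the "insecure renegotiation" finding comes down to whether the server advertises the RFC 5746 secure renegotiation extension. The following is an added example, not code from the thread or from any scanner vendor: an offline-testable parser for the relevant lines of `s_client` output, a small findings function, and a live wrapper. It assumes an `openssl` binary on the PATH, and `SAMPLE_OUTPUT` is a constructed transcript, not captured from a real ASA. It also handles the edge case that explains some conflicting reports: for a TLS 1.3 session `s_client` always prints "Secure Renegotiation IS NOT supported" because TLS 1.3 has no renegotiation at all, and that must not be reported as a weakness.

```python
# Added example (not from the thread): parse the lines of `openssl s_client`
# output that an "insecure renegotiation" scan finding rests on, and turn them
# into findings. parse_s_client() works on captured text so it can be tested
# offline; check_endpoint() is the live wrapper (assumes openssl on the PATH).
import re
import subprocess


def parse_s_client(output):
    """Pull protocol, cipher, ephemeral key size and the renegotiation flag out of s_client output."""
    parsed = {"secure_renegotiation": None, "protocol": None, "cipher": None,
              "temp_key_type": None, "temp_key_bits": None}
    m = re.search(r"^Secure Renegotiation IS (NOT )?supported", output, re.M)
    if m:
        parsed["secure_renegotiation"] = m.group(1) is None
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.M)
    if m:
        parsed["protocol"] = m.group(1)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.M)
    if m:
        parsed["cipher"] = m.group(1)
    # e.g. "Server Temp Key: DH, 1024 bits" or "Server Temp Key: ECDH, P-256, 256 bits"
    m = re.search(r"^Server Temp Key: (\w+),.*?(\d+) bits", output, re.M)
    if m:
        parsed["temp_key_type"] = m.group(1)
        parsed["temp_key_bits"] = int(m.group(2))
    return parsed


def findings(parsed):
    """Turn parsed fields into a list of issues; an empty list means clean."""
    issues = []
    proto = parsed["protocol"]
    if proto in ("SSLv3", "TLSv1", "TLSv1.1"):
        issues.append(f"legacy protocol negotiated: {proto}")
    # TLS 1.3 has no renegotiation, so s_client prints "IS NOT supported" for
    # every TLS 1.3 session; that is not a weakness and must not be flagged.
    if proto != "TLSv1.3" and parsed["secure_renegotiation"] is False:
        issues.append("server lacks the RFC 5746 secure renegotiation extension")
    bits = parsed["temp_key_bits"]
    if parsed["temp_key_type"] == "DH" and bits and bits < 2048:
        issues.append(f"ephemeral DH key only {bits} bits (raise the DH group)")
    if parsed["temp_key_type"] is None and parsed["cipher"]:
        issues.append(f"no ephemeral key exchange: {parsed['cipher']} has no forward secrecy")
    return issues


def check_endpoint(host, port=443, timeout=15):
    """Live check: run openssl s_client against host:port and parse the result."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=timeout)
    return parse_s_client((proc.stdout + proc.stderr).decode(errors="replace"))


# Constructed sample transcript (not captured from a real ASA): TLS 1.2 with a
# DHE suite over a 1024-bit group and no secure-renegotiation extension.
SAMPLE_OUTPUT = """\
CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 3109 bytes and written 433 bytes
---
New, TLSv1.2, Cipher is DHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES256-GCM-SHA384
"""


if __name__ == "__main__":
    for issue in findings(parse_s_client(SAMPLE_OUTPUT)):
        print("FINDING:", issue)
    # Against a live host: for issue in findings(check_endpoint("vpn.example.invalid")): ...
```

On the constructed transcript this reports two findings, the missing secure-renegotiation extension and the 1024-bit DH key, which together are exactly the two points raised earlier in the thread; the same transcript from a TLS 1.3 session would report nothing for renegotiation.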