3379 Views, 0 Helpful, 8 Replies

Installed SHA2 SSL certificate but AnyConnect client still shows "hashing = sha1"?

TCAM (Level 1)

Hi -

asa5550, image = 8.4.x. Installed a SHA2 SSL certificate, everything is working fine.

However, when the AnyConnect client connects to the ASA, it shows "hashing = sha1". Why?

Can someone shed some light on this please? Thanks

8 Replies

David Castro F. (Spotlight)

Hey Joe,

So you installed the SSL cert and placed it on the outside interface?

ssl trust-point my.digicert.trustpoint outside  

Also are you testing AnyConnect or WebVPN?

Please proceed to rate and mark as correct the helpful post!

David Castro,

Thanks for replying Dave -

Yes, the SSL certificate is placed on the outside interface and associated with a trust-point.

Yes, tested using AnyConnect and WebVPN. Both show hashing = sha1.

Thanks

Hey Jose,

Can you give me the DNS name? Is this a cert renewal or the first time you installed the cert? When you look at the identity cert, can you see the SHA256 protocol? Is there any other cert installed? Did you test on Chrome, IE and Firefox?

Thanks,

David Castro,

You are mixing two independent security elements here:

  1. SHA256 in the certificate is used to establish the secure tunnel and authenticate the server.
  2. In the tunnel setup phase the ASA and the client negotiate which crypto is used to secure the tunnel. Here, your ASA only supports SHA1, which is what you see when you look at the tunnel details.

Hi -

I am not talking about SHA256 "encryption"; I am concerned about the "hashing" SHA1 shown below.

Username     : xxxxxxxxx              Index        : 25255
Assigned IP  : xxxxxxxxx         Public IP    : xxxxxxxxx
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium, AnyConnect for Mobile
Encryption   : AES256 AES256          Hashing      : SHA1 SHA1
Bytes Tx     : 214685397              Bytes Rx     : 38214662
Group Policy : xxxxxxxxx        Tunnel Group : xxxxxxxxx

As far as I know, SHA2 is supported from 8.2.5 onwards; check the release notes below:

http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html

------Snippet from the link above-----

SSL SHA-2 digital signature

You can now use SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5(1) or later (2.5(2) or later recommended). This release does not support SHA-2 for other uses or products.

My ASA is running 8.4.x and the AnyConnect client is 3.x, so SHA2 should be supported, but the "hashing" is still showing up as SHA1. That is my concern.
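As an added example that is not part of the thread, a small Python audit script that parses output in the layout of the session record quoted above and flags every sub-tunnel still negotiating a weak HMAC, which is the "Hashing" column the thread is about (tunnel integrity), not the certificate's signature hash. The session data, user names, group names and the second session's SHA256 values are constructed for the example.

```python
import re

# Constructed sample in the layout of the "show vpn-sessiondb" record quoted in the
# thread; users, group names and the second session's SHA256 values are made up.
SAMPLE_OUTPUT = """\
Username     : alice                  Index        : 25255
Protocol     : AnyConnect-Parent SSL-Tunnel
License      : AnyConnect Premium, AnyConnect for Mobile
Encryption   : AES256 AES256          Hashing      : SHA1 SHA1
Group Policy : GP-Users               Tunnel Group : TG-Users

Username     : bob                    Index        : 25260
Protocol     : AnyConnect-Parent SSL-Tunnel
Encryption   : AES256 AES256          Hashing      : SHA256 SHA256
"""

# One "Key : Value" pair. The ASA prints two pairs per line separated by a run of
# two or more spaces, so a value ends at such a run or at end of line.
_PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)(?=\s{2,}[A-Za-z][A-Za-z ]*?\s*:|\s*$)")


def parse_sessions(text):
    """Return one {field: value} dict per session; sessions are blank-line separated."""
    sessions = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            for key, value in _PAIR.findall(line):
                fields[key.strip()] = value.strip()
        sessions.append(fields)
    return sessions


def tunnel_hashing(session):
    """Pair each sub-tunnel named in 'Protocol' with its negotiated HMAC from 'Hashing'."""
    protocols = session.get("Protocol", "").split()
    hashes = session.get("Hashing", "").split()
    # 'SHA1 SHA1' is one entry per sub-tunnel (parent and SSL-Tunnel here); fall back
    # to a positional label if the two lists ever differ in length.
    return {protocols[i] if i < len(protocols) else f"tunnel{i}": h
            for i, h in enumerate(hashes)}


def weak_hash_sessions(text, weak=("SHA1", "MD5")):
    """List every (user, index, sub-tunnel) whose negotiated HMAC is weak."""
    findings = []
    for s in parse_sessions(text):
        for tunnel, h in tunnel_hashing(s).items():
            if h.upper() in weak:
                findings.append({"user": s.get("Username"), "index": s.get("Index"),
                                 "tunnel": tunnel, "hashing": h})
    return findings
```

Running `weak_hash_sessions(SAMPLE_OUTPUT)` reports both of alice's sub-tunnels and nothing for bob, which is the check to repeat after changing the SSL cipher configuration on the ASA.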

i am concerning about "hashing" SHA1 as shown below.

That's exactly what I'm talking about. SHA256 in the certificate is supported to authenticate the tunnel. That's all that is supported. It is not supported to protect the tunnel for integrity.

Thanks for the quick response.

SHA256 in the certificate is supported to authenticate the tunnel. That's all that is supported. It is not supported to protect the tunnel for integrity.

Are you saying "hashing" is not used to protect data integrity? Can you share a URL or link please, as I am very confused now.

I think I found my answer in the link below, thanks

https://supportforums.cisco.com/discussion/12752311/sha256-algorithm-not-showing-asa-ver-91