Question on Ciphers, and LDAP over SSL

neteng2323
Level 1

I have a FP9300 running in Multi-context mode. It is active|standby and I have several contexts. I have one context dedicated to remote access (anyconnect), and have a ldap over ssl configured for authentication. When I configured this originally I left all ssl ciphers at medium, and ssl over ldap just worked with the group of windows servers configured under aaa servers. A few nights ago we had a failover event and once the firewall failed to the other side it broke ssl over ldap. The configuration was identical on the other side and everything else was working fine. If I unchecked the box for ssl over ldap and just used port 389 it works, but no dice with the former. I tried everything until stumbling upon the cipher settings. After various combinations I got auth working again over port 636.

So, beside that being a head scratcher, I wanted to get some advice on what ciphers to use. If I set everything to medium, ldap over ssl will not work. I have to set custom for tls1.2 and default. If I have default set with low security it works, but if I try to specify too many ciphers for either it breaks. I'm not sure which ciphers to use that will offer good security, but also compatibility.

Accepted Solution

Dennis Mink
VIP Alumni

Do you happen to know what the other end supports? Is it a wimdoze AD box?

Please remember to rate useful posts, by clicking on the stars below.

Ha, yes it is a wimdoze AD environment. I don't know for sure what server versions, or ciphers they are using. Before working with the systems group, I wanted to pose the question here and get a better idea of what is best practice or at least commonly used. Honestly, I don't remember ever having to worry about the cipher settings until now.

^^^

This was it.

Turns out some of the windows servers were moved to a higher cipher suite at some point, and some were not. The way the ASA was configured before was to round robin to the different servers within domain. Apparently, it had marked a server ACTIVE that was set for a lower cipher suite and, lo and behold, broke ssl negotiation between the windows server and the asa in the process. The medium cipher suite on the asa was not supported on the windows server that it set as active. I did some individual testing of each server, finding the ones that did support the medium ciphers and for now I have hard coded those servers, and it's working properly.
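The per-server testing described in that last reply, written up as an added example (not code from the thread or from Cisco): a small Python probe that attempts a TLS 1.2 handshake on port 636 against each AAA server using only the cipher list you intend to configure on the ASA, so that servers which would break the round-robin show up before the next failover does. Server names are constructed, and the cipher list is written in OpenSSL syntax, which assumes you map each ASA suite name to its OpenSSL equivalent first.

```python
import socket
import ssl
from typing import Callable, Dict, List, Optional

# Constructed server names for illustration; substitute the AAA-server hosts
# configured under the remote-access context.
AAA_SERVERS = ["dc1.corp.example", "dc2.corp.example", "dc3.corp.example"]
# Candidate list in OpenSSL cipher-string syntax (the ASA uses its own names,
# so map each ASA suite to its OpenSSL equivalent before probing).
CANDIDATE_CIPHERS = "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256"


def probe_one(host: str, port: int, cipher_string: str, timeout: float = 5.0) -> Optional[str]:
    """Attempt one TLS 1.2 handshake to host:port restricted to cipher_string.

    Returns the negotiated cipher name, or None if the connection or the
    handshake fails (the same failure the ASA hits when the server it marked
    ACTIVE shares no suite with the configured list).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # Pin TLS 1.2: set_ciphers() does not govern TLS 1.3 suites, so a
    # TLS 1.3-capable server would otherwise "pass" regardless of the list.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # Only cipher overlap is measured here; certificate validation is left
    # to the ASA's own trustpoint configuration.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(cipher_string)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except (OSError, ssl.SSLError):
        return None


def survey(servers: List[str], cipher_string: str,
           probe: Callable[[str, int, str], Optional[str]] = probe_one) -> Dict[str, Optional[str]]:
    """Probe every server with the same list; `probe` is injectable for offline tests."""
    return {host: probe(host, 636, cipher_string) for host in servers}


def safe_to_pin(results: Dict[str, Optional[str]]) -> List[str]:
    """Servers that negotiated a suite, i.e. the ones safe to keep in the aaa-server group."""
    return sorted(host for host, cipher in results.items() if cipher)


if __name__ == "__main__":
    for host, cipher in survey(AAA_SERVERS, CANDIDATE_CIPHERS).items():
        print(f"{host}: {cipher or 'handshake FAILED'}")
```

Run it with each cipher list you are considering; any server that reports a failed handshake will break authentication the moment the ASA marks it ACTIVE.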