01-24-2017 10:25 AM - edited 02-21-2020 09:08 PM
Greetings to All,
We are running a client VPN using AnyConnect and ASA 5510s and 5520s using IKEv2. We have been told that as of 2/14/2017, Microsoft will no longer support certificates signed with SHA1. Here's what I've done to fix this so far:
1. I've updated our VPN servers' (the ASAs') identity certificates, but am concerned that it may also need to be implemented in the IKEv2 policy and IPsec proposal.
2. I was able to get the IKEv2 policy to use SHA256.
3. I was NOT able to get the IPsec proposal to support SHA2. I've seen a thread that points to our hardware platform as not supporting this.
The major concern is this: on 2/14/2017, will our AnyConnect clients still be able to work? I would think so, but I'm trying to get a definitive answer.
Any help would be greatly appreciated.
Thanks!
Dave
01-24-2017 12:54 PM
The Microsoft update only mentions SHA-1 TLS certificates. This should not affect IKE and IPsec proposals. As long as your certificate is updated to SHA2, you should have no issues.
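The answer above hinges on the identity certificate the ASA presents over TLS actually being SHA-2 signed. The following is an added example, not code from the original thread or from Cisco: it reads a DER-encoded X.509 certificate and reports the signatureAlgorithm OID using only the standard library, so it can be run on a headend's exported certificate without installing anything. The `make_test_certificate()` helper builds a constructed, unsigned skeleton with the right outer structure purely so the example runs offline; it is not a real certificate, and the host name `vpn.example.com` in the usage note is a placeholder.

```python
"""Report the signature hash of a DER X.509 certificate (stdlib only).

Added example for checking whether a VPN headend still serves a SHA-1 signed
identity certificate. Walks the outer ASN.1 structure:
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
and decodes the OID inside signatureAlgorithm.
"""
import sys

# Signature algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758.
SIG_ALGS = {
    "1.2.840.113549.1.1.5": ("sha1WithRSAEncryption", "SHA-1"),
    "1.2.840.113549.1.1.11": ("sha256WithRSAEncryption", "SHA-256"),
    "1.2.840.113549.1.1.12": ("sha384WithRSAEncryption", "SHA-384"),
    "1.2.840.113549.1.1.13": ("sha512WithRSAEncryption", "SHA-512"),
    "1.2.840.10045.4.1": ("ecdsa-with-SHA1", "SHA-1"),
    "1.2.840.10045.4.3.2": ("ecdsa-with-SHA256", "SHA-256"),
    "1.2.840.10045.4.3.3": ("ecdsa-with-SHA384", "SHA-384"),
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode OID content bytes to dotted notation (first byte packs arcs 1 and 2)."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return the dotted OID of Certificate.signatureAlgorithm.algorithm."""
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is the file PEM instead of DER?)")
    tag, _, tbs_end = _read_tlv(der, start)  # tbsCertificate, skipped whole
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, alg_start, _ = _read_tlv(der, tbs_end)  # AlgorithmIdentifier SEQUENCE
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(der[oid_start:oid_end])


def hash_family(der):
    """Return (algorithm name, hash name); unknown OIDs are returned as-is."""
    oid = signature_algorithm(der)
    return SIG_ALGS.get(oid, (oid, "unknown"))


def is_sha1_signed(der):
    return hash_family(der)[1] == "SHA-1"


# --- constructed test data, NOT a real certificate -------------------------
def _tlv(tag, value):
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def make_test_certificate(sig_oid):
    """Build a skeleton with Certificate's outer shape and the given signature OID."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))          # placeholder tbsCertificate
    alg = _tlv(0x30, _tlv(0x06, _encode_oid(sig_oid)) + b"\x05\x00")  # NULL params
    sig = _tlv(0x03, b"\x00" + b"\xAB" * 200)       # BIT STRING, long-form length
    return _tlv(0x30, tbs + alg + sig)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            der = f.read()
    else:  # no file given: demonstrate on the constructed skeleton
        der = make_test_certificate("1.2.840.113549.1.1.5")
    name, hash_name = hash_family(der)
    verdict = "SHA-1 signed: replace it" if is_sha1_signed(der) else "OK"
    print(f"{name} ({hash_name}) -> {verdict}")
```

Typical use: export the certificate the headend actually serves with `openssl s_client -connect vpn.example.com:443 </dev/null | openssl x509 -outform DER > headend.der`, then run `python3 check_sig_alg.py headend.der`. Only the leaf certificate is checked here; intermediates in the chain should be inspected the same way, since a SHA-1 intermediate is also affected by the deprecation.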
01-24-2017 01:35 PM
Thanks, Rahul. That's what I suspected. I just need to be 100% sure. --DW
02-01-2017 01:08 PM
02-01-2017 03:00 PM
I think that might be from an older release note. MS documentation states that Code signing certificates should be unaffected, only TLS certs will be made invalid.
https://social.technet.microsoft.com/wiki/contents/articles/32288.windows-enforcement-of-sha1-certificates.aspx#Summary
But in any case, sticking to the AnyConnect 4.3 and 4.4 releases is recommended as they should have the latest code signing certs.
02-02-2017 11:06 AM
I have to admit there is a lot of conflicting/contradicting info out there regarding this issue. I think I misunderstood the original post. I am concerned that Win 7 will not launch the AnyConnect client on the PC if it was signed with a SHA1 cert, and that's what I'm trying to find out. Sorry if I caused confusion.
02-02-2017 11:10 AM
No worries :) Your post made me re-check the MS documentation again, which is always good. You are right that there have been changes to the SHA-1 deprecation plan from the earlier info provided. Hopefully, the MS link posted above should be the single source of truth for the changes that will come about later this month.