SSL Ciphers

fatalXerror (Level 5)

Hi, I have an SSL remote-access VPN and I want to change the SSL ciphers to strong ones for hardening.

Does the AnyConnect client handle the SSL ciphers for the computer and exchange them with the ASA VPN firewall, or does AnyConnect have nothing to do with that and it is instead the computer itself?

Thanks

1 Reply

It's both the AnyConnect client with its built-in libraries and the operating system that need to support strong ciphers. But if you use an actual AnyConnect and one of the more modern OSes, you can strengthen the TLS security. Here are my settings that are working fine for my clients:

ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA"
ssl dh-group group14
ssl ecdh-group group19

Leaving DTLS enabled is a trade-off between security and usability. Having it enabled reduces the security to a TLS 1.1 level. But compared to the rest of the network, this is often still the most secure link in the organization.
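An added offline check (example code, not from the original post and not a Cisco tool): a small Python auditor that parses ASA `ssl` lines in the format shown above and flags, per cipher suite, the properties a hardening review looks for (forward secrecy, AEAD versus CBC, SHA-1 HMAC, legacy algorithms) plus the protocol version and DH group size. The config snippet embedded in it is a constructed copy of the reply's settings; suites are classified by OpenSSL cipher-name convention (the TLS 1.2-era names the ASA uses), and the DH group bit sizes are the standard IKE group sizes.

```python
"""Audit Cisco ASA 'ssl ...' lines for TLS hardening (added example, offline)."""
import re

# Constructed config: a copy of the settings from the reply above.
ASA_CONFIG = """\
ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA"
ssl dh-group group14
ssl ecdh-group group19
"""

VERSION_RE = re.compile(r'^\s*ssl server-version (\S+)')
CIPHER_RE = re.compile(r'^\s*ssl cipher (\S+) custom "([^"]*)"')
DH_RE = re.compile(r'^\s*ssl dh-group (\S+)')

# Modulus size of the finite-field DH groups the ASA offers (IKE group numbering).
DH_GROUP_BITS = {"group1": 768, "group2": 1024, "group5": 1536,
                 "group14": 2048, "group24": 2048}

AEAD_MARKERS = ("GCM", "CCM", "CHACHA20")
LEGACY_MARKERS = ("RC4", "3DES", "DES", "NULL", "EXPORT", "MD5")


def analyze_cipher(name: str) -> list:
    """Return the weaknesses of one OpenSSL-style (TLS 1.2-era) suite name.

    The key-exchange token is the first '-' separated part; the MAC is the last.
    Assumption: TLS 1.3 names (no kx prefix) are not in scope, as in the post.
    """
    parts = name.split("-")
    findings = []
    if parts[0] not in ("ECDHE", "DHE"):
        findings.append("no forward secrecy")
    if not any(m in parts for m in AEAD_MARKERS):
        findings.append("CBC mode, not AEAD")
    if parts[-1] == "SHA":
        findings.append("SHA-1 HMAC")
    if any(m in parts for m in LEGACY_MARKERS):
        findings.append("legacy algorithm")
    return findings


def audit(config: str) -> dict:
    """Walk the ssl lines and collect per-suite and protocol-level findings."""
    report = {"server_version": None, "protocol_findings": [], "ciphers": {}}
    for line in config.splitlines():
        m = VERSION_RE.match(line)
        if m:
            ver = m.group(1)
            report["server_version"] = ver
            if ver in ("tlsv1", "tlsv1.1"):
                report["protocol_findings"].append(
                    f"server-version {ver} allows pre-TLS 1.2 handshakes")
            continue
        m = CIPHER_RE.match(line)
        if m:
            proto, suites = m.group(1), m.group(2).split()
            report["ciphers"][proto] = {s: analyze_cipher(s) for s in suites}
            if proto == "dtlsv1":
                # DTLS 1.0 is built on TLS 1.1, which has no AEAD suites at all,
                # so the DTLS cipher line can never match the TLS 1.2 line's strength.
                report["protocol_findings"].append(
                    "dtlsv1 is DTLS 1.0 (TLS 1.1 equivalent): only CBC/SHA-1 suites possible")
            continue
        m = DH_RE.match(line)
        if m:
            group = m.group(1)
            bits = DH_GROUP_BITS.get(group, 0)
            if bits < 2048:
                report["protocol_findings"].append(
                    f"dh-group {group} ({bits}-bit) is below 2048 bits")
    return report


if __name__ == "__main__":
    r = audit(ASA_CONFIG)
    print("server-version:", r["server_version"])
    for proto, suites in r["ciphers"].items():
        for suite, findings in suites.items():
            print(f"{proto:8} {suite:32} {', '.join(findings) or 'ok'}")
    for f in r["protocol_findings"]:
        print("note:", f)
```

Run against the reply's settings, every suite on the tlsv1.2 line comes back clean while both DTLS suites are flagged for CBC mode and SHA-1, which is the concrete meaning of "reduces the security to a TLS 1.1 level" in the reply. Paste your own `show running-config ssl` output into `ASA_CONFIG` to audit a real device.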