cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1114
Views
0
Helpful
1
Replies

SSL Ciphers

fatalXerror
Level 5
Level 5

Hi, I have an SSL remote-access VPN and I want to change the SSL ciphers to a strong one due to hardening.

Does the AnyConnect client handles the SSL ciphers for the computer and exchanges it to the ASA VPN firewall or the AnyConnect is nothing to do with that but instead the computer itself?

Thanks

1 Reply 1

It's both the AnyConnect client with it's build-in libraries and the operating-system that needs to support strong ciphers. But if you use an actual AnyConnect and one of the more modern OS, you can strengthen the TLS-security. Here are my settings that are working fine for my clients:

 

ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-GCM-SHA256 DHE-RSA-AES128-GCM-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES128-SHA DHE-RSA-AES256-SHA"
ssl dh-group group14
ssl ecdh-group group19

Leaving DTLS enabled is a trade-off between security and usability. But having it enabled, reduces the security to a TLS 1.1 level. But if compared to the rest of the network, this is often still the most secure link in the organization.