SSL VPN Cipher upgrade question

MattRepko
Level 1

A recent third party security review recommended that we update the ciphers used for our SSL VPN.  Our clients connect using the AnyConnect client which I know needs to be upgraded for some users.  I am trying to find a guide or steps explaining the process of upgrading to TLS 1.2 (at a minimum) but I also want to understand what version of AnyConnect needs to be in the mix.  I don't want to upgrade the ciphers and leave our remote users without a means to connect to the VPN.

Current SSL protocols and ciphers in use:

ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default custom "RC4-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 custom "RC4-SHA:AES256-SHA:DES-CBC3-SHA"
ssl dh-group group2
ssl ecdh-group group19

I found one article which recommended the following commands be applied:

ssl server-version tlsv1.2
ssl client-version tlsv1.2
ssl cipher tlsv1.2 high
ssl dh-group group24

Would you agree with these changes, and what impact, if any, might there be on the end-user devices?

Thank you for any and all advice

1 Reply

Hi @MattRepko 

Use the command "show vpn-sessiondb ratio encryption" to determine what your client computers are currently negotiating. From there you can determine what they are capable of. Generally if you are running Windows 10, they should be easily capable of supporting more secure algorithms.

Your output doesn't list DTLS 1.2. What version of ASA are you running? If running 9.10 or greater you should have DTLS 1.2, which is more secure and has better performance. Normally an AnyConnect client will establish a DTLS and a TLS tunnel; DTLS will be used by default for data transfer and fall back to TLS if required. You should also use AnyConnect 4.7 or newer to benefit from improved security and performance.

DH Group 24 is deprecated in newer versions, so I'd recommend DH group 14.

HTH
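An added example, not part of either post above: a small Python audit script that parses the `ssl` lines quoted in the question and flags what the review and the reply call out (protocol minimums below TLS 1.2, RC4 and 3DES in custom cipher lists, predefined levels below `high`, DH group2 and the deprecated group24). The sample config is the one from the question; the DH-group notes follow the reply's advice, and the check on `medium` compares only the level name, not the suites it actually contains, which is an assumption to verify on the box.

```python
import shlex

# Constructed sample input: the running config quoted in the question above.
CURRENT_CONFIG = """\
ssl server-version tlsv1
ssl client-version tlsv1
ssl cipher default custom "RC4-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "RC4-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 medium
ssl cipher tlsv1.2 medium
ssl cipher dtlsv1 custom "RC4-SHA:AES256-SHA:DES-CBC3-SHA"
ssl dh-group group2
ssl ecdh-group group19
"""

# Ordering of the ASA version keywords; any minimum below tlsv1.2 is flagged.
VERSION_RANK = {"tlsv1": 0, "dtlsv1": 0, "tlsv1.1": 1, "tlsv1.2": 2, "dtlsv1.2": 2, "tlsv1.3": 3}
WEAK_SUITE_MARKERS = ("RC4", "DES-CBC", "NULL", "MD5")   # RC4, DES/3DES, no encryption, MD5 MAC
DH_GROUP_ISSUES = {"group2": "1024-bit DH, too small", "group24": "deprecated on newer ASA code, use group14"}

def audit_ssl_config(config_text):
    """Return a list of (config_line, finding) tuples for settings that should change."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line.startswith("ssl "):
            continue
        tokens = shlex.split(line)   # shlex keeps the quoted cipher list as one token
        if tokens[1] in ("server-version", "client-version"):
            if VERSION_RANK.get(tokens[2], 0) < VERSION_RANK["tlsv1.2"]:
                findings.append((line, f"{tokens[1]} allows {tokens[2]}; set tlsv1.2 or higher"))
        elif tokens[1] == "cipher":
            level = tokens[3]
            if level == "custom":
                weak = [s for s in tokens[4].split(":") if any(m in s for m in WEAK_SUITE_MARKERS)]
                if weak:
                    findings.append((line, "weak suites in custom list: " + ", ".join(weak)))
            elif level != "high":
                findings.append((line, f"predefined level '{level}' is below 'high'"))
        elif tokens[1] == "dh-group" and tokens[2] in DH_GROUP_ISSUES:
            findings.append((line, DH_GROUP_ISSUES[tokens[2]]))
    return findings

if __name__ == "__main__":
    for line, finding in audit_ssl_config(CURRENT_CONFIG):
        print(f"{line:<60} -> {finding}")
```

Run it against the recommended block from the question and the only remaining finding is the group24 line, which is exactly the point the reply makes.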