04-10-2024 02:39 PM - edited 04-11-2024 07:45 AM
Hello,
When configuring SSL VPN, the default encryption type is "ssl server-version tlsv1.2 dtlsv1.2", which only shows up with a "show run all". In that output, I can also see that "ssl cipher tlsv1.2 medium" and "ssl cipher dtlsv1.2 medium" are displayed even though I have "fips enable" configured. Which encryption types are being used, the FIPS ones or the medium ones?
Thanks in advance!
04-10-2024 11:07 PM
show ssl ciphers <all/low/medium/high/fips>
Do above command and you can see cipher allow for each level.
MHM
04-11-2024 03:36 AM
When you have FIPS (Federal Information Processing Standards) enabled on your SSL VPN configuration, it enforces the use of FIPS-compliant encryption algorithms. In your case, even though "ssl cipher tlsv1.2 medium" and "ssl cipher dtlsv1.2 medium" are displayed in the output, the FIPS configuration takes precedence.
The "fips" option ensures that only FIPS-compliant ciphers are used, excluding non-compliant ones like NULL-SHA, DES-CBC-SHA, RC4-MD5, RC4-SHA, and DES-CBC3-SHA. So the appearance of "medium" in the output, the ASA will prioritize FIPS-compliant ciphers when establishing SSL VPN connections.
In essence, when FIPS is enabled, the ASA prioritizes FIPS-compliant encryption for SSL VPN connections, following the specifications set by the "fips" option, regardless of the "medium" setting displayed in the output. hope this helps.
04-11-2024 06:52 AM
Hello Sheras.Salim,
Thanks for your response. As a test, I ran 'show ssl ciphers' before and after configuring 'fips enable'. Based on what you wrote, I thought the lists would be different, I thought that only FIPS supported ciphers would be listed with FIPS enabled. However, the two lists are the same. How can I verify that only FIPS supported ciphers are being used?
Thanks in advance!
FIPS not enabled
firewall# show ssl ciphers
Current cipher configuration:
default (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.2 (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
dtlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
dtlsv1.2 (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
FIPS enabled
firewall# show ssl ciphers
Current cipher configuration:
default (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
tlsv1.2 (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
dtlsv1 (medium):
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
dtlsv1.2 (medium):
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
AES256-GCM-SHA384
ECDHE-ECDSA-AES256-SHA384
ECDHE-RSA-AES256-SHA384
DHE-RSA-AES256-SHA256
AES256-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
AES128-GCM-SHA256
ECDHE-ECDSA-AES128-SHA256
ECDHE-RSA-AES128-SHA256
DHE-RSA-AES128-SHA256
AES128-SHA256
DHE-RSA-AES256-SHA
AES256-SHA
DHE-RSA-AES128-SHA
AES128-SHA
04-11-2024 07:02 AM
Run level low
Then show before fips and after fips
I think the cipher are not allow when fips enable in level low not medium.
MHM
04-15-2024 08:08 AM - edited 04-15-2024 08:12 AM
Hello MHM,
I removed FIPS from my config and set each of the SSL ciphers to "low". When I ran "show ssl ciphers" as you suggested, each of the SSL ciphers includes DES-CBC3-SHA (non-FIPS compliant). When I set each of the ciphers to medium, DES-CBC3-SHA is removed from the "show ssl ciphers" output.
I then added FIPS to my config and set each of the SSL ciphers to "low". I ran "show ssl ciphers" again, as you suggested, and each of the SSL ciphers includes DES-CBC3-SHA (non-FIPS compliant). When I set each of the ciphers to medium, DES-CBC3-SHA is removed from the "show ssl ciphers" output.
So, having FIPS enabled doesn't seem to have an effect on whether DES-CBC3-SHA is included or not when the SSL ciphers are set to "low". For the record, I rebooted my ASA each time I turned FIPS off or on per ASDM's guidance.
By the way, there's no difference in "show ssl ciphers" output between "medium" and "fips". I'm not sure why "fips" is offered as a choice when there's no difference...
04-15-2024 08:13 AM
Fips includes all FIPS-compliant ciphers, except NULL-SHA, DES-CBC-SHA, RC4-MD5, RC4-SHA, and DES-CBC3-SHA.
MHM
04-15-2024 08:17 AM
Hello MHM,
That link also suggests that there's no difference between "medium" and "fips". Strange that Cisco included both options with the ciphers being the same...
Thanks!
04-11-2024 07:07 AM
It's interesting to note that the output of "show ssl ciphers" remains the same even after enabling FIPS. However, this doesn't necessarily mean that FIPS isn't being enforced. To verify whether only FIPS-supported ciphers are being used, you can analyze the handshake messages during SSL VPN connections to ensure that the negotiated cipher suites comply with FIPS standards.
04-16-2024 05:22 AM
FIPS 140-2 and 3 are just standards that require minimum ciphers to be enabled. I wouldn't be surprised if those ciphers match a template on the firewalls as shown in your case. However, please note that enabling FIPS doesn't only imply having the set of ciphers, instead it could part of the pre-reqs to be compliant for CC or UCAPL.
04-16-2024 06:57 AM
Hello Aref,
Thanks for your post. I naively assumed that enabling FIPS would ensure that the ASA would only use FIPS approved ciphers. My testing with "fips enable" and ssl cipher levels, low and medium, demonstrated that just enabling FIPS doesn't remove non-fips ciphers. Turns out, the ssl cipher levels include low, medium, fips, and high. So, whatever the fips global setting does, it isn't all inclusive.
04-17-2024 02:55 AM
Hi Robert,
Could you please try to run a scan on the firewall outside interface with FIPS enabled and check what the result would be? you can use SSL Server Test (Powered by Qualys SSL Labs) for that, it's free.
04-17-2024 04:42 AM
Hey @Aref Alsouqi I have found this Link it could be helpful for the Robert. But your provided link is also a good link too. Hope this provide link will be helpful.
04-17-2024 05:40 AM
Hello Aref,
That link is easily the best thing I've seen on the Internet in a long while. Wow! That's an awesome tool! Thanks!
04-17-2024 06:09 AM
You're very welcome Robert : - D.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide