7030 Views | 0 Helpful | 5 Replies

Unable to run TLS 1.2 for cisco anyconnect VPN client

sluge (Level 1)

Unable to run TLS 1.2

Hello,

I'm using Cisco AnyConnect Secure Mobility Client for Windows (Windows 10) v 4.8.

I'm trying to connect using it to the server with TLS 1.2 but I failed because the VPN client uses only TLS 1.0. This client doesn't have a TLS implementation, it uses the Windows one.

I did a lot of registry changes to activate TLS 1.2 support on Windows 10: 

"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.0\client\TLS1.0\DisabledByDefault=1, Enabled=0"

"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.0\client\TLS1.1\DisabledByDefault=1, Enabled=0"

"HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS1.0\client\TLS1.2\DisabledByDefault=0, Enabled=1"
"HKLM\\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols=0xaa0"

"HKEY\LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp\DefaultSecureProtocols=0xaa0"

Don't know what more to do. Is there any ready-to-use fix to enable TLS 1.2?

5 Replies

Hi,
Windows 10 with AnyConnect 4.8 should support TLS 1.2 without modifications.

What version of ASA software are you running? TLS 1.2 was introduced in ASA v9.3; you should aim to run v9.10 or above, as DTLS 1.2 was introduced in v9.10 and has better performance than TLS.

Please provide the output of "show run ssl" from the ASA.

HTH

> Windows 10 with AnyConnect 4.8 should support TLS 1.2 without modifications.

Yes, but it doesn't.

> What version of ASA software are you running?

I don't know, I'm just a user. Now I'm using the OpenConnect GUI client, it works OK with TLS-1.2-RSA-AES-126-CBC-SHA1. But the maximum that I could get from "Cisco AnyConnect Secure Mobility Client" is RSA_AES_256_SHA1. Why doesn't Cisco VPN support TLS 1.2? Is something wrong with my Windows?

Nothing is wrong with your Windows (most likely).

The TLS (and DTLS) versions used are based on a negotiation between the AnyConnect client and the ASA headend at the time of connection. As long as you have a relatively current AnyConnect client (4.7 or above), it is capable of TLS and DTLS 1.2. However, if the ASA isn't running 9.10 or higher (and reachable via udp/443 for DTLS), its capabilities will be limited to the less secure and less efficient versions of TLS.

Marvin, am I right that the AnyConnect client for Windows doesn't use the Windows TLS, DTLS and other libs but its own, like OpenConnect? The main problem here is that hundreds of other users use this ASA with the AnyConnect client, even on Windows 7, and it works OK. But for me it failed.

There could be any number of non-local reasons why your client is failing to negotiate TLS 1.2. It could be a middlebox like a firewall or other gateway between you and the ASA.

You can do a packet capture while connecting and confirm what protocol is being offered by your client, then see the reply from the ASA. Look for the TCP 3-way handshake, then the Client Hello and the Server Hello response.

[Image: TLS 1.2 Connection]
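To make the capture check above concrete, here is an added example that is not part of this thread: a small Python parser that pulls the version field and the supported_versions extension out of a raw TLS ClientHello or ServerHello record, so you can tell from the bytes whether the client offered TLS 1.2 at all and which version the ASA selected. The build_hello helper and the records it produces are constructed for the demo, not captured traffic.

```python
import struct

# Version codes as they appear on the wire (record header, Hello body, supported_versions ext)
VERSIONS = {0x0301: "TLS 1.0", 0x0302: "TLS 1.1", 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
SUPPORTED_VERSIONS_EXT = 43  # extension type from RFC 8446

def hello_versions(record: bytes):
    """Parse a raw TLS handshake record holding a ClientHello or ServerHello and return
    (handshake name, legacy version field, versions listed in supported_versions)."""
    ctype, _rec_ver, _rec_len = struct.unpack("!BHH", record[:5])
    hs_type, hs_len = record[5], int.from_bytes(record[6:9], "big")
    if ctype != 22 or hs_type not in (1, 2):
        raise ValueError("not a ClientHello/ServerHello record")
    body = record[9:9 + hs_len]
    legacy = struct.unpack("!H", body[:2])[0]        # pre-1.3 clients: highest version offered
    pos = 2 + 32 + 1 + body[34]                       # skip version, random, session id
    if hs_type == 1:
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suite list
        pos += 1 + body[pos]                                   # compression methods
    else:
        pos += 3                                               # chosen suite + compression
    listed = []
    if pos + 2 <= len(body):                                   # extensions block is optional
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            data = body[pos + 4:pos + 4 + elen]
            if etype == SUPPORTED_VERSIONS_EXT:
                vals = data[1:] if hs_type == 1 else data      # client form has a length byte
                listed = [struct.unpack("!H", vals[i:i + 2])[0] for i in range(0, len(vals), 2)]
            pos += 4 + elen
    name = "ClientHello" if hs_type == 1 else "ServerHello"
    return name, VERSIONS.get(legacy, hex(legacy)), [VERSIONS.get(v, hex(v)) for v in listed]

def build_hello(hs_type: int, legacy: int, supported=()) -> bytes:
    """Constructed sample record (not captured traffic): minimal Hello with one cipher suite."""
    body = struct.pack("!H", legacy) + bytes(32) + b"\x00"     # version, zero random, no session id
    body += b"\x00\x02\x00\x2f\x01\x00" if hs_type == 1 else b"\x00\x2f\x00"
    ext = b""
    if supported:
        data = b"".join(struct.pack("!H", v) for v in supported)
        data = bytes([len(data)]) + data if hs_type == 1 else data
        ext = struct.pack("!HH", SUPPORTED_VERSIONS_EXT, len(data)) + data
    body += struct.pack("!H", len(ext)) + ext
    hs = bytes([hs_type]) + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Feed hello_versions the TCP payload of the first record in each direction of the capture; a ClientHello whose legacy version is TLS 1.0 with no supported_versions extension means the client never offered 1.2, while a ServerHello answering TLS 1.0 to a 1.2 offer points at the headend or something in between.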
