
Weak cipher suites for VPN

Hello, 

I use ASAv v9.12.3 for VPN handling.

I tested the certificate on ssllabs.com and I got a score I do not like!!

It says, among other things, that the cipher suites are weak and should be disabled.

 

TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 256
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 (0xc027) ECDH secp256r1 (eq. 3072 bits RSA) FS WEAK 128

 

I would like to ask what cipher suites I should use in their place?

Is there a recommendation?

 

When I change them in ASDM, will there be an impact on the connected users?

 

Thanks and regards, 

Konstantinos


Re: Weak cipher suites for VPN

Hi,

The AES-GCM ciphers are more secure than AES-CBC; you should probably also consider using only TLS 1.2 and DTLS 1.2 (DTLS 1.2 requires AnyConnect 4.7+). You would need to use a custom cipher list, as the default tlsv1.2 "high" list contains the ciphers you do not wish to use.

 

ssl server-version tlsv1.2 dtlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 AES256-GCM-SHA384"
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 AES256-GCM-SHA384"

If you need to back out, then prepend "no" and repeat the above commands.

 

Before making the change, use the command show vpn-sessiondb ratio encryption and work out which encryption protocol your clients are currently connected with.

 


 

Make sure you are using at least AnyConnect 4.7, ideally 4.8 - determine this before you make the changes. If your client computers are using Windows 10 and AnyConnect 4.7/4.8, they are probably already connecting using AES-GCM as this is the default, so you shouldn't have any issue changing the ciphers.

 

If you have trouble connecting to ASDM after changing the ciphers, upgrade your Java version - as your current version may not support TLS 1.2.

 

Refer to this best practices guide for more information.

 

HTH
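
Added example, not part of the original thread and not Cisco code: a small Python audit that reads the ssl cipher ... custom lines from a saved configuration and flags suites that are not AEAD or that lack forward secrecy. The sample configuration is constructed from the commands in the reply; the function names and the name-based heuristics are assumptions for illustration and cover OpenSSL-style TLS 1.2 / DTLS 1.2 suite names only.

```python
import re

# Constructed sample: the commands from the reply above, as saved config text.
SAMPLE_CONFIG = '''\
ssl server-version tlsv1.2 dtlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 AES256-GCM-SHA384"
ssl cipher dtlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 AES256-GCM-SHA384"
'''

# OpenSSL-style names of the two suites SSL Labs flagged in the question
# (0xc028 and 0xc027).
FLAGGED_IN_QUESTION = ["ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-SHA256"]

CUSTOM_LINE = re.compile(r'^\s*ssl cipher (\S+) custom "([^"]*)"')

NOT_AEAD = "not AEAD (CBC or stream mode)"
NO_FS = "no forward secrecy (no ephemeral key exchange)"

def classify(suite):
    """Findings for one TLS 1.2 / DTLS 1.2 suite name (name-based heuristic)."""
    findings = []
    if not re.search(r"GCM|CCM|CHACHA20", suite):
        findings.append(NOT_AEAD)
    if not suite.startswith(("ECDHE-", "DHE-")):
        findings.append(NO_FS)
    return findings

def audit(config_text):
    """Return {protocol: {suite: [findings]}} for every custom cipher list."""
    report = {}
    for line in config_text.splitlines():
        m = CUSTOM_LINE.match(line)
        if m:  # level keywords such as "high" are not expanded here
            suites = [s for s in re.split(r"[:\s]+", m.group(2)) if s]
            report[m.group(1)] = {s: classify(s) for s in suites}
    return report

def flagged(report):
    """Flatten the report to sorted (protocol, suite, finding) tuples."""
    return sorted((p, s, f) for p, d in report.items()
                  for s, fs in d.items() for f in fs)

if __name__ == "__main__":
    for row in flagged(audit(SAMPLE_CONFIG)):
        print(*row, sep="\t")
    for suite in FLAGGED_IN_QUESTION:
        print("question", suite, ", ".join(classify(suite)), sep="\t")
```

On the sample, the three ECDHE/DHE GCM suites pass both checks, while AES256-GCM-SHA384 is reported as lacking forward secrecy because it uses static RSA key exchange.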