Configuring Cisco ASA SSL Ciphers
by Andrew Kroh
To protect against SSL vulnerabilities it is important to disable SSLv3 and weak ciphers on your cisco ASA device.
To enumerate the ciphers supported by the device I use an openssl wrapper script called cipherscan that is available on github. On a default Cisco ASA setup here is what ciphers are available.
bash-4.3$ ./cipherscan sslvpn.example.com
.......
Target: sslvpn.example.com:443
prio ciphersuite protocols pfs_keysize
1 RC4-SHA SSLv3,TLSv1
2 DHE-RSA-AES128-SHA TLSv1 DH,1024bits
3 DHE-RSA-AES256-SHA TLSv1 DH,1024bits
4 AES128-SHA SSLv3,TLSv1
5 AES256-SHA SSLv3,TLSv1
6 DES-CBC3-SHA SSLv3,TLSv1
Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering
To change the supported protocols and ciphers, login to the Cisco ASA via SSH.
You can list the current SSL configuration with show ssl
and then make the required changes.
You should disable SSLv3 due to the POODLE vulnerability. And you should verify that you are using strong ciphers. I prefer to use ciphers that support PFS, but the Cisco AnyConnect IOS app for the SSL VPN does not support the PFS ciphers so I had to include aes256-sha1 and aes128-sha1.
asa5505(config)# ssl client-version tlsv1-only
asa5505(config)# ssl server-version tlsv1
asa5505(config)# ssl encryption dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
asa5505# show ssl
Accept connections using SSLv2 or greater and negotiate to TLSv1
Start connections using TLSv1 only and negotiate to TLSv1 only
Enabled cipher order: dhe-aes256-sha1 dhe-aes128-sha1 aes256-sha1 aes128-sha1
And finally verify the changes using cipherscan.
bash-4.3$ ./cipherscan sslvpn.example.com
...
Target: sslvpn.example.com:443
prio ciphersuite protocols pfs_keysize
1 DHE-RSA-AES256-SHA TLSv1 DH,1024bits
2 DHE-RSA-AES128-SHA TLSv1 DH,1024bits
3 AES256-SHA TLSv1
4 AES128-SHA TLSv1
Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Server side cipher ordering
Subscribe via RSS