Saturday, March 9, 2019

Cisco ASA aaa-server, and ssl ciphers

I have a Cisco FP9300 running on code 9.1.7.4. I am having some issues getting LDAP over SSL working to my aaa-servers. I've verified certain ciphers work in my lab, but I'm not sure what is best practice as far as what should be used. If I just set all cipher levels to medium, it will not negotiate SSL with the aaa-server, and test authentications fail. I have to use custom ciphers to get it to work.

Below is the SSL config, and this currently works. I feel it's secure based on reading, but I'd like to also make sure I'm offering compatibility. There are other combos that work as well. I've found the default cipher setting causes auth to fail if it's not configured to something that the aaa-server supports.

show run ssl
ssl server-version tlsv1.2
ssl cipher default custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256"
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256"
ssl dh-group group24
ssl ecdh-group group20

show ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1 and negotiate to TLSv1 or greater
SSL DH Group: group24 (2048-bit modulus, 256-bit prime order subgroup, FIPS)
SSL ECDH Group: group20 (384-bit EC)

show ssl ciphers
Current cipher configuration:
default (custom):
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
tlsv1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1.1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1.2 (custom):
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
dtlsv1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
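An added compatibility check (example code, not from the original post or from Cisco) that takes the cipher strings posted above and tests, suite by suite, which of them the LDAPS aaa-server actually completes a TLS 1.2 handshake with, so a custom list can be trimmed or widened from evidence rather than trial and error. The host, port and CA file are assumed inputs; server_cert_type only classifies suite names, and also shows that every suite in the "medium" list needs an RSA server certificate while the working custom list is ECDSA-only.

```python
"""Probe which of the ASA's configured TLS 1.2 ciphers an LDAPS aaa-server
accepts. The names in an ASA 'ssl cipher ... custom' string are OpenSSL
cipher names, so each can be passed to Python's ssl module unchanged."""
import socket
import ssl

# Cipher list from the 'ssl cipher tlsv1.2 custom' line in the post above.
ASA_TLS12_CUSTOM = ("ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 "
                    "ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-SHA256")
# Ciphers the ASA offers at the 'medium' level, per 'show ssl ciphers' above.
ASA_MEDIUM = "DHE-RSA-AES256-SHA AES256-SHA DHE-RSA-AES128-SHA AES128-SHA"

def parse_cipher_string(cipher_string):
    """Split an ASA custom cipher string into individual OpenSSL suite names."""
    return cipher_string.split()

def server_cert_type(cipher):
    """Key type the server certificate must have for this suite to be usable:
    ECDHE-ECDSA suites need an ECDSA cert; AES*-SHA* and DHE-RSA need RSA."""
    return "ECDSA" if "-ECDSA-" in cipher else "RSA"

def usable_ciphers(asa_ciphers, server_ciphers):
    """Suites both sides support, in the ASA's configured preference order."""
    offered = set(server_ciphers)
    return [c for c in asa_ciphers if c in offered]

def probe_cipher(host, port, cipher, cafile=None, timeout=5.0):
    """Attempt one TLS 1.2 handshake restricted to a single suite. Returns the
    negotiated suite name, or None if the server refused it. Certificate
    verification stays on; pass cafile (assumed input) for a private CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.cipher()[0]
    except ssl.SSLCertVerificationError:
        raise  # a trust problem, not a cipher mismatch: surface it
    except (ssl.SSLError, OSError):
        return None

if __name__ == "__main__":
    import sys
    host = sys.argv[1]  # assumed: LDAPS server name, e.g. ldap.example.internal
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 636
    for suite in parse_cipher_string(ASA_TLS12_CUSTOM):
        print(f"{suite:32} {'ok' if probe_cipher(host, port, suite) else 'rejected'}")
```

Run it against each aaa-server from a host on the same network path as the ASA; a suite reported as rejected will fail the same way when the ASA offers it.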


