Thursday, April 18, 2019

AnyConnect Perfect Forward Secrecy

I am trying to raise my score on SSL Labs for our ASA VPN device (running ASA 9.9(2)), with AnyConnect clients 4.5.03040.

The SSL settings are set as follows:

ssl server-version tlsv1.2
ssl cipher default custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"

Would the following work?

ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"
ssl dh-group group14

From my ASA:

Result of the command: "show ssl ciphers all"

These are the ciphers for the given cipher level; not all ciphers are supported by all versions of SSL/TLS. These names can be used to create a custom cipher list

ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
AES256-GCM-SHA384 (tlsv1.2)
ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-SHA384 (tlsv1.2)
DHE-RSA-AES256-SHA256 (tlsv1.2)
AES256-SHA256 (tlsv1.2)
ECDHE-ECDSA-AES128-GCM-SHA256 (tlsv1.2)
ECDHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
DHE-RSA-AES128-GCM-SHA256 (tlsv1.2)
AES128-GCM-SHA256 (tlsv1.2)
ECDHE-ECDSA-AES128-SHA256 (tlsv1.2)
ECDHE-RSA-AES128-SHA256 (tlsv1.2)
DHE-RSA-AES128-SHA256 (tlsv1.2)
AES128-SHA256 (tlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
RC4-SHA (tlsv1)
RC4-MD5 (tlsv1)
DES-CBC-SHA (tlsv1)
NULL-SHA (tlsv1)
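To see which of the ASA's listed suites actually give forward secrecy for each protocol version, here is an added example (not from the post, not Cisco's code): it parses the "show ssl ciphers all" format shown above, using a shortened sample constructed from that output, keeps only the ECDHE/DHE suites for a given version, and renders them in the space-separated form used in the proposed config. The AEAD-first ordering is my own choice, not an ASA requirement.

```python
import re

# Constructed sample: a shortened copy of the "show ssl ciphers all"
# listing from the post, in the same "NAME (versions)" format.
SAMPLE_OUTPUT = """
ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)
ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)
AES256-GCM-SHA384 (tlsv1.2)
ECDHE-RSA-AES128-SHA256 (tlsv1.2)
DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)
RC4-MD5 (tlsv1)
NULL-SHA (tlsv1)
"""

LINE_RE = re.compile(r"^\s*([A-Z0-9-]+)\s*\(([^)]*)\)\s*$")

def parse_ciphers(text):
    """Return {cipher_name: set(protocol versions)} from the ASA listing."""
    table = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            table[m.group(1)] = {v.strip() for v in m.group(2).split(",")}
    return table

def has_pfs(name):
    """Ephemeral (EC)DH key exchange is what provides forward secrecy;
    plain RSA key-transport suites (AES256-SHA, DES-CBC3-SHA, ...) do not."""
    return name.startswith(("ECDHE-", "DHE-"))

def pfs_ciphers_for(table, version):
    """Suites the ASA offers for `version` that use an ephemeral exchange,
    AEAD (GCM) suites first, then alphabetical (ordering is my assumption)."""
    names = [n for n, vers in table.items() if version in vers and has_pfs(n)]
    return sorted(names, key=lambda n: ("GCM" not in n, n))

def custom_cipher_command(table, version):
    """Render an `ssl cipher <version> custom "..."` line, space-separated
    as in the proposed config above."""
    return 'ssl cipher %s custom "%s"' % (version, " ".join(pfs_ciphers_for(table, version)))

if __name__ == "__main__":
    table = parse_ciphers(SAMPLE_OUTPUT)
    for ver in ("tlsv1.2", "dtlsv1"):
        print(custom_cipher_command(table, ver))
        dropped = [n for n, vers in table.items() if ver in vers and not has_pfs(n)]
        print("  # dropped (no forward secrecy):", ", ".join(dropped))
```

On the real listing the dtlsv1 result is limited to DHE-RSA-AES256-SHA and DHE-RSA-AES128-SHA, since the output shows no ECDHE or GCM suites for DTLS.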

