CCIE or Null!

My journey to CCIE!

Cisco ASA presents self-signed cert in certain SSL negotiations – CSCuu02848 / CSCuw02001

with one comment

Just kind of a shout-out to those running ASA’s, be careful when you upgrade to v9.4+ or v9.5+, and beyond.

In v9.4+ when the ASA attempts to negotiate an SSL connection it will attempt to use an ECDSA Cipher as part of TLS v1.2 if the client supports Elliptic Curve ciphers. In this situation the ASA will present it’s self-signed certificate regardless of it’s configuration.

You’ve got 2x Options to fix this:

  1. Use an ECDSA Certificate
  2. Disabled ECDSA Cipher with the following command: (Might want to cut-out some of those weaker ciphers)

ssl cipher tlsv1.2 custom “AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5”

Funny thing is, this is mentioned in the v9.4 release notes. However, it is not mentioned in the v9.5 release notes, so if you were to say upgrade from v9.2 or v9.3 and hop directly to v9.5 (A fully supported upgrade path) this could be something that creeps up on you. After all why you read through the release notes of release you are completely skipping!

Direct Link to the bug can be found here.

You can easily verify this by capturing the SSL Negotiation and checking the Client Hello for TLSv1.2 and EC Ciphers:

EC-SSL

Of course the Browser Certificate error will be a dead giveaway but sometimes it’s nice to check.

Do keep in mind though, in order to be affected by this you must be doing the following:

  • SSL Services running the ASA
  • Running v9.4 or beyond
  • Running the default SSL Ciphers for TLSv1.2
  • Be running an RSA only certificate for SSL negotiation.

Happy hunting, I mean Labbing!

Written by Stephen J. Occhiogrosso

November 12, 2015 at 9:00 AM

Posted in ASA

Tagged with , , , ,

One Response

Subscribe to comments with RSS.

  1. It seems that disabling the elliptic curve ciphers isn’t enough for the AnyConnect client to work.

    I’ve got an RA VPN configured using certificate authentication and whenever TLS1.2 is negotiated, the AnyConnect client complains that the user certificate is invalid.

    I can configure the ASA to negotiate unsupported ciphers with the AnyConnect client, forcing it to negotiate TLS1.1 – the certificate is then accepted. However the tunnel doesn’t come up, the client wants to bring it up with TLS1.2 and will NOT negotiate down.

    I’ve currently got a TAC case but they don’t seem to know how to fix it.

    ASA is 9.5(2)2 and AnyConnect 4.2.02075.

    Darren Smith

    March 16, 2016 at 10:09 AM


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: