CCIE or Null!


Cisco ASA presents self-signed cert in certain SSL negotiations – CSCuu02848 / CSCuw02001


Just a quick shout-out to those running ASAs: be careful when you upgrade to v9.4, v9.5, or beyond.

In v9.4+, when the ASA negotiates an SSL connection it will attempt to use an ECDSA cipher as part of TLS v1.2 if the client offers Elliptic Curve ciphers. In that situation the ASA presents its self-signed certificate regardless of the certificate it is configured to use.

You’ve got two options to fix this:

  1. Use an ECDSA certificate.
  2. Disable the ECDSA ciphers with the following command (you might also want to cut out some of the weaker ciphers in this list):

ssl cipher tlsv1.2 custom "AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5"
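As an added example (not from the original post), here is a small Python check for that custom cipher string. It splits the colon-separated list the `ssl cipher tlsv1.2 custom` command takes, flags any ECDSA suite (the trigger for this bug) along with the weaker suites in the list above (RC4, single DES, 3DES, MD5), and prints the trimmed command. The suite names are the OpenSSL-style names the ASA command uses; the weakness labels are standard cryptographic ones and are not taken from the post.

```python
import re

# The cipher list from the post's command, as one colon-separated string.
POST_CIPHER_LIST = ("AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:"
                    "DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5")

# Pattern over the OpenSSL-style suite name -> reason to drop the suite.
DROP_RULES = [
    (re.compile(r"ECDSA"),         "ECDSA suite: triggers the self-signed-certificate bug"),
    (re.compile(r"RC4"),           "RC4 stream cipher"),
    (re.compile(r"(^|-)DES-CBC-"), "single DES (56-bit key)"),
    (re.compile(r"DES-CBC3|3DES"), "3DES (64-bit block)"),
    (re.compile(r"MD5$"),          "MD5 MAC"),
]


def audit_cipher_list(cipher_string):
    """Split an ASA custom cipher string and sort its suites into keep/drop.

    Returns {"keep": [suite, ...], "drop": {suite: [reason, ...]}}.
    """
    keep, drop = [], {}
    for suite in filter(None, cipher_string.split(":")):
        reasons = [msg for rx, msg in DROP_RULES if rx.search(suite)]
        if reasons:
            drop[suite] = reasons
        else:
            keep.append(suite)
    return {"keep": keep, "drop": drop}


def hardened_command(cipher_string):
    """Return the ssl cipher command containing only the suites that passed."""
    kept = audit_cipher_list(cipher_string)["keep"]
    if not kept:
        raise ValueError("no acceptable suites left; start from a stronger list")
    return 'ssl cipher tlsv1.2 custom "%s"' % ":".join(kept)


if __name__ == "__main__":
    report = audit_cipher_list(POST_CIPHER_LIST)
    for suite, why in report["drop"].items():
        print("drop %-22s %s" % (suite, "; ".join(why)))
    print(hardened_command(POST_CIPHER_LIST))
```

Run it against the post's list and it keeps the four AES suites and drops the 3DES, single-DES and RC4 entries; feed it a list that still contains an ECDHE-ECDSA suite and that suite is flagged as the bug trigger.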

Funny thing is, this is mentioned in the v9.4 release notes. However, it is not mentioned in the v9.5 release notes, so if you were to, say, upgrade from v9.2 or v9.3 and hop directly to v9.5 (a fully supported upgrade path), this could be something that creeps up on you. After all, why would you read through the release notes of a release you are completely skipping?

A direct link to the bug can be found here.

You can easily verify this by capturing the SSL negotiation and checking the Client Hello for TLSv1.2 and EC ciphers:
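The capture check can also be scripted. The Python below is an added example, not part of the original post: it parses the ClientHello out of a raw TLS record (the bytes you would export from the capture) and reports the client version and any ECDSA suites offered, which is the combination that makes an affected ASA answer with its self-signed certificate. `build_client_hello` exists only to construct a sample record inline; the cipher-suite IDs are the IANA values, named OpenSSL-style to match the ASA's own cipher naming.

```python
import struct

# Subset of IANA cipher-suite IDs, named OpenSSL-style (the naming the ASA
# "ssl cipher" command uses). Unknown IDs are reported by hex value.
SUITES = {
    0xC02B: "ECDHE-ECDSA-AES128-GCM-SHA256",
    0xC02C: "ECDHE-ECDSA-AES256-GCM-SHA384",
    0xC009: "ECDHE-ECDSA-AES128-SHA",
    0xC00A: "ECDHE-ECDSA-AES256-SHA",
    0xC02F: "ECDHE-RSA-AES128-GCM-SHA256",
    0xC013: "ECDHE-RSA-AES128-SHA",
    0xC014: "ECDHE-RSA-AES256-SHA",
    0x0039: "DHE-RSA-AES256-SHA",
    0x0033: "DHE-RSA-AES128-SHA",
    0x0035: "AES256-SHA",
    0x002F: "AES128-SHA",
    0x000A: "DES-CBC3-SHA",
    0x0005: "RC4-SHA",
    0x0004: "RC4-MD5",
}
VERSIONS = {0x0301: "TLSv1.0", 0x0302: "TLSv1.1", 0x0303: "TLSv1.2"}


def parse_client_hello(record):
    """Parse a TLS record carrying a ClientHello.

    Returns the client version, the offered suite names, the ECDSA suites
    among them, and whether ECDSA was offered under TLSv1.2 (the condition
    under which an affected ASA presents its self-signed certificate).
    """
    if len(record) < 5 or record[0] != 0x16:      # content type 22 = handshake
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    body = record[5:5 + rec_len]
    if len(body) < 4 or body[0] != 0x01:          # handshake type 1 = ClientHello
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(body[1:4], "big")
    hello = body[4:4 + hs_len]

    pos = 0
    client_version = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    pos += 32                                     # 32-byte client random
    sid_len = hello[pos]
    pos += 1 + sid_len                            # session ID
    cs_len = struct.unpack("!H", hello[pos:pos + 2])[0]
    pos += 2
    if cs_len % 2 or pos + cs_len > len(hello):
        raise ValueError("malformed cipher_suites vector")
    ids = [struct.unpack("!H", hello[i:i + 2])[0]
           for i in range(pos, pos + cs_len, 2)]

    names = [SUITES.get(i, "UNKNOWN-0x%04X" % i) for i in ids]
    version = VERSIONS.get(client_version, "0x%04X" % client_version)
    ecdsa = [n for n in names if "ECDSA" in n]
    return {
        "version": version,
        "suites": names,
        "ecdsa_suites": ecdsa,
        "ecdsa_over_tls12": version == "TLSv1.2" and bool(ecdsa),
    }


def build_client_hello(version, suite_ids):
    """Construct a minimal ClientHello record (no extensions) as sample input.

    Constructed test data only; in practice the bytes come from a capture.
    """
    cs = b"".join(struct.pack("!H", s) for s in suite_ids)
    hello = (struct.pack("!H", version) + bytes(32)   # version + zero random
             + b"\x00"                                # empty session ID
             + struct.pack("!H", len(cs)) + cs        # cipher suites
             + b"\x01\x00")                           # compression: null only
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return (b"\x16" + struct.pack("!H", 0x0301)
            + struct.pack("!H", len(handshake)) + handshake)


# Constructed sample: a modern browser offering ECDSA and RSA suites under TLSv1.2.
SAMPLE_HELLO = build_client_hello(
    0x0303, [0xC02B, 0xC02F, 0xC009, 0x002F, 0x0035, 0x0039])

if __name__ == "__main__":
    result = parse_client_hello(SAMPLE_HELLO)
    print("client version :", result["version"])
    print("offered suites :", ", ".join(result["suites"]))
    print("ECDSA suites   :", ", ".join(result["ecdsa_suites"]) or "none")
    if result["ecdsa_over_tls12"]:
        print("ECDSA offered under TLSv1.2: an ASA on v9.4+ with default ciphers "
              "and an RSA-only certificate will answer with its self-signed cert")
```

If the report shows TLSv1.2 with ECDSA suites present and you are still on the default cipher list with an RSA-only certificate, expect the browser certificate warning the post describes; an older client that offers only RSA suites (or caps itself at TLSv1.1) will not trip it.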

[Screenshot: packet capture of the Client Hello showing TLSv1.2 and the EC cipher suites]

Of course, the browser certificate error will be a dead giveaway, but sometimes it’s nice to check.

Do keep in mind, though, that to be affected by this you must meet all of the following:

  • SSL services running on the ASA
  • Running v9.4 or later
  • Running the default SSL ciphers for TLSv1.2
  • Using an RSA-only certificate for the SSL negotiation

Happy hunting, I mean labbing!

Written by Stephen J. Occhiogrosso

November 12, 2015 at 9:00 AM

Posted in ASA


One Response


  1. It seems that disabling the elliptic curve ciphers isn’t enough for the AnyConnect client to work.

    I’ve got an RA VPN configured using certificate authentication and whenever TLS1.2 is negotiated, the AnyConnect client complains that the user certificate is invalid.

    I can configure the ASA to negotiate unsupported ciphers with the AnyConnect client, forcing it to negotiate TLS1.1 – the certificate is then accepted. However, the tunnel doesn’t come up; the client wants to bring it up with TLS1.2 and will NOT negotiate down.

    I’ve currently got a TAC case but they don’t seem to know how to fix it.

    ASA is 9.5(2)2 and AnyConnect 4.2.02075.

    Darren Smith

    March 16, 2016 at 10:09 AM
