LTLnetworker | IT networks, security, Cisco

TLS Experiences with Elliptic Curve Algorithms on Cisco ASA

Posted by LTLnetworker on December 18, 2016


Elliptic Curve Cryptography (ECC) is a newer approach to public-key cryptography. EC algorithms were introduced in NSA Suite B. Cisco uses the broad term Next Generation Encryption (NGE) for Suite B. Why are elliptic curve keys and the certificates based on them important? Because elliptic curve keys are more efficient to use than RSA keys, they are expected to gain popularity. (However, there is some intention to replace Suite B with an even newer CNSA Suite, which contains even stronger ECDH and ECDSA algorithms.) EC algorithms provide the same level of cryptographic strength with a shorter key length than RSA keys.

Elliptic curve TLS ciphers and certificates are supported from

  • ASA version 9.4(1)
  • Windows 7
  • Windows 2008 Server

An X.509 certificate contains either an RSA public key or an EC public key. In this article the usage in TLS communication is investigated.

When a Cisco ASA provides TLS/SSL services, ASA (TLS server) shows its certificate to the TLS client. The application can be a plain browser for administrative HTTPS access or for the clientless SSL portal. In this case, you can view the server certificate in the browser and inspect its content. If the certificate is trusted, the browser accepts it. If not, the browser gives a trust warning.

In addition, AnyConnect client also uses TLS (and DTLS) to connect. It is not very simple to check the server certificate from the client side. But it is easy to notice if the server certificate is not trusted as AnyConnect has a setting “Block untrusted servers”. You are not able to connect if this setting is active and the certificate is untrusted. Even if the tick is removed from the checkbox and you allow untrusted servers, AnyConnect will pop up a warning window.

Both the firewall and the client application have a list of supported TLS ciphers. Both parties have a configured or built-in cipher preference and order. The two parties agree on a cipher to use during TLS negotiation. ASA CLI SSL commands such as show ssl and show run ssl print information on the usable ciphers and certificates:

asa5506(config-webvpn)# show ssl

Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater

Start connections using TLSv1 and negotiate to TLSv1 or greater

SSL DH Group: group2 (1024-bit modulus)

SSL ECDH Group: group19 (256-bit EC)

SSL trust-points:

  Self-signed (RSA 2048 bits RSA-SHA256) certificate available

  Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available

  Interface demo-inside: DC1-EC (EC 521 bits RSA-SHA1)

  Interface outside: DC1-EC-out (EC 521 bits RSA-SHA1)

Certificate authentication is not enabled

asa5506(config-webvpn)# show ssl ciphers

Current cipher configuration:

default (medium):

  ECDHE-ECDSA-AES256-GCM-SHA384

  ECDHE-RSA-AES256-GCM-SHA384

  DHE-RSA-AES256-GCM-SHA384

  AES256-GCM-SHA384

  ECDHE-ECDSA-AES256-SHA384

  ECDHE-RSA-AES256-SHA384

  DHE-RSA-AES256-SHA256

  AES256-SHA256

  ECDHE-ECDSA-AES128-GCM-SHA256

  ECDHE-RSA-AES128-GCM-SHA256

  DHE-RSA-AES128-GCM-SHA256

  AES128-GCM-SHA256

  ECDHE-ECDSA-AES128-SHA256

  ECDHE-RSA-AES128-SHA256

  DHE-RSA-AES128-SHA256

  AES128-SHA256

  DHE-RSA-AES256-SHA

  AES256-SHA

  DHE-RSA-AES128-SHA

  AES128-SHA

  DES-CBC3-SHA

tlsv1 (medium):

  DHE-RSA-AES256-SHA

  AES256-SHA

  DHE-RSA-AES128-SHA

  AES128-SHA

  DES-CBC3-SHA

tlsv1.1 (medium):

  DHE-RSA-AES256-SHA

  AES256-SHA

  DHE-RSA-AES128-SHA

  AES128-SHA

  DES-CBC3-SHA

tlsv1.2 (medium):

  ECDHE-ECDSA-AES256-GCM-SHA384

  ECDHE-RSA-AES256-GCM-SHA384

  DHE-RSA-AES256-GCM-SHA384

  AES256-GCM-SHA384

  ECDHE-ECDSA-AES256-SHA384

  ECDHE-RSA-AES256-SHA384

  DHE-RSA-AES256-SHA256

  AES256-SHA256

  ECDHE-ECDSA-AES128-GCM-SHA256

  ECDHE-RSA-AES128-GCM-SHA256

  DHE-RSA-AES128-GCM-SHA256

  AES128-GCM-SHA256

  ECDHE-ECDSA-AES128-SHA256

  ECDHE-RSA-AES128-SHA256

  DHE-RSA-AES128-SHA256

  AES128-SHA256

  DHE-RSA-AES256-SHA

  AES256-SHA

  DHE-RSA-AES128-SHA

  AES128-SHA

  DES-CBC3-SHA

dtlsv1 (medium):

  DHE-RSA-AES256-SHA

  AES256-SHA

  DHE-RSA-AES128-SHA

  AES128-SHA

  DES-CBC3-SHA

asa5506(config-webvpn)# show ssl ciphers all

These are the ciphers for the given cipher level; not all ciphers

are supported by all versions of SSL/TLS.

These names can be used to create a custom cipher list

  ECDHE-ECDSA-AES256-GCM-SHA384 (tlsv1.2)

  ECDHE-RSA-AES256-GCM-SHA384 (tlsv1.2)

  DHE-RSA-AES256-GCM-SHA384 (tlsv1.2)

  AES256-GCM-SHA384 (tlsv1.2)

  ECDHE-ECDSA-AES256-SHA384 (tlsv1.2)

  ECDHE-RSA-AES256-SHA384 (tlsv1.2)

  DHE-RSA-AES256-SHA256 (tlsv1.2)

  AES256-SHA256 (tlsv1.2)

  ECDHE-ECDSA-AES128-GCM-SHA256 (tlsv1.2)

  ECDHE-RSA-AES128-GCM-SHA256 (tlsv1.2)

  DHE-RSA-AES128-GCM-SHA256 (tlsv1.2)

  AES128-GCM-SHA256 (tlsv1.2)

  ECDHE-ECDSA-AES128-SHA256 (tlsv1.2)

  ECDHE-RSA-AES128-SHA256 (tlsv1.2)

  DHE-RSA-AES128-SHA256 (tlsv1.2)

  AES128-SHA256 (tlsv1.2)

  DHE-RSA-AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)

  AES256-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)

  DHE-RSA-AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)

  AES128-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)

  DES-CBC3-SHA (tlsv1, tlsv1.1, dtlsv1, tlsv1.2)

  RC4-SHA (tlsv1)

  RC4-MD5 (tlsv1)

  DES-CBC-SHA (tlsv1)

  NULL-SHA (tlsv1)

asa5506(config-webvpn)#

The second component of the cipher name is the digital signature algorithm, and it shows clearly whether ECC or RSA keys and algorithms are selected. Finally, the ASA chooses the trustpoint with a matching certificate type. Here is an example: in this cipher

ECDHE-ECDSA-AES256-GCM-SHA384

ECDSA stands for Elliptic Curve Digital Signature Algorithm.

Usually there is a single certificate assigned to the firewall’s public interface. It is preferably a commercial certificate so that any standard client (including those belonging to external companies) trusts it and does not encounter ‘untrusted server’ error messages. This certificate is either RSA-based or EC-based, so it cannot be universal with regard to the key type. Therefore in this example an elliptic curve certificate should be presented by the ASA. What happens if the single certificate bound to the outside interface is RSA-based? The firewall takes a self-signed ECC certificate, and this provisional certificate is of course not trusted by the client. This was a common issue when companies started to upgrade to ASA 9.4(1) software, as it prefers EC ciphers. You should make sure that no ECDSA ciphers will be negotiated if you do not have an EC certificate. (On the other hand, if your single certificate is EC, then you should prevent the choice of RSA ciphers.) When this issue occurred in several systems, forums usually contained this simple workaround of restricting the ciphers to the following:

ssl cipher tlsv1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.2 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
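
The matching rule described above, modelled as an added example (not Cisco's code and not part of the original post). It assumes the ASA takes the first cipher in its own list that the client also offers and presents a self-signed certificate when no trust-point bound to the interface has the key type that cipher needs; the client offer is constructed.

```python
# Added example: models the cipher / certificate-type matching described above.
# Assumptions (not from Cisco documentation): the ASA picks the first cipher in
# its own list that the client also offers, and presents a self-signed
# certificate when no bound trust-point has the key type the cipher needs.

ASA_DEFAULT = (  # "default (medium)" list from the show ssl ciphers output above
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-SHA256:AES256-SHA256:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "DHE-RSA-AES128-GCM-SHA256:AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA256:AES128-SHA256:"
    "DHE-RSA-AES256-SHA:AES256-SHA:DHE-RSA-AES128-SHA:AES128-SHA:DES-CBC3-SHA"
).split(":")

# The forum workaround quoted above.
WORKAROUND = "AES128-SHA:AES256-SHA:DES-CBC3-SHA".split(":")

# Constructed client offer, in client preference order.
CLIENT_OFFER = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-ECDSA-AES256-GCM-SHA384",
    "DHE-RSA-AES256-SHA",
    "AES256-SHA",
    "AES128-SHA",
    "DES-CBC3-SHA",
]


def required_key_type(cipher):
    """Return the server key type implied by an OpenSSL-style cipher name."""
    parts = cipher.split("-")
    if parts[0] == "EXP":                 # export prefix does not change the key type
        parts = parts[1:]
    if parts[0] in ("ADH", "AECDH"):      # anonymous key exchange: no certificate
        return "NONE"
    if parts[0] in ("ECDHE", "DHE", "EDH"):
        auth = parts[1] if len(parts) > 1 else ""
        return {"ECDSA": "EC", "RSA": "RSA", "DSS": "DSA"}.get(auth, "UNKNOWN")
    return "RSA"                          # no key-exchange prefix: RSA key transport


def negotiate(server_ciphers, client_ciphers, bound_key_types):
    """Return (cipher, needed key type, certificate source) for one handshake."""
    offered = set(client_ciphers)
    for cipher in server_ciphers:         # server order wins (assumption)
        if cipher in offered:
            need = required_key_type(cipher)
            source = "trust-point" if need in bound_key_types else "self-signed"
            return cipher, need, source
    return None, None, "no-shared-cipher"


def mismatched_ciphers(server_ciphers, bound_key_types):
    """List enabled ciphers that no bound trust-point can serve."""
    return [c for c in server_ciphers
            if required_key_type(c) not in bound_key_types
            and required_key_type(c) != "NONE"]


if __name__ == "__main__":
    for label, ciphers, keys in [
        ("default list, RSA cert only", ASA_DEFAULT, {"RSA"}),
        ("workaround list, RSA cert only", WORKAROUND, {"RSA"}),
        ("default list, RSA and EC certs", ASA_DEFAULT, {"RSA", "EC"}),
    ]:
        print(label, "->", negotiate(ciphers, CLIENT_OFFER, keys))
    print("remove or cover:", mismatched_ciphers(ASA_DEFAULT, {"RSA"}))
```
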

There is a registered bug for this problematic setting. The changed behavior is mentioned right at the top of the 9.4(1) Release Notes. Cisco chose to hide EC ciphers in the ‘fixed’ versions: 9.4(3), 9.5(2), 9.6(1). However, if you work with such a fixed version, you may have wondered whether the EC ciphers are available at all, as the ssl commands do not show them:

asa5506# show ssl ciphers

Current cipher configuration:

default (medium):

  DHE-RSA-AES256-SHA256

  AES256-SHA256

  DHE-RSA-AES128-SHA256

  AES128-SHA256

  DHE-RSA-AES256-SHA

  AES256-SHA

  DHE-RSA-AES128-SHA

  AES128-SHA

  DES-CBC3-SHA

tlsv1 (medium):

  DHE-RSA-AES256-SHA

  AES256-SHA

  DHE-RSA-AES128-SHA

  AES128-SHA

  DES-CBC3-SHA

tlsv1.1 (medium):

  DHE-RSA-AES256-SHA

  AES256-SHA

  DHE-RSA-AES128-SHA

  AES128-SHA

  DES-CBC3-SHA

tlsv1.2 (medium):

  DHE-RSA-AES256-SHA256

  AES256-SHA256

  DHE-RSA-AES128-SHA256

  AES128-SHA256

  DHE-RSA-AES256-SHA

  AES256-SHA

  DHE-RSA-AES128-SHA

  AES128-SHA

  DES-CBC3-SHA

dtlsv1 (medium):

  DHE-RSA-AES256-SHA

  AES256-SHA

  DHE-RSA-AES128-SHA

  AES128-SHA

  DES-CBC3-SHA

Although not clearly documented, the

webvpn

  no anyconnect-essentials

command unlocks the ECDSA ciphers:

asa5506(config-webvpn)# show ssl ciphers

Current cipher configuration:

default (medium):

  ECDHE-ECDSA-AES256-GCM-SHA384

  ECDHE-RSA-AES256-GCM-SHA384

  DHE-RSA-AES256-GCM-SHA384

  AES256-GCM-SHA384

  ECDHE-ECDSA-AES256-SHA384

  ECDHE-RSA-AES256-SHA384

  DHE-RSA-AES256-SHA256

  AES256-SHA256

  ECDHE-ECDSA-AES128-GCM-SHA256

  ECDHE-RSA-AES128-GCM-SHA256

  DHE-RSA-AES128-GCM-SHA256

  AES128-GCM-SHA256

Let’s see the process when a Windows AnyConnect client connects to the ASA that has an EC certificate:

asa5506# show ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater
Start connections using TLSv1 and negotiate to TLSv1 or greater
SSL DH Group: group2 (1024-bit modulus)
SSL ECDH Group: group19 (256-bit EC)

SSL trust-points:
Self-signed (RSA 2048 bits RSA-SHA256) certificate available
Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
Interface demo-inside: DC1-EC (EC 521 bits RSA-SHA1)
  Interface outside: DC1-EC-out (EC 521 bits RSA-SHA1)
Certificate authentication is not enabled
asa5506# show run ssl
ssl trust-point DC1-EC demo-inside
ssl trust-point DC1-EC-out outside

Dec 12 2016 20:26:27: %ASA-6-302013: Built inbound TCP connection 3293 for outside:89.135.x.x/59675 (89.135.x.x/59675) to identity:a.b.c.d/443 (a.b.c.d/443)

Dec 12 2016 20:26:27: %ASA-6-725001: Starting SSL handshake with client outside:89.135.x.x/59675 to a.b.c.d/443 for TLS session

Dec 12 2016 20:26:27: %ASA-7-725010: Device supports the following 21 cipher(s)

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[4] : AES256-GCM-SHA384

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[8] : AES256-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[9] : ECDHE-ECDSA-AES128-GCM-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[11] : DHE-RSA-AES128-GCM-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[12] : AES128-GCM-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[14] : ECDHE-RSA-AES128-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[16] : AES128-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[17] : DHE-RSA-AES256-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[18] : AES256-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[19] : DHE-RSA-AES128-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[20] : AES128-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[21] : DES-CBC3-SHA

Dec 12 2016 20:26:27: %ASA-7-725008: SSL client outside:89.135.x.x/59675 to a.b.c.d/443 proposes the following 35 cipher(s)

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[1] : ECDHE-RSA-AES256-GCM-SHA384

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[2] : ECDHE-ECDSA-AES256-GCM-SHA384

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[3] : ECDHE-RSA-AES256-SHA384

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[4] : ECDHE-ECDSA-AES256-SHA384

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[5] : ECDHE-RSA-AES256-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[6] : ECDHE-ECDSA-AES256-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[7] : DHE-DSS-AES256-GCM-SHA384

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[8] : DHE-RSA-AES256-GCM-SHA384

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[9] : DHE-RSA-AES256-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[10] : DHE-DSS-AES256-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[11] : DHE-RSA-AES256-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[12] : DHE-DSS-AES256-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[13] : AES256-GCM-SHA384

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[14] : AES256-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[15] : AES256-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[16] : ECDHE-RSA-AES128-GCM-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[17] : ECDHE-ECDSA-AES128-GCM-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[18] : ECDHE-RSA-AES128-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[19] : ECDHE-ECDSA-AES128-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[20] : ECDHE-RSA-AES128-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[21] : ECDHE-ECDSA-AES128-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[22] : DHE-DSS-AES128-GCM-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[23] : DHE-RSA-AES128-GCM-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[24] : DHE-RSA-AES128-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[25] : DHE-DSS-AES128-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[26] : DHE-RSA-AES128-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[27] : DHE-DSS-AES128-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[28] : AES128-GCM-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[29] : AES128-SHA256

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[30] : AES128-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[31] : ECDHE-RSA-DES-CBC3-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[32] : ECDHE-ECDSA-DES-CBC3-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[33] : EDH-RSA-DES-CBC3-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[34] : EDH-DSS-DES-CBC3-SHA

Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[35] : DES-CBC3-SHA

Dec 12 2016 20:26:27: %ASA-7-725012: Device chooses cipher ECDHE-ECDSA-AES256-GCM-SHA384 for the SSL session with client outside:89.135.x.x/59675 to a.b.c.d/443

Dec 12 2016 20:26:27: %ASA-6-725016: Device selects trust-point DC1-EC-out for client outside:89.135.x.x/59675 to a.b.c.d/443

Dec 12 2016 20:26:27: %ASA-6-725002: Device completed SSL handshake with client outside:89.135.x.x/59675 to a.b.c.d/443 for TLSv1.2 session

The cipher matches the certificate type so ASA is able to provide the EC certificate. AnyConnect signals no trust failure.

The next test is an AnyConnect connection from an Android mobile phone (AnyConnect 4.0.05057):

Dec 12 2016 20:40:40: %ASA-6-302013: Built inbound TCP connection 3307 for outside:89.135.x.x/46374 (89.135.x.x/46374) to identity:a.b.c.d/443 (a.b.c.d/443)

Dec 12 2016 20:40:41: %ASA-6-725001: Starting SSL handshake with client outside:89.135.x.x/46374 to a.b.c.d/443 for TLS session

Dec 12 2016 20:40:41: %ASA-7-725010: Device supports the following 21 cipher(s)

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[4] : AES256-GCM-SHA384

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[8] : AES256-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[9] : ECDHE-ECDSA-AES128-GCM-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[11] : DHE-RSA-AES128-GCM-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[12] : AES128-GCM-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[14] : ECDHE-RSA-AES128-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[16] : AES128-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[17] : DHE-RSA-AES256-SHA

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[18] : AES256-SHA

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[19] : DHE-RSA-AES128-SHA

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[20] : AES128-SHA

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[21] : DES-CBC3-SHA

Dec 12 2016 20:40:41: %ASA-7-725008: SSL client outside:89.135.x.x/46374 to a.b.c.d/443 proposes the following 21 cipher(s)

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[4] : AES256-GCM-SHA384

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[8] : AES256-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[9] : ECDHE-ECDSA-AES128-GCM-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[11] : DHE-RSA-AES128-GCM-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[12] : AES128-GCM-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[14] : ECDHE-RSA-AES128-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[16] : AES128-SHA256

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[17] : DHE-RSA-AES256-SHA

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[18] : AES256-SHA

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[19] : DHE-RSA-AES128-SHA

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[20] : AES128-SHA

Dec 12 2016 20:40:41: %ASA-7-725011: Cipher[21] : DES-CBC3-SHA

Dec 12 2016 20:40:41: %ASA-7-725012: Device chooses cipher ECDHE-ECDSA-AES256-GCM-SHA384 for the SSL session with client outside:89.135.x.x/46374 to a.b.c.d/443

Dec 12 2016 20:40:41: %ASA-6-725016: Device selects trust-point DC1-EC-out for client outside:89.135.x.x/46374 to a.b.c.d/443

Seemingly, the client lands on the right trustpoint and is provided with the EC (trusted) certificate. But there is an error message on the smartphone:

Untrusted VPN Server

Apparently Android AnyConnect 4.0.05057 had a bug with EC certificate trust. Some weeks later my AnyConnect updated itself to 4.0.05062 and the bug seems to be fixed. After the same connect operation and similar logs (Device selects trust-point DC1-EC-out), AnyConnect Android is now satisfied with the received certificate.

An improperly chosen cipher set can cause other surprises. I was asked to troubleshoot a Cisco Security Manager which was unable to add an ASA device. The HTTPS connectivity test failed in CSM. I found these settings and logs in the ASA:

asa1/xxxx.local# show run ssl

ssl cipher default custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"

ssl cipher tlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"

ssl cipher dtlsv1 custom "RC4-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA"

Nov 11 2016 09:19:23: %ASA-6-302013: Built inbound TCP connection 329182 for Mgmt:10.3.3.187/60940 (10.3.3.187/60940) to identity:10.3.3.148/8443 (10.3.3.148/8443)

Nov 11 2016 09:19:23: %ASA-6-725001: Starting SSL handshake with client Mgmt:10.3.3.187/60940 to 10.3.3.148/8443 for TLS session

Nov 11 2016 09:19:23: %ASA-7-725010: Device supports the following 4 cipher(s)

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[1] : RC4-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[2] : AES128-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[3] : AES256-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[4] : DES-CBC3-SHA

Nov 11 2016 09:19:23: %ASA-7-725008: SSL client Mgmt:10.3.3.187/60940 to 10.3.3.148/8443 proposes the following 53 cipher(s)

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[1] : RC4-MD5

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[2] : RC4-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[3] : AES128-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[6] : DES-CBC3-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[7] : EDH-RSA-DES-CBC3-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[8] : EDH-DSS-DES-CBC3-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[9] : DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[10] : EDH-RSA-DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[11] : EDH-DSS-DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[12] : EXP-RC4-MD5

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[13] : EXP-DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[14] : EXP-EDH-RSA-DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[15] : EXP-EDH-DSS-DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[16] : ECDHE-ECDSA-AES128-SHA256

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[17] : ECDHE-RSA-AES128-SHA256

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[18] : AES128-SHA256

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[19] : DHE-RSA-AES128-SHA256

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[20] : DHE-DSS-AES128-SHA256

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[21] : ECDHE-ECDSA-AES128-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[22] : ECDHE-RSA-AES128-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[23] : AES128-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[24] : DHE-RSA-AES128-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[25] : DHE-DSS-AES128-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[26] : ECDHE-ECDSA-DES-CBC3-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[27] : ECDHE-RSA-DES-CBC3-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[28] : DES-CBC3-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[29] : EDH-RSA-DES-CBC3-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[30] : EDH-DSS-DES-CBC3-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[31] : ADH-AES128-SHA256

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[32] : ADH-AES128-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[33] : ADH-DES-CBC3-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[34] : ECDHE-ECDSA-RC4-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[35] : ECDHE-RSA-RC4-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[36] : RC4-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[37] : RC4-MD5

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[38] : ADH-RC4-MD5

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[39] : DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[40] : EDH-RSA-DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[41] : EDH-DSS-DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[42] : ADH-DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[43] : EXP-RC4-MD5

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[44] : EXP-ADH-RC4-MD5

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[45] : EXP-DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[46] : EXP-EDH-RSA-DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[47] : EXP-EDH-DSS-DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[48] : EXP-ADH-DES-CBC-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[49] : NULL-SHA256

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[50] : ECDHE-ECDSA-NULL-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[51] : ECDHE-RSA-NULL-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[52] : NULL-SHA

Nov 11 2016 09:19:23: %ASA-7-725011: Cipher[53] : NULL-MD5

Nov 11 2016 09:19:23: %ASA-7-725012: Device chooses cipher RC4-SHA for the SSL session with client Mgmt:10.3.3.187/60940 to 10.3.3.148/8443

Nov 11 2016 09:19:23: %ASA-7-725014: SSL lib error. Function: SSL3_ACCEPT Reason: setup crypto context failed

Nov 11 2016 09:19:23: %ASA-6-725006: Device failed SSL handshake with client Mgmt:10.3.3.187/60940 to 10.3.3.148/8443

Nov 11 2016 09:19:23: %ASA-6-302014: Teardown TCP connection 329182 for Mgmt:10.3.3.187/60940 to identity:10.3.3.148/8443 duration 0:00:00 bytes 0 TCP Reset by appliance

Cisco Bug Search revealed that this error is caused by the chosen RC4 cipher, which is unsupported by TLS v1.1 or v1.2 (CSCuw85968). The solution was to remove RC4-SHA from the TLSv1.2 cipher list.
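
Reading these handshake traces by eye gets tedious; the following added example (not part of the original post) parses the 725xxx messages shown on this page into one record per handshake and reports failed handshakes and legacy ciphers. The log lines, addresses and trust-point name are constructed, and messages that carry no client address (725010, 725011, 725014) are attributed to the most recent 725001, which assumes handshakes do not interleave.

```python
import re

# Constructed sample in the message format shown on this page
# (documentation addresses, made-up trust-point name EXAMPLE-EC).
SAMPLE_LOG = """\
Dec 12 2016 20:26:27: %ASA-6-725001: Starting SSL handshake with client outside:198.51.100.7/59675 to 192.0.2.1/443 for TLS session
Dec 12 2016 20:26:27: %ASA-7-725010: Device supports the following 2 cipher(s)
Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[2] : AES256-SHA
Dec 12 2016 20:26:27: %ASA-7-725008: SSL client outside:198.51.100.7/59675 to 192.0.2.1/443 proposes the following 2 cipher(s)
Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[1] : ECDHE-RSA-AES256-GCM-SHA384
Dec 12 2016 20:26:27: %ASA-7-725011: Cipher[2] : ECDHE-ECDSA-AES256-GCM-SHA384
Dec 12 2016 20:26:27: %ASA-7-725012: Device chooses cipher ECDHE-ECDSA-AES256-GCM-SHA384 for the SSL session with client outside:198.51.100.7/59675 to 192.0.2.1/443
Dec 12 2016 20:26:27: %ASA-6-725016: Device selects trust-point EXAMPLE-EC for client outside:198.51.100.7/59675 to 192.0.2.1/443
Dec 12 2016 20:26:27: %ASA-6-725002: Device completed SSL handshake with client outside:198.51.100.7/59675 to 192.0.2.1/443 for TLSv1.2 session
Dec 12 2016 20:31:05: %ASA-6-725001: Starting SSL handshake with client Mgmt:192.0.2.187/60940 to 192.0.2.148/8443 for TLS session
Dec 12 2016 20:31:05: %ASA-7-725010: Device supports the following 2 cipher(s)
Dec 12 2016 20:31:05: %ASA-7-725011: Cipher[1] : RC4-SHA
Dec 12 2016 20:31:05: %ASA-7-725011: Cipher[2] : AES128-SHA
Dec 12 2016 20:31:05: %ASA-7-725008: SSL client Mgmt:192.0.2.187/60940 to 192.0.2.148/8443 proposes the following 2 cipher(s)
Dec 12 2016 20:31:05: %ASA-7-725011: Cipher[1] : RC4-SHA
Dec 12 2016 20:31:05: %ASA-7-725011: Cipher[2] : AES128-SHA
Dec 12 2016 20:31:05: %ASA-7-725012: Device chooses cipher RC4-SHA for the SSL session with client Mgmt:192.0.2.187/60940 to 192.0.2.148/8443
Dec 12 2016 20:31:05: %ASA-7-725014: SSL lib error. Function: SSL3_ACCEPT Reason: setup crypto context failed
Dec 12 2016 20:31:05: %ASA-6-725006: Device failed SSL handshake with client Mgmt:192.0.2.187/60940 to 192.0.2.148/8443
"""

LINE = re.compile(r"%ASA-\d-(\d{6}): (.*)$")
CLIENT = re.compile(r"client (\S+) to (\S+)")
LEGACY = ("RC4", "DES-CBC", "NULL", "EXP-")   # "DES-CBC" also matches DES-CBC3


def parse_handshakes(text):
    """Group 725xxx syslog lines into one dict per TLS handshake."""
    sessions, cur, target = [], None, None
    for raw in text.splitlines():
        m = LINE.search(raw)
        if not m:
            continue
        msg_id, body = m.groups()
        if msg_id == "725001":                       # handshake start
            c = CLIENT.search(body)
            cur = {"client": c.group(1), "server": c.group(2),
                   "device": [], "offered": [], "chosen": None,
                   "trustpoint": None, "version": None,
                   "result": "incomplete", "error": None}
            sessions.append(cur)
            target = None
        elif cur is None:
            continue                                 # line before any handshake
        elif msg_id == "725010":                     # device cipher list follows
            target = cur["device"]
        elif msg_id == "725008":                     # client cipher list follows
            target = cur["offered"]
        elif msg_id == "725011" and target is not None:
            target.append(body.split(":", 1)[1].strip())
        elif msg_id == "725012":                     # "Device chooses cipher X ..."
            cur["chosen"] = body.split()[3]
        elif msg_id == "725016":                     # "Device selects trust-point T ..."
            cur["trustpoint"] = body.split()[3]
        elif msg_id == "725014":                     # SSL library error
            cur["error"] = body.split("Reason:", 1)[-1].strip()
        elif msg_id == "725002":                     # "... for TLSv1.2 session"
            cur["result"], cur["version"] = "completed", body.split()[-2]
        elif msg_id == "725006":
            cur["result"] = "failed"
    return sessions


def findings(sessions):
    """Return (client, kind, detail) tuples worth an operator's attention."""
    out = []
    for s in sessions:
        if s["result"] == "failed":
            out.append((s["client"], "handshake-failed",
                        f"{s['chosen']}: {s['error']}"))
        if s["chosen"] and any(tag in s["chosen"] for tag in LEGACY):
            out.append((s["client"], "legacy-cipher", s["chosen"]))
    return out


if __name__ == "__main__":
    for s in parse_handshakes(SAMPLE_LOG):
        print(s["client"], s["chosen"], s["trustpoint"], s["version"], s["result"])
    for f in findings(parse_handshakes(SAMPLE_LOG)):
        print(*f)
```
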

Let’s examine the case when both an RSA and an EC certificate are present on the ASA and assigned to the outside interface. AnyConnect Android shows no ‘Untrust’ error and connects normally with an EC cipher. The EC certificate is chosen for the communication.

asa5506(config)# show run ssl | i outside

ssl trust-point DC1-RSA-out outside

ssl trust-point DC1-EC-out outside

asa5506(config)# show ssl

Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater

Start connections using TLSv1 and negotiate to TLSv1 or greater

SSL DH Group: group2 (1024-bit modulus)

SSL ECDH Group: group19 (256-bit EC)

SSL trust-points:

  Self-signed (RSA 2048 bits RSA-SHA256) certificate available

  Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available

  Interface demo-inside: DC1-EC (EC 521 bits RSA-SHA1)

  Interface outside: DC1-RSA-out (RSA 4096 bits RSA-SHA1)

  Interface outside: DC1-EC-out (EC 521 bits RSA-SHA1)

Certificate authentication is not enabled

Dec 17 2016 17:13:13: %ASA-6-302013: Built inbound TCP connection 8512 for outside:89.135.x.x/60831 (89.135.x.x/60831) to identity:a.b.c.d/443 (a.b.c.d/443)

Dec 17 2016 17:13:13: %ASA-6-725001: Starting SSL handshake with client outside:89.135.x.x/60831 to a.b.c.d/443 for TLS session

Dec 17 2016 17:13:13: %ASA-7-725010: Device supports the following 21 cipher(s)

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[4] : AES256-GCM-SHA384

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[8] : AES256-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[9] : ECDHE-ECDSA-AES128-GCM-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[11] : DHE-RSA-AES128-GCM-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[12] : AES128-GCM-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[14] : ECDHE-RSA-AES128-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[16] : AES128-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[17] : DHE-RSA-AES256-SHA

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[18] : AES256-SHA

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[19] : DHE-RSA-AES128-SHA

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[20] : AES128-SHA

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[21] : DES-CBC3-SHA

Dec 17 2016 17:13:13: %ASA-7-725008: SSL client outside:89.135.x.x/60831 to a.b.c.d/443 proposes the following 21 cipher(s)

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[4] : AES256-GCM-SHA384

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[8] : AES256-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[9] : ECDHE-ECDSA-AES128-GCM-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[10] : ECDHE-RSA-AES128-GCM-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[11] : DHE-RSA-AES128-GCM-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[12] : AES128-GCM-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[13] : ECDHE-ECDSA-AES128-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[14] : ECDHE-RSA-AES128-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[15] : DHE-RSA-AES128-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[16] : AES128-SHA256

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[17] : DHE-RSA-AES256-SHA

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[18] : AES256-SHA

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[19] : DHE-RSA-AES128-SHA

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[20] : AES128-SHA

Dec 17 2016 17:13:13: %ASA-7-725011: Cipher[21] : DES-CBC3-SHA

Dec 17 2016 17:13:13: %ASA-7-725012: Device chooses cipher ECDHE-ECDSA-AES256-GCM-SHA384 for the SSL session with client outside:89.135.x.x/60831 to a.b.c.d/443

Dec 17 2016 17:13:13: %ASA-6-725016: Device selects trust-point DC1-EC-out for client outside:89.135.x.x/60831 to a.b.c.d/443

Dec 17 2016 17:13:14: %ASA-6-725002: Device completed SSL handshake with client outside:89.135.x.x/60831 to a.b.c.d/443 for TLSv1.2 session

These software versions were used in the tests:

AnyConnect Android  4.0.05057, 4.0.05062
ASA  9.6(2)3 asa962-3-lfbff-k8.SPA
ASDM 7.6(2)150
AnyConnect Windows  4.3.03086

3 Responses to “TLS Experiences with Elliptic Curve Algorithms on Cisco ASA”

  1. Ben Personick said

    About the Anyconnect Essentials disable being required to enable the newer TLS, it’s a complete shame on Cisco that they are trying to force users to purchase premium Anyconnect licenses or suffer all of their https interfaces to the ASA including the VPN to be flawed.

    It isn’t even as if the Anyconnect VPN client was different between the two versions, in fact, it’s the same executable running, so the limitation is entirely on the ASA side. We have primary VPNs for users which allow essentials because we need to increase the number of connections available, but we leave it disabled on the backup VPN where we only need a couple of concurrent sessions for use VPNs and the same client connects to both without issue.

    Essentially, Cisco just arbitrarily decided to let Anyconnect essentials die-out by imposing a false limit on them that also breaks the ASA’s security for ASDM and APIs used to manage the device as well.

    • Ben Personick said

      Also, FWIW I have been checking back and hoping Cisco would amend this since I figured out their game a few years ago, and from what I can tell they still don’t care to do what should amount to a flip of flag on the ASA to mitigate the impact to security for their customers because they hope to make a few dollars moving people to premium licenses because the free version can no longer be used securely, and they don’t care that it impacts the device’s management security or usability at all.

    • If you have AnyConnect Plus license (roughly corresponds to old Essentials) the above step does not imply that the Essentials or Plus license is unusable. It is just a configuration step and does not affect the license or licensed functions.
