Cisco Security Manager (4.9+) with ASA 9.4 ssl_error_no_cypher_overlap

kerstin-534
Level 1

Hi,

With ASA Release Interim 9.4.2.6 or ASA 9.5.2+ it is not possible for us to use certificates signed by a custom CA (with RSA encryption).

Public Key Type: RSA (2048 bits)
Signature Algorithm: SHA512 with RSA Encryption

2016-02-23T09:30:23+01:00 fw : %ASA-7-725008: SSL client management:192.168.200.1/65490 to 192.168.200.254/443 proposes the following 65 cipher(s)
2016-02-23T09:30:23+01:00 fw : %ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher

We have tried to eliminate the elliptic curve ciphers, as friends posted at

https://supportforums.cisco.com/discussion/12477336/asa-only-uses-self-signed-certificates-after-upgrade-941

https://supportforums.cisco.com/discussion/12473396/anyconnect-certificate-validation-failure-after-upgrade-93x94

ssl server-version tlsv1.2
ssl cipher tlsv1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher tlsv1.2 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl cipher dtlsv1 custom "AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl trust-point INTERMEDIATECA

The certificate/trustpoint was removed and imported again, applied again, nothing works; CSM/Firefox/Chrome are unable to communicate: "cannot negotiate security level, no shared cipher".

The only way to get this to work is to do "no ssl trust-point INTERMEDIATECA", resulting in using a self-signed certificate.

Is there some defect / changed behaviour in ASA Release 9.5 that prevents SSL communication with RSA encrypted certificates (the self-signed certificate is RSA based too)?

1 Reply

Peter Koltl
Level 7

I had a similar problem. I looked at the cipher list the client listed in the logs and added some ECDHE-xxx ciphers to the ASA. It was successful:

ssl cipher default custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1 custom "AES256-SHA:AES128-SHA"
ssl cipher tlsv1.1 custom "DHE-RSA-AES256-SHA:AES256-SHA:AES128-SHA"
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:AES256-SHA:AES128-SHA"
ssl cipher dtlsv1 custom "AES256-SHA:AES128-SHA"

Nov 11 2016 09:39:24: %ASA-6-725001: Starting SSL handshake with client Mgmt:10.3.3.187/62631 to 10.3.3.148/8443 for TLS session
Nov 11 2016 09:39:24: %ASA-7-725010: Device supports the following 6 cipher(s)
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[2] : ECDHE-ECDSA-AES256-SHA384
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[3] : ECDHE-RSA-AES256-SHA384
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[4] : ECDHE-ECDSA-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[5] : AES256-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[6] : AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725008: SSL client Mgmt:10.3.3.187/62631 to 10.3.3.148/8443 proposes the following 53 cipher(s)
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[1] : RC4-MD5
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[2] : RC4-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[3] : AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[6] : DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[7] : EDH-RSA-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[8] : EDH-DSS-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[9] : DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[10] : EDH-RSA-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[11] : EDH-DSS-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[12] : EXP-RC4-MD5
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[13] : EXP-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[14] : EXP-EDH-RSA-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[15] : EXP-EDH-DSS-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[16] : ECDHE-ECDSA-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[17] : ECDHE-RSA-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[18] : AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[19] : DHE-RSA-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[20] : DHE-DSS-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[21] : ECDHE-ECDSA-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[22] : ECDHE-RSA-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[23] : AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[24] : DHE-RSA-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[25] : DHE-DSS-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[26] : ECDHE-ECDSA-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[27] : ECDHE-RSA-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[28] : DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[29] : EDH-RSA-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[30] : EDH-DSS-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[31] : ADH-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[32] : ADH-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[33] : ADH-DES-CBC3-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[34] : ECDHE-ECDSA-RC4-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[35] : ECDHE-RSA-RC4-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[36] : RC4-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[37] : RC4-MD5
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[38] : ADH-RC4-MD5
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[39] : DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[40] : EDH-RSA-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[41] : EDH-DSS-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[42] : ADH-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[43] : EXP-RC4-MD5
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[44] : EXP-ADH-RC4-MD5
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[45] : EXP-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[46] : EXP-EDH-RSA-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[47] : EXP-EDH-DSS-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[48] : EXP-ADH-DES-CBC-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[49] : NULL-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[50] : ECDHE-ECDSA-NULL-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[51] : ECDHE-RSA-NULL-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[52] : NULL-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[53] : NULL-MD5
Nov 11 2016 09:39:24: %ASA-7-725012: Device chooses cipher ECDHE-ECDSA-AES128-SHA256 for the SSL session with client Mgmt:10.3.3.187/62631 to 10.3.3.148/8443
Nov 11 2016 09:39:24: %ASA-6-725016: Device selects trust-point ASA-self-signed for client Mgmt:10.3.3.187/62631 to 10.3.3.148/8443
Nov 11 2016 09:39:24: %ASA-6-725002: Device completed SSL handshake with client Mgmt:10.3.3.187/62631 to 10.3.3.148/8443 for TLSv1.2 session

But in this case we used an EC self-signed certificate. For your RSA certificate, you probably need to add ECDHE-RSA-AES128-SHA256 or similar.
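Added example (not from either poster, and not Cisco tooling): it parses the %ASA-7-725010/725008/725011 debug lines quoted in the reply, then replays the selection the ASA logs as 725012, walking the device's list in its configured order and keeping only ciphers whose authentication matches the trust-point key type (ECDHE-ECDSA needs an EC certificate, ECDHE-RSA/DHE-RSA/plain RSA key exchange need an RSA one). Run it against the question's "AES128-SHA:AES256-SHA:DES-CBC3-SHA" list with an EC certificate and the result is the same "no shared cipher" outcome; the sample log below is a constructed, trimmed copy of the reply's output (client offer cut from 53 to 6 entries), and the weak-cipher filter is my own addition.

```python
import re

# Constructed sample: trimmed copy of the ASA debug output quoted in the reply above
# (all 6 device ciphers kept, client offer shortened from 53 to 6 entries).
SAMPLE_LOG = """\
Nov 11 2016 09:39:24: %ASA-7-725010: Device supports the following 6 cipher(s)
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[2] : ECDHE-ECDSA-AES256-SHA384
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[3] : ECDHE-RSA-AES256-SHA384
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[4] : ECDHE-ECDSA-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[5] : AES256-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[6] : AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725008: SSL client Mgmt:10.3.3.187/62631 to 10.3.3.148/8443 proposes the following 6 cipher(s)
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[1] : RC4-MD5
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[2] : AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[3] : DHE-RSA-AES128-SHA
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[4] : ECDHE-ECDSA-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[5] : ECDHE-RSA-AES128-SHA256
Nov 11 2016 09:39:24: %ASA-7-725011: Cipher[6] : NULL-SHA
"""

CIPHER_RE = re.compile(r"%ASA-7-725011: Cipher\[\d+\] : (\S+)")

def parse_cipher_lists(log):
    """Split the Cipher[n] lines into the device's list and the client's offer, in order."""
    lists, side = {"server": [], "client": []}, None
    for line in log.splitlines():
        if "%ASA-7-725010:" in line: side = "server"     # device list follows
        elif "%ASA-7-725008:" in line: side = "client"   # client hello list follows
        elif (m := CIPHER_RE.search(line)) and side: lists[side].append(m.group(1))
    return lists

def auth_type(cipher):
    """Certificate key type a cipher needs, read off its OpenSSL-style name."""
    if "ECDSA" in cipher: return "EC"
    if "-DSS-" in cipher: return "DSS"
    if cipher.startswith(("ADH-", "EXP-ADH-")): return "ANON"
    return "RSA"   # ECDHE-RSA, DHE-RSA, EDH-RSA and plain RSA key exchange (AES128-SHA ...)

def negotiate(server, client, cert_key):
    """Server-preference pick, as the 725012 line shows; returns None for 'no shared cipher'."""
    offered = set(client)
    for c in server:
        if c in offered and auth_type(c) == cert_key:
            return c
    return None

WEAK = ("RC4", "EXP-", "NULL", "ADH-", "DES-CBC-")   # RC4, export, null, anonymous, single DES
def weak_offers(client):
    """Ciphers in the client hello that should not be enabled on the ASA side at all."""
    return [c for c in client if any(w in c for w in WEAK)]
```

`negotiate(lists["server"], lists["client"], "EC")` reproduces the reply's ECDHE-ECDSA-AES128-SHA256 choice; with `"RSA"` the same lists fall through to AES128-SHA.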
