
Disable Weak Cipher

sahrizal123
Level 1

Hi,

Based on the penetration test result, I have to disable weak ciphers on a Cisco ASA 5516.

SSL weak cipher
Recommend disabling: TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_RSA_WITH_RC4_128_MD5, TLS_RSA_WITH_RC4_128_SHA

May I know the command to disable them, and the impact of disabling the SSL ciphers above?

3 Replies

Francesco Molino
VIP Alumni
Hi

You can use the ssl cipher command:
https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/200150-Cisco-Guide-to-Harden-Cisco-ASA-Firewall.html

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Marvin Rhoads
Hall of Fame

I use the following commands (along the lines of what's explained in the link provided by Francesco):

 

ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA"

 

Note that if you use ASDM your Java will need to have the JCE strong crypto libraries to be able to connect to the ASA following implementation of that hardening configuration.

 

That's about the only impact unless you have clients with VERY old browsers trying to use your SSL VPN portal on the ASA. Any relatively modern browser (i.e. from the last 3-4 years onward) should connect with no issue.

In addition to Francesco's and Marvin's input, I recently started disabling TLS 1.0 and 1.1 completely for many customers. And for TLS 1.2 I only allow the high security ciphers. That won't work in every environment, but with actual client software there is no problem.
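
The pentest finding in the question uses IANA suite names, while the `ssl cipher ... custom` strings in the replies use OpenSSL-style names. The following is an added example, not part of any post in this thread: a small audit that reads `ssl cipher` lines from a saved config and reports which of the three flagged suites are still listed. The `audit` function and the sample config are constructed for illustration.

```python
import re

# OpenSSL-style names (as used in ASA custom cipher strings) mapped to the
# IANA names listed in the pentest finding.
WEAK = {
    "DES-CBC3-SHA": "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "RC4-MD5": "TLS_RSA_WITH_RC4_128_MD5",
    "RC4-SHA": "TLS_RSA_WITH_RC4_128_SHA",
}

SSL_CIPHER = re.compile(r'^\s*ssl cipher (\S+) (\S+)(?:\s+"([^"]*)")?\s*$')


def audit(config_text):
    """Return {version: result} for every 'ssl cipher' line.

    result is a sorted list of flagged IANA names for custom lists, or the
    string 'level:<keyword>' when the line uses a predefined level, whose
    contents cannot be judged from the config text alone.
    """
    findings = {}
    for line in config_text.splitlines():
        m = SSL_CIPHER.match(line)
        if not m:
            continue
        version, mode, ciphers = m.groups()
        if mode != "custom" or ciphers is None:
            findings[version] = "level:" + mode
            continue
        # Accept ':' as well as the ';' separator shown in the thread.
        names = [c.strip().upper() for c in re.split(r"[:;]", ciphers) if c.strip()]
        findings[version] = sorted(WEAK[n] for n in names if n in WEAK)
    return findings


# Constructed sample config (not taken from a real device).
SAMPLE = '''
ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384;AES256-SHA;AES128-SHA256"
ssl cipher tlsv1 custom "AES256-SHA;DES-CBC3-SHA;RC4-SHA"
ssl cipher dtlsv1 medium
'''

if __name__ == "__main__":
    for version, result in audit(SAMPLE).items():
        print(version, "->", result or "no flagged ciphers")
```

An empty list means none of the three flagged suites appear in that custom string; a `level:` result means the line needs to be checked against what that predefined level enables on the running software version.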