SSL VPN Encryption Type/s?

robertramsey · ‎04-10-2024

Hello,

When configuring SSL VPN, the default encryption type is "ssl server-version tlsv1.2 dtlsv1.2", which only shows up with a "show run all". In that output, I can also see that "ssl cipher tlsv1.2 medium" and "ssl cipher dtlsv1.2 medium" are displayed even though I have "fips enable" configured. Which encryption types are being used, the FIPS ones or the medium ones?

According to the ASA Command Reference Page, the SSL Cipher command specifies the strength of the cipher and indicates the minimum level of ciphers that are supported. Valid values in increasing order of strength are:

all —Includes all ciphers, including NULL-SHA.
low —Includes all ciphers except NULL-SHA.
medium —Includes all ciphers except NULL-SHA, DES-CBC-SHA, and RC4-MD5.
fips —Includes all FIPS-compliant ciphers (excludes NULL-SHA, DES-CBC-SHA, RC4-MD5, RC4-SHA, and DES-CBC3-SHA.
high (applies only to TLSv1.2)—Includes only AES-256 with SHA-2 ciphers.

Thanks in advance!

MHM Cisco World · ‎04-10-2024

show ssl ciphers <all/low/medium/high/fips>

Do above command and you can see cipher allow for each level.

MHM

Sheraz.Salim · ‎04-11-2024

When you have FIPS (Federal Information Processing Standards) enabled on your SSL VPN configuration, it enforces the use of FIPS-compliant encryption algorithms. In your case, even though "ssl cipher tlsv1.2 medium" and "ssl cipher dtlsv1.2 medium" are displayed in the output, the FIPS configuration takes precedence.

The "fips" option ensures that only FIPS-compliant ciphers are used, excluding non-compliant ones like NULL-SHA, DES-CBC-SHA, RC4-MD5, RC4-SHA, and DES-CBC3-SHA. So the appearance of "medium" in the output, the ASA will prioritize FIPS-compliant ciphers when establishing SSL VPN connections.

In essence, when FIPS is enabled, the ASA prioritizes FIPS-compliant encryption for SSL VPN connections, following the specifications set by the "fips" option, regardless of the "medium" setting displayed in the output. hope this helps.

please do not forget to rate.

robertramsey · ‎04-11-2024

Hello Sheras.Salim,

Thanks for your response. As a test, I ran 'show ssl ciphers' before and after configuring 'fips enable'. Based on what you wrote, I thought the lists would be different, I thought that only FIPS supported ciphers would be listed with FIPS enabled. However, the two lists are the same. How can I verify that only FIPS supported ciphers are being used?

Thanks in advance!

FIPS not enabled

firewall# show ssl ciphers
Current cipher configuration:
default (medium):
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-RSA-AES256-GCM-SHA384
  DHE-RSA-AES256-GCM-SHA384
  AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-RSA-AES256-SHA384
  DHE-RSA-AES256-SHA256
  AES256-SHA256
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  DHE-RSA-AES128-GCM-SHA256
  AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-RSA-AES128-SHA256
  DHE-RSA-AES128-SHA256
  AES128-SHA256
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1.1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1.2 (medium):
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-RSA-AES256-GCM-SHA384
  DHE-RSA-AES256-GCM-SHA384
  AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-RSA-AES256-SHA384
  DHE-RSA-AES256-SHA256
  AES256-SHA256
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  DHE-RSA-AES128-GCM-SHA256
  AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-RSA-AES128-SHA256
  DHE-RSA-AES128-SHA256
  AES128-SHA256
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
dtlsv1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
dtlsv1.2 (medium):
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-RSA-AES256-GCM-SHA384
  DHE-RSA-AES256-GCM-SHA384
  AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-RSA-AES256-SHA384
  DHE-RSA-AES256-SHA256
  AES256-SHA256
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  DHE-RSA-AES128-GCM-SHA256
  AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-RSA-AES128-SHA256
  DHE-RSA-AES128-SHA256
  AES128-SHA256
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA

FIPS enabled

firewall# show ssl ciphers
Current cipher configuration:
default (medium):
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-RSA-AES256-GCM-SHA384
  DHE-RSA-AES256-GCM-SHA384
  AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-RSA-AES256-SHA384
  DHE-RSA-AES256-SHA256
  AES256-SHA256
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  DHE-RSA-AES128-GCM-SHA256
  AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-RSA-AES128-SHA256
  DHE-RSA-AES128-SHA256
  AES128-SHA256
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1.1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
tlsv1.2 (medium):
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-RSA-AES256-GCM-SHA384
  DHE-RSA-AES256-GCM-SHA384
  AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-RSA-AES256-SHA384
  DHE-RSA-AES256-SHA256
  AES256-SHA256
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  DHE-RSA-AES128-GCM-SHA256
  AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-RSA-AES128-SHA256
  DHE-RSA-AES128-SHA256
  AES128-SHA256
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
dtlsv1 (medium):
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA
dtlsv1.2 (medium):
  ECDHE-ECDSA-AES256-GCM-SHA384
  ECDHE-RSA-AES256-GCM-SHA384
  DHE-RSA-AES256-GCM-SHA384
  AES256-GCM-SHA384
  ECDHE-ECDSA-AES256-SHA384
  ECDHE-RSA-AES256-SHA384
  DHE-RSA-AES256-SHA256
  AES256-SHA256
  ECDHE-ECDSA-AES128-GCM-SHA256
  ECDHE-RSA-AES128-GCM-SHA256
  DHE-RSA-AES128-GCM-SHA256
  AES128-GCM-SHA256
  ECDHE-ECDSA-AES128-SHA256
  ECDHE-RSA-AES128-SHA256
  DHE-RSA-AES128-SHA256
  AES128-SHA256
  DHE-RSA-AES256-SHA
  AES256-SHA
  DHE-RSA-AES128-SHA
  AES128-SHA

MHM Cisco World · ‎04-11-2024

Run level low

Then show before fips and after fips

I think the cipher are not allow when fips enable in level low not medium.

MHM

robertramsey · ‎04-15-2024

Hello MHM,

I removed FIPS from my config and set each of the SSL ciphers to "low". When I ran "show ssl ciphers" as you suggested, each of the SSL ciphers includes DES-CBC3-SHA (non-FIPS compliant). When I set each of the ciphers to medium, DES-CBC3-SHA is removed from the "show ssl ciphers" output.

I then added FIPS to my config and set each of the SSL ciphers to "low". I ran "show ssl ciphers" again, as you suggested, and each of the SSL ciphers includes DES-CBC3-SHA (non-FIPS compliant). When I set each of the ciphers to medium, DES-CBC3-SHA is removed from the "show ssl ciphers" output.

So, having FIPS enabled doesn't seem to have an effect on whether DES-CBC3-SHA is included or not when the SSL ciphers are set to "low". For the record, I rebooted my ASA each time I turned FIPS off or on per ASDM's guidance.

By the way, there's no difference in "show ssl ciphers" output between "medium" and "fips". I'm not sure why "fips" is offered as a choice when there's no difference...

MHM Cisco World · ‎04-15-2024

Fips includes all FIPS-compliant ciphers, except NULL-SHA, DES-CBC-SHA, RC4-MD5, RC4-SHA, and DES-CBC3-SHA.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa96/asdm76/vpn/asdm-76-vpn-config/vpn-asdm-ssl.html

MHM

robertramsey · ‎04-15-2024

Hello MHM,

That link also suggests that there's no difference between "medium" and "fips". Strange that Cisco included both options with the ciphers being the same...

Thanks!

Sheraz.Salim · ‎04-11-2024

It's interesting to note that the output of "show ssl ciphers" remains the same even after enabling FIPS. However, this doesn't necessarily mean that FIPS isn't being enforced. To verify whether only FIPS-supported ciphers are being used, you can analyze the handshake messages during SSL VPN connections to ensure that the negotiated cipher suites comply with FIPS standards.

please do not forget to rate.

Aref Alsouqi · ‎04-16-2024

FIPS 140-2 and 3 are just standards that require minimum ciphers to be enabled. I wouldn't be surprised if those ciphers match a template on the firewalls as shown in your case. However, please note that enabling FIPS doesn't only imply having the set of ciphers, instead it could part of the pre-reqs to be compliant for CC or UCAPL.

robertramsey · ‎04-16-2024

Hello Aref,

Thanks for your post. I naively assumed that enabling FIPS would ensure that the ASA would only use FIPS approved ciphers. My testing with "fips enable" and ssl cipher levels, low and medium, demonstrated that just enabling FIPS doesn't remove non-fips ciphers. Turns out, the ssl cipher levels include low, medium, fips, and high. So, whatever the fips global setting does, it isn't all inclusive.

Aref Alsouqi · ‎04-17-2024

Hi Robert,

Could you please try to run a scan on the firewall outside interface with FIPS enabled and check what the result would be? you can use SSL Server Test (Powered by Qualys SSL Labs) for that, it's free.

Sheraz.Salim · ‎04-17-2024

Hey @Aref Alsouqi I have found this Link it could be helpful for the Robert. But your provided link is also a good link too. Hope this provide link will be helpful.

please do not forget to rate.

robertramsey · ‎04-17-2024

Hello Aref,

That link is easily the best thing I've seen on the Internet in a long while. Wow! That's an awesome tool! Thanks!

Aref Alsouqi · ‎04-17-2024

You're very welcome Robert : - D.