ASA v9.4 Elliptic Curve Cryptography with TLS1.2

With ASA version 9.4 Cisco has added support for Elliptic curve cryptography (ECC), which is one of the most powerful types of encryption in use today. While ECC has been in use since 2004, only it’s recently use has skyrocketed. Part of this reason is power consumption… In my limited understanding, experts have concluded that a shorter ECC keys are just as strong as a much larger RSA key. This increases performance significantly, which reduces the power required for each calculation. If you want to learn more about ECC, check out this fantastic article from arstechnica.

That brings me to the issue. Last night I failed over some 5585x’s running > 9.4 that happened to be doing Anyconnect SSL VPN. This morning, my client was seeing issues. Luckily the solution was simple and a college pointed me to the solution fairly quickly. From the Cisco support community page I found later on….

For version 9.4.(x) we have the following information:

Elliptic curve cryptography for SSL/TLS—When an elliptic curve-capable SSL VPN client connects to the ASA, the elliptic curve cipher suite will be negotiated, and the ASA will present the SSL VPN client with an elliptic curve certificate, even when the corresponding interface has been configured with an RSA-based trustpoint. To avoid having the ASA present a self-signed SSL certificate, the administrator needs to remove the corresponding cipher suites using the ssl cipher command. For example, for an interface configured with an RSA trustpoint, the administrator can execute the following command so that only RSA based ciphers are negotiated:

ssl cipher tlsv1.2 custom “AES256-SHA:AES128-SHA:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:DES-CBC3-SHA:DES-CBC-SHA:RC4-SHA:RC4-MD5”

Also see the ASA 9.4 Release Notes, which include a quick blurb on the issue…