TLS 1.2: ASDM no longer works

After enabling TLS 1.2 on the ASA it is no longer possible to connect to it with ASDM. SSH keeps working normally.

The firewall log shows the following (the device's own cipher list, the client's proposal, and the resulting handshake failure):

%ASA-7-725010: Device supports the following 8 cipher(s)
%ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
%ASA-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384
%ASA-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384
%ASA-7-725011: Cipher[4] : AES256-GCM-SHA384
%ASA-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384
%ASA-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384
%ASA-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256
%ASA-7-725011: Cipher[8] : AES256-SHA256
%ASA-7-725008: SSL client inside:IP:X.X.X.X/61844 to IP:X.X.X.X/443 proposes the following 20 cipher(s)
%ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES128-SHA256
%ASA-7-725011: Cipher[2] : ECDHE-RSA-AES128-SHA256
%ASA-7-725011: Cipher[3] : AES128-SHA256
%ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA256
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA256
%ASA-7-725011: Cipher[6] : ECDHE-ECDSA-AES128-SHA
%ASA-7-725011: Cipher[7] : ECDHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[8] : AES128-SHA
%ASA-7-725011: Cipher[9] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[10] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[11] : ECDHE-ECDSA-AES128-GCM-SHA256
%ASA-7-725011: Cipher[12] : ECDHE-RSA-AES128-GCM-SHA256
%ASA-7-725011: Cipher[13] : AES128-GCM-SHA256
%ASA-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
%ASA-7-725011: Cipher[15] : DHE-DSS-AES128-GCM-SHA256
%ASA-7-725011: Cipher[16] : ECDHE-ECDSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[17] : ECDHE-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[18] : DES-CBC3-SHA
%ASA-7-725011: Cipher[19] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[20] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-302014: Teardown TCP connection 20235300 for inside:IP:X.X.X.X/61844 to identity:IP:X.X.X.X/443 duration 0:00:00 bytes 7 TCP Reset-I

The cause is on the client side. With TLS 1.2 enabled the ASA only offers AES-256 suites, but the Java runtime that ASDM runs in ships with Oracle's "limited" cryptographic policy, which caps AES at 128-bit keys. The client therefore proposes only AES-128 and 3DES suites, none of which the ASA accepts, and the handshake ends with "no shared cipher".
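
The two cipher lists the ASA logs are enough to tell this failure apart from other "no shared cipher" causes. The following is an added example, not code from the original page: it parses the 725010/725008/725011 lines, intersects the two lists in the ASA's preference order, and flags the case where the largest AES key size the client proposed is below the smallest the ASA offers. The "before" input is the log excerpt above; the "after" client proposal is constructed to mirror what the ASA picks once the unlimited policy is installed, and the verdict names are my own.

```python
import re

# Constructed sample input: the ASA syslog excerpt from this page (device
# suites, then the Java client's proposal) plus a constructed "after" hello.
DEVICE_LOG = """\
%ASA-7-725010: Device supports the following 8 cipher(s)
%ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES256-GCM-SHA384
%ASA-7-725011: Cipher[2] : ECDHE-RSA-AES256-GCM-SHA384
%ASA-7-725011: Cipher[3] : DHE-RSA-AES256-GCM-SHA384
%ASA-7-725011: Cipher[4] : AES256-GCM-SHA384
%ASA-7-725011: Cipher[5] : ECDHE-ECDSA-AES256-SHA384
%ASA-7-725011: Cipher[6] : ECDHE-RSA-AES256-SHA384
%ASA-7-725011: Cipher[7] : DHE-RSA-AES256-SHA256
%ASA-7-725011: Cipher[8] : AES256-SHA256
"""
CLIENT_LOG_BEFORE = """\
%ASA-7-725008: SSL client inside:IP:X.X.X.X/61844 to IP:X.X.X.X/443 proposes the following 20 cipher(s)
%ASA-7-725011: Cipher[1] : ECDHE-ECDSA-AES128-SHA256
%ASA-7-725011: Cipher[2] : ECDHE-RSA-AES128-SHA256
%ASA-7-725011: Cipher[3] : AES128-SHA256
%ASA-7-725011: Cipher[4] : DHE-RSA-AES128-SHA256
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA256
%ASA-7-725011: Cipher[6] : ECDHE-ECDSA-AES128-SHA
%ASA-7-725011: Cipher[7] : ECDHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[8] : AES128-SHA
%ASA-7-725011: Cipher[9] : DHE-RSA-AES128-SHA
%ASA-7-725011: Cipher[10] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[11] : ECDHE-ECDSA-AES128-GCM-SHA256
%ASA-7-725011: Cipher[12] : ECDHE-RSA-AES128-GCM-SHA256
%ASA-7-725011: Cipher[13] : AES128-GCM-SHA256
%ASA-7-725011: Cipher[14] : DHE-RSA-AES128-GCM-SHA256
%ASA-7-725011: Cipher[15] : DHE-DSS-AES128-GCM-SHA256
%ASA-7-725011: Cipher[16] : ECDHE-ECDSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[17] : ECDHE-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[18] : DES-CBC3-SHA
%ASA-7-725011: Cipher[19] : EDH-RSA-DES-CBC3-SHA
%ASA-7-725011: Cipher[20] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
"""
# Constructed (not from the page): a client proposal that includes AES-256.
CLIENT_LOG_AFTER = """\
%ASA-7-725008: SSL client inside:IP:X.X.X.X/61845 to IP:X.X.X.X/443 proposes the following 2 cipher(s)
%ASA-7-725011: Cipher[1] : ECDHE-RSA-AES256-GCM-SHA384
%ASA-7-725011: Cipher[2] : ECDHE-RSA-AES128-GCM-SHA256
"""

CIPHER_RE = re.compile(r"%ASA-7-725011: Cipher\[\d+\] : (\S+)")


def parse_cipher_lists(log_text):
    """Return (device_suites, client_suites) in the order the ASA logged them."""
    device, client, current = [], [], None
    for line in log_text.splitlines():
        # 725011 lines belong to whichever header (725010/725008) came last.
        if "%ASA-7-725010:" in line:
            current = device
        elif "%ASA-7-725008:" in line:
            current = client
        else:
            m = CIPHER_RE.search(line)
            if m and current is not None:
                current.append(m.group(1))
    return device, client


def aes_key_bits(suite):
    """AES key size named in an OpenSSL-style suite name, or None (e.g. 3DES)."""
    m = re.search(r"AES(\d+)", suite)
    return int(m.group(1)) if m else None


def diagnose(device, client):
    """Classify the handshake outcome from the two suite lists.

    A non-empty intersection is necessary but not sufficient: the ASA only
    picks suites whose key exchange matches its certificate's key type
    (ECDSA suites need an ECDSA certificate), which the log does not show.
    """
    shared = [s for s in device if s in client]  # ASA preference order
    client_aes = [b for b in map(aes_key_bits, client) if b]
    device_aes = [b for b in map(aes_key_bits, device) if b]
    result = {
        "shared": shared,
        "client_max_aes": max(client_aes, default=0),
        "device_min_aes": min(device_aes, default=0),
    }
    if shared:
        result["verdict"] = "ok"
    elif client_aes and result["client_max_aes"] < result["device_min_aes"]:
        # Every AES suite the device offers needs a longer key than any the
        # client proposed: the symptom of a key-length-capped client.
        result["verdict"] = "client-aes-key-cap"
    else:
        result["verdict"] = "no-shared-cipher"
    return result


if __name__ == "__main__":
    for label, log in (("before", DEVICE_LOG + CLIENT_LOG_BEFORE),
                       ("after", DEVICE_LOG + CLIENT_LOG_AFTER)):
        print(label, diagnose(*parse_cipher_lists(log)))
```

Run against the excerpt above the verdict is "client-aes-key-cap" (client maximum 128, device minimum 256); against the constructed "after" proposal the shared list contains exactly the suite the ASA is seen choosing later on this page.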

After downloading and installing the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files, connecting with ASDM works again.

Download them here (for Java 8; on 8u161 and later the unlimited policy is the default and these files are no longer needed):

http://www.oracle.com/technetwork/java/javase/downloads/jce8-download-2133166.html

Unzip the zip file.

In the folder "C:\Program Files (x86)\Java\jre1.8.0_111\lib\security" rename the two existing files local_policy.jar and US_export_policy.jar so you keep a backup, then copy the new versions from the zip into this location. Make sure you do this for the JRE that ASDM actually runs in if several are installed.

After this ASDM works, and the log shows the negotiated suite:

%ASA-7-725012: Device chooses cipher ECDHE-RSA-AES256-GCM-SHA384 for the SSL session with client

Path on OS X: /Library/Internet Plug-Ins/JavaAppletPlugin.plugin/Contents/Home/lib/security
