
Default value of ssl server-version on each ASAv version

The Cisco Community has an article, "TLS 1.2 support on ASA 9.3(2) and later", which states the following.

As of June 2015, there is no plan to support TLS 1.2 on ASA version 9.2 or earlier, because supporting TLS 1.2 requires a major feature enhancement and the impact is large.

ASA 9.3(2) and later appear to support TLS 1.2, but the default value seems to differ depending on the OS version. This time I created ASAv instances of several versions and checked the default value of ssl server-version.

Comparison of default values

Checking on ASAv instances of different versions gave the following results.

Version   Default ssl server-version setting
9.16(2)   ssl server-version tlsv1 dtlsv1
9.18(2)   ssl server-version tlsv1.2 dtlsv1.2
9.20(2)   ssl server-version tlsv1.2 dtlsv1.2

The default on 9.16(2) is tlsv1, as shown above, but it was possible to select tlsv1.1 or tlsv1.2 in the configuration.

ASA-9-16-2(config)# show running-config all | include ssl server-version
ssl server-version tlsv1 dtlsv1
ASA-9-16-2(config)# ssl server-version ?

configure mode commands/options:
  tlsv1    Enter this keyword to accept SSLv2 ClientHellos and negotiate TLSv1
           (or greater)
  tlsv1.1  Enter this keyword to accept SSLv2 ClientHellos and negotiate
           TLSv1.1 (or greater)
  tlsv1.2  Enter this keyword to accept SSLv2 ClientHellos and negotiate
           TLSv1.2 (or greater)

show command output in the default state

The following is the show command output in the default state.

show ssl

9.16(2)

# show ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1 or greater
Start connections using TLSv1 and negotiate to TLSv1 or greater
SSL DH Group: group14 (2048-bit modulus, FIPS)
SSL ECDH Group: group19 (256-bit EC)

SSL trust-points:
  Self-signed (RSA 2048 bits RSA-SHA256) certificate available
  Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
Certificate authentication is not enabled

9.18(2)

# show ssl
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater
SSL DH Group: group14 (2048-bit modulus, FIPS)
SSL ECDH Group: group19 (256-bit EC)

SSL trust-points:
  Self-signed (RSA 2048 bits RSA-SHA256) certificate available
  Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
Certificate authentication is not enabled

9.20(2)

# show ssl 
Accept connections using SSLv3 or greater and negotiate to TLSv1.2 or greater
Start connections using TLSv1.2 and negotiate to TLSv1.2 or greater
SSL DH Group: group14 (2048-bit modulus, FIPS)
SSL ECDH Group: group19 (256-bit EC)

SSL trust-points:
  Self-signed (RSA 2048 bits RSA-SHA256) certificate available
  Self-signed (EC 256 bits ecdsa-with-SHA256) certificate available
Certificate authentication is not enabled

show ssl information

9.16(2)

# show ssl information 

Default setting without 3des or higher cipher support:
  ssl server-version tlsv1 dtlsv1
  ssl client-version tlsv1
  ssl cipher default low
  ssl cipher tlsv1 low
  ssl cipher tlsv1.1 low
  ssl cipher tlsv1.2 low
  ssl cipher dtlsv1 low
  ssl cipher dtlsv1.2 low
  ssl dh-group group14
  ssl ecdh-group group19
  ssl certificate-authentication fca-timeout 2

Default setting with 3des or higher cipher support:
  ssl server-version tlsv1 dtlsv1
  ssl client-version tlsv1
  ssl cipher default medium
  ssl cipher tlsv1 medium
  ssl cipher tlsv1.1 medium
  ssl cipher tlsv1.2 medium
  ssl cipher dtlsv1 medium
  ssl cipher dtlsv1.2 medium
  ssl dh-group group14
  ssl ecdh-group group19
  ssl certificate-authentication fca-timeout 2

Display all of the cipher capabilities:
  CIPHER([VERSIONS], CIPHER_LEVEL, FIPS_COMPLIANCE)
  ECDHE-ECDSA-AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  ECDHE-RSA-AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  DHE-RSA-AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  ECDHE-ECDSA-AES256-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  ECDHE-RSA-AES256-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  DHE-RSA-AES256-SHA256 ([tlsv1.2, dtlsv1.2], high, fips)
  AES256-SHA256 ([tlsv1.2, dtlsv1.2], high, fips)
  ECDHE-ECDSA-AES128-GCM-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  ECDHE-RSA-AES128-GCM-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  DHE-RSA-AES128-GCM-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  AES128-GCM-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  ECDHE-ECDSA-AES128-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  ECDHE-RSA-AES128-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  DHE-RSA-AES128-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  AES128-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  DHE-RSA-AES256-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], medium, fips)
  AES256-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], medium, fips)
  DHE-RSA-AES128-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], medium, fips)
  AES128-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], medium, fips)
  DES-CBC3-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], low, not fips)
  DES-CBC-SHA ([tlsv1], low, not fips)

9.18(2)

# show ssl information 

Default setting without 3des or higher cipher support:
  ssl server-version tlsv1.2 dtlsv1.2
  ssl client-version tlsv1.2
  ssl cipher default low
  ssl cipher tlsv1 low
  ssl cipher tlsv1.1 low
  ssl cipher tlsv1.2 low
  ssl cipher dtlsv1 low
  ssl cipher dtlsv1.2 low
  ssl dh-group group14
  ssl ecdh-group group19
  ssl certificate-authentication fca-timeout 2

Default setting with 3des or higher cipher support:
  ssl server-version tlsv1.2 dtlsv1.2
  ssl client-version tlsv1.2
  ssl cipher default medium
  ssl cipher tlsv1 medium
  ssl cipher tlsv1.1 medium
  ssl cipher tlsv1.2 medium
  ssl cipher dtlsv1 medium
  ssl cipher dtlsv1.2 medium
  ssl dh-group group14
  ssl ecdh-group group19
  ssl certificate-authentication fca-timeout 2

Display all of the cipher capabilities:
  CIPHER([VERSIONS], CIPHER_LEVEL, FIPS_COMPLIANCE)
  ECDHE-ECDSA-AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  ECDHE-RSA-AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  DHE-RSA-AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  ECDHE-ECDSA-AES256-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  ECDHE-RSA-AES256-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  DHE-RSA-AES256-SHA256 ([tlsv1.2, dtlsv1.2], high, fips)
  AES256-SHA256 ([tlsv1.2, dtlsv1.2], high, fips)
  ECDHE-ECDSA-AES128-GCM-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  ECDHE-RSA-AES128-GCM-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  DHE-RSA-AES128-GCM-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  AES128-GCM-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  ECDHE-ECDSA-AES128-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  ECDHE-RSA-AES128-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  DHE-RSA-AES128-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  AES128-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  DHE-RSA-AES256-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], low, fips)
  AES256-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], medium, fips)
  DHE-RSA-AES128-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], medium, fips)
  AES128-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], medium, fips)
  DES-CBC3-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], low, not fips)
  DES-CBC-SHA ([tlsv1], low, not fips)

9.20(2)

# show ssl information 

Default setting without 3des or higher cipher support:
  ssl server-version tlsv1.2 dtlsv1.2
  ssl client-version tlsv1.2
  ssl server-max-version tlsv1.3
  ssl server-max-version tlsv1.3
  ssl cipher default low
  ssl cipher tlsv1 low
  ssl cipher tlsv1.1 low
  ssl cipher tlsv1.2 low
  ssl cipher tlsv1.3 low
  ssl cipher dtlsv1 low
  ssl cipher dtlsv1.2 low
  ssl dh-group group14
  ssl ecdh-group group19
  ssl certificate-authentication fca-timeout 2

Default setting with 3des or higher cipher support:
  ssl server-version tlsv1.2 dtlsv1.2
  ssl client-version tlsv1.2
  ssl server-max-version tlsv1.3
  ssl server-max-version tlsv1.3
  ssl cipher default medium
  ssl cipher tlsv1 medium
  ssl cipher tlsv1.1 medium
  ssl cipher tlsv1.2 medium
  ssl cipher tlsv1.3 medium
  ssl cipher dtlsv1 medium
  ssl cipher dtlsv1.2 medium
  ssl dh-group group14
  ssl ecdh-group group19
  ssl certificate-authentication fca-timeout 2

Display all of the cipher capabilities:
  CIPHER([VERSIONS], CIPHER_LEVEL, FIPS_COMPLIANCE)
  TLS_AES_128_GCM_SHA256 ([tlsv1.3], high, fips)
  TLS_CHACHA20_POLY1305_SHA256 ([tlsv1.3], high, not fips)
  TLS_AES_256_GCM_SHA384 ([tlsv1.3], high, fips)
  ECDHE-ECDSA-AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  ECDHE-RSA-AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  DHE-RSA-AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  ECDHE-ECDSA-AES256-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  ECDHE-RSA-AES256-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  DHE-RSA-AES256-SHA256 ([tlsv1.2, dtlsv1.2], high, fips)
  AES256-SHA256 ([tlsv1.2, dtlsv1.2], high, fips)
  ECDHE-ECDSA-AES128-GCM-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  ECDHE-RSA-AES128-GCM-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  DHE-RSA-AES128-GCM-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  AES128-GCM-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  ECDHE-ECDSA-AES128-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  ECDHE-RSA-AES128-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  DHE-RSA-AES128-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  AES128-SHA256 ([tlsv1.2, dtlsv1.2], medium, fips)
  DHE-RSA-AES256-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], low, fips)
  AES256-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], medium, fips)
  DHE-RSA-AES128-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], medium, fips)
  AES128-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], medium, fips)
  DES-CBC3-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], low, not fips)
  DES-CBC-SHA ([tlsv1], low, not fips)
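The `ssl server-version ?` help text above says each keyword means "negotiate TLSvX (or greater)", and the `show ssl information` output lists the minimum version, an optional `ssl server-max-version` (9.20(2) only), and every cipher with the versions it applies to plus its level and FIPS flag. The following script, added here as an example and not part of the original post or of any Cisco tool, parses that output and reports which TLS versions a box will accept and which of the listed ciphers reachable at those versions the ASA itself labels `low` or `not fips`. The two sample outputs are constructed from the 9.16(2) and 9.20(2) figures in this post and trimmed to a few cipher lines; the `audit` function, field names and the assumption that "or greater" is capped by `server-max-version` when present (and otherwise by the highest version any cipher lists) are my own.

```python
"""Audit a Cisco ASA `show ssl information` dump for legacy TLS versions
and weak ciphers. Example code, not from the original post."""
import re
from dataclasses import dataclass, field

# Version keywords in the order the ASA's "(or greater)" wording implies.
TLS_ORDER = ["tlsv1", "tlsv1.1", "tlsv1.2", "tlsv1.3"]

# Matches lines such as:  AES128-SHA ([tlsv1, tlsv1.1, dtlsv1], medium, fips)
CIPHER_RE = re.compile(r"^(\S+) \(\[([^\]]*)\], (\w+), (fips|not fips)\)$")


@dataclass
class SslInfo:
    server_version: str = ""       # minimum TLS version the server accepts
    dtls_version: str = ""         # minimum DTLS version
    server_max_version: str = ""   # only printed on releases with TLS 1.3
    ciphers: list = field(default_factory=list)  # (name, versions, level, fips)


def parse_show_ssl_information(text: str) -> SslInfo:
    """Pull the version keywords and the cipher capability table out of the dump.
    Both 'Default setting' sections print the same versions, so the first hit wins."""
    info = SslInfo()
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("ssl server-version ") and not info.server_version:
            parts = line.split()
            info.server_version = parts[2]
            info.dtls_version = parts[3] if len(parts) > 3 else ""
        elif line.startswith("ssl server-max-version ") and not info.server_max_version:
            info.server_max_version = line.split()[2]
        else:
            m = CIPHER_RE.match(line)
            if m:
                name, versions, level, fips = m.groups()
                info.ciphers.append(
                    (name, [v.strip() for v in versions.split(",")], level, fips == "fips"))
    return info


def accepted_tls_versions(info: SslInfo) -> list:
    """'tlsv1' means 'TLSv1 or greater'. Assumption: the upper bound is
    server-max-version when the release prints it, otherwise the highest
    version any cipher in the capability table lists."""
    lo = TLS_ORDER.index(info.server_version)
    if info.server_max_version:
        hi = TLS_ORDER.index(info.server_max_version)
    else:
        hi = max((TLS_ORDER.index(v) for _, vs, _, _ in info.ciphers
                  for v in vs if v in TLS_ORDER), default=lo)
    return TLS_ORDER[lo:hi + 1]


def weak_ciphers(info: SslInfo) -> list:
    """Ciphers usable at an accepted TLS version that the ASA labels 'low' or
    'not fips'. Whether the configured `ssl cipher` level actually offers
    them is not modelled here (assumption: checked separately)."""
    accepted = set(accepted_tls_versions(info))
    return sorted(name for name, vs, level, fips in info.ciphers
                  if (level == "low" or not fips) and accepted & set(vs))


def audit(text: str) -> dict:
    info = parse_show_ssl_information(text)
    versions = accepted_tls_versions(info)
    return {"min": info.server_version, "accepted": versions,
            "legacy": [v for v in versions if v in ("tlsv1", "tlsv1.1")],
            "weak_ciphers": weak_ciphers(info)}


# Constructed samples, trimmed from the 9.16(2) and 9.20(2) output above.
SAMPLE_9_16_2 = """\
Default setting with 3des or higher cipher support:
  ssl server-version tlsv1 dtlsv1
  ssl client-version tlsv1
  ssl cipher default medium
Display all of the cipher capabilities:
  CIPHER([VERSIONS], CIPHER_LEVEL, FIPS_COMPLIANCE)
  ECDHE-RSA-AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  AES128-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], medium, fips)
  DES-CBC3-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], low, not fips)
  DES-CBC-SHA ([tlsv1], low, not fips)
"""

SAMPLE_9_20_2 = """\
Default setting with 3des or higher cipher support:
  ssl server-version tlsv1.2 dtlsv1.2
  ssl client-version tlsv1.2
  ssl server-max-version tlsv1.3
  ssl cipher default medium
Display all of the cipher capabilities:
  CIPHER([VERSIONS], CIPHER_LEVEL, FIPS_COMPLIANCE)
  TLS_AES_256_GCM_SHA384 ([tlsv1.3], high, fips)
  TLS_CHACHA20_POLY1305_SHA256 ([tlsv1.3], high, not fips)
  ECDHE-RSA-AES256-GCM-SHA384 ([tlsv1.2, dtlsv1.2], high, fips)
  DES-CBC3-SHA ([tlsv1, tlsv1.1, dtlsv1, tlsv1.2, dtlsv1.2], low, not fips)
  DES-CBC-SHA ([tlsv1], low, not fips)
"""

if __name__ == "__main__":
    for label, sample in (("9.16(2)", SAMPLE_9_16_2), ("9.20(2)", SAMPLE_9_20_2)):
        print(label, audit(sample))
```

Run against the 9.16(2) sample it reports tlsv1 and tlsv1.1 as accepted legacy versions and both DES ciphers as reachable; against the 9.20(2) sample the legacy list is empty, DES-CBC-SHA drops out because it only applies to tlsv1, and the ChaCha20 suite is flagged only for being marked `not fips`. Feed it the real `show ssl information` output of a device to see which of the defaults in this post the box still carries.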