moving from sha1 to sha2 for sslvpn

Hi -

I have an asa-5550 running 8.4(7)26; it supports SHA-2 256, 385 & 512K per the release note.

Currently, we are using SHA-1 for sslvpn (client & clientless) and would like to migrate to a SHA-2 certificate.

However, under Configuration --> Remote Access VPN --> Advanced --> SSL Settings ... I don't see any SHA2 encryption algorithms. All I see are ssl encryption aes256-sha1 aes128-sha1 3des-sha1 ... etc.

Question - how to enable sha2-256 encryption?

Any help is much appreciated, thanks.

 

Comments

  • SHA is not an encryption algorithm, it is an integrity algorithm, just like MD5. It is for sure supported for IKEv2, in upcoming codes you should also see it for SSL.

  • jchan ✭✭

    My bad, yes, it is an integrity algorithm, not an encryption algorithm. Thanks for pointing it out.

    Googled it, 8.4.x seems to support SHA-2 for IKEv2 IPsec VPN; does anyone know whether ASA 8.4.x supports SHA-2 for sslvpn?

    [Updated]

    Per the link below, SHA-2 for SSL was added in 8.4.1:

    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/release/notes/asarn84.html

    SSL SHA-2 digital signature

    This release supports the use of SHA-2 compliant signature algorithms to authenticate SSL VPN connections that use digital certificates. Our support for SHA-2 includes all three hash sizes: SHA-256, SHA-384, and SHA-512. SHA-2 requires AnyConnect 2.5.1 or later (2.5.2 or later recommended). This release does not support SHA-2 for other uses or products. This feature does not involve configuration changes.

    Caution: To support failover of SHA-2 connections, the standby ASA must be running the same image. To support this feature, we added the Signature Algorithm field to the show crypto ca certificate command to identify the digest algorithm used when generating the signature.

    But back to my original question: how to enable it? I couldn't find the commands.

    Ah, it looks like I am answering my own question. Per the above text, it says, "This feature does not involve configuration changes."
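As an added example (not from the thread, and not Cisco tooling): the release note quoted above is about the signature algorithm on the VPN certificate, which is separate from the `ssl encryption aes256-sha1 ...` cipher list, where "sha1" is the HMAC used by the TLS record layer. The script below is an off-box migration check that reports which signature algorithm a certificate carries, using a constructed self-signed SHA-256 certificate as sample input; it assumes only that the openssl CLI is installed.

```shell
#!/bin/sh
# Added example: classify a VPN server certificate's signature algorithm
# as SHA-2 family or not. Assumes the openssl CLI (hypothetical paths only).
set -e

# Print the signature algorithm of a PEM certificate,
# e.g. sha256WithRSAEncryption (first match only).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Signature Algorithm:/ { print $3; exit }'
}

# Return 0 if the algorithm name is in the SHA-2 family
# (SHA-256 / SHA-384 / SHA-512), otherwise 1.
is_sha2_sig() {
    case "$1" in
        sha256*|sha384*|sha512*|*SHA256*|*SHA384*|*SHA512*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample input: a throwaway self-signed certificate signed
# with SHA-256, standing in for the certificate the ASA would present.
make_sample_cert() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=vpn.example.test" \
        -keyout "$tmp/key.pem" -out "$tmp/cert.pem" >/dev/null 2>&1
    echo "$tmp/cert.pem"
}

# Human-readable verdict for one certificate file.
check_cert() {
    alg=$(cert_sig_alg "$1")
    if is_sha2_sig "$alg"; then
        echo "$1: $alg (SHA-2 family, fine for the migration)"
    else
        echo "$1: $alg (not SHA-2, certificate should be reissued)"
    fi
}

# Stand-alone run: check the constructed sample certificate.
check_cert "$(make_sample_cert)"
```

To check a live SSL VPN, save the presented certificate with `openssl s_client -connect host:443 -showcerts` and pass that PEM file to `check_cert`.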

     

  • If the command is missing, it means it is not supported.


    On Apr 15, 2015, at 22:13, jchan <[email protected]> wrote:

    My bad, yes, it is an integrity algorithm, not an encryption algorithm. Thanks for pointing it out.

    Googled it, 8.4.x seems to support SHA-2 for IKEv2 IPsec VPN; does anyone know whether ASA 8.4.x supports SHA-2 for sslvpn?

     



