Updating your ASA's Cipher Suite

To update the TLS cipher suites on an ASA:

Procedure


Step 1

Connect to the ASA using SSH.

Step 2

Once connected to the ASA, elevate your privileges to global configuration mode. Your prompt should look like this: asaname(config)#

Step 3

At the prompt, enter a command similar to this:

ssl cipher tlsv1.2 custom "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA256 DHE-RSA-AES256-SHA256"

Note

The cipher suites this command configures your ASA to support are listed between the quotes that follow the word custom. In this command, the list begins with ECDHE-RSA-AES128-GCM-SHA256 and ends with DHE-RSA-AES256-SHA256. Before you enter the command on your ASA, remove any cipher suites you know your ASA will not support.

Step 4

After you submit the command, enter write memory at the prompt to save the local configuration. For example: asaname(config)# write memory
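
An added example, not part of the original procedure or Cisco's own tooling: a Python helper that builds the Step 3 command from the page's suite list after dropping suites the ASA does not support, and audits a configuration line against it. The supported-suite list, the sample configuration line and all function names are constructed for illustration, and the audit assumes the configuration shows the line in the same form in which it was entered.

```python
import re

# Suite list exactly as it appears in the Step 3 command above.
PAGE_SUITES = (
    "ECDHE-RSA-AES128-GCM-SHA256 ECDHE-ECDSA-AES128-GCM-SHA256 "
    "ECDHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-GCM-SHA384 "
    "DHE-RSA-AES128-GCM-SHA256 ECDHE-RSA-AES128-SHA256 DHE-RSA-AES128-SHA256 "
    "ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA384 ECDHE-RSA-AES256-SHA256 "
    "DHE-RSA-AES256-SHA256"
).split()

# Constructed sample: suites the operator has confirmed this ASA supports.
SAMPLE_SUPPORTED = [s for s in PAGE_SUITES if "GCM" in s] + [
    "DHE-RSA-AES128-SHA256", "AES256-SHA"]

LINE_RE = re.compile(r'\s*ssl cipher (\S+) custom "([^"]*)"\s*')

def parse_cipher_line(line):
    """Split an 'ssl cipher <version> custom "<suites>"' line into (version, suites)."""
    m = LINE_RE.fullmatch(line)
    if m is None:
        raise ValueError("not an 'ssl cipher ... custom' line: %r" % line)
    return m.group(1), m.group(2).split()

def build_command(wanted, supported, version="tlsv1.2"):
    """Keep the wanted suites the ASA supports, in order; return (command, dropped)."""
    supported = set(supported)
    kept, dropped = [], []
    for suite in dict.fromkeys(wanted):          # de-duplicate, keep order
        (kept if suite in supported else dropped).append(suite)
    if not kept:
        raise ValueError("no supported suite left; refusing to build an empty list")
    return 'ssl cipher %s custom "%s"' % (version, " ".join(kept)), dropped

def audit(running_line, intended_command):
    """Compare a line from the saved configuration with the intended command."""
    run_ver, running = parse_cipher_line(running_line)
    want_ver, wanted = parse_cipher_line(intended_command)
    return {
        "version_ok": run_ver == want_ver,
        "order_ok": running == wanted,
        "missing": [s for s in wanted if s not in running],
        "unexpected": [s for s in running if s not in wanted],
    }

if __name__ == "__main__":
    command, dropped = build_command(PAGE_SUITES, SAMPLE_SUPPORTED)
    print(command)
    print("dropped:", ", ".join(dropped))
```

Running the audit again after write memory confirms that the saved line still matches what was intended and that no unlisted suite has been left enabled.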