Cisco Bug: CSCvt99368 - Removal of weak TLS/DTLS cipher suites & IKEv2/IPSec algorithms from Anyconnect client
Sep 11, 2020
- Cisco AnyConnect Secure Mobility Client
Known Affected Releases
4.7(4056) 4.8(3036) 4.9(0)
Symptom: Some TLS/DTLS cipher suites and IKEv2/IPsec crypto algorithms are no longer allowed per the Cisco Product Security Baseline (PSB). AnyConnect sends a hard-coded list of cipher suites for VPN session negotiation. Since there is no way for the end user to alter this list, the weak cipher suites and algorithms must be removed.

For TLS and DTLS:
- DHE-RSA-AES256-SHA
- DES-CBC3-SHA

For IKEv2/IPsec:
- Encryption algorithms: DES and 3DES
- Pseudo Random Function (PRF) algorithm: MD5
- Integrity algorithm: MD5
- Diffie-Hellman (DH) groups: 2, 5, 14, 24

Conditions: Weak TLS/DTLS cipher suites and IKEv2/IPsec crypto algorithms are still supported on pre-4.9 AC packages.
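Because the client's list is hard-coded, the practical question for an administrator is whether any headend IKEv2 policy or TLS cipher list still depends on the removed algorithms, since a 4.9 client can no longer match them. The following Python script is an added example, not Cisco's code and not part of this bug record: it parses a constructed configuration excerpt assumed to follow the ASA `crypto ikev2 policy` syntax (`encryption`, `integrity`, `group`, `prf` lines under each policy), reports which values the 4.9 client no longer offers, and flags policies that become unusable because every option in some parameter was removed. The TLS helper does the same for a list of cipher-suite names in OpenSSL notation, as the bug text gives them.

```python
"""Audit headend IKEv2 policies and TLS cipher lists against the algorithms
the AnyConnect 4.9 client no longer offers (CSCvt99368).

Added example, not Cisco's code. SAMPLE_CONFIG is constructed and assumed to
follow ASA 'crypto ikev2 policy' syntax; adapt parse_ikev2_policies() if your
platform prints policies differently."""
import re

# Values removed from the client, taken from the bug text.
REMOVED_ENCRYPTION = {"des", "3des"}
REMOVED_INTEGRITY = {"md5"}
REMOVED_PRF = {"md5"}
REMOVED_DH_GROUPS = {"2", "5", "14", "24"}
REMOVED_TLS_SUITES = {"DHE-RSA-AES256-SHA", "DES-CBC3-SHA"}

# Constructed sample: policy 1 is mostly fine, policy 10 relies on removed algorithms.
SAMPLE_CONFIG = """\
crypto ikev2 policy 1
 encryption aes-256
 integrity sha256
 group 19 14
 prf sha256
 lifetime seconds 86400
crypto ikev2 policy 10
 encryption 3des des
 integrity md5 sha
 group 2 5
 prf md5
 lifetime seconds 86400
crypto ikev2 enable outside
"""

PARAMS = ("encryption", "integrity", "prf", "group")


def parse_ikev2_policies(config: str) -> dict:
    """Return {policy_number: {param: [values...]}} for each 'crypto ikev2 policy' block."""
    policies = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        header = re.match(r"crypto ikev2 policy (\d+)$", line)
        if header:
            current = policies.setdefault(header.group(1), {p: [] for p in PARAMS})
            continue
        if not raw.startswith(" "):
            current = None  # an unindented line ends the policy block
            continue
        if current is None:
            continue
        parts = line.split()
        if parts and parts[0] in current:
            current[parts[0]].extend(parts[1:])
    return policies


def audit_ikev2_policies(policies: dict) -> dict:
    """For each policy that references a removed value, list the removed values per
    parameter and flag it unusable when some parameter has no surviving option."""
    removed_sets = {
        "encryption": REMOVED_ENCRYPTION,
        "integrity": REMOVED_INTEGRITY,
        "prf": REMOVED_PRF,
        "group": REMOVED_DH_GROUPS,
    }
    report = {}
    for num, policy in policies.items():
        removed = {p: [v for v in policy[p] if v in removed_sets[p]] for p in PARAMS}
        # A parameter whose every configured value was removed cannot be negotiated at all.
        unusable = any(policy[p] and len(removed[p]) == len(policy[p]) for p in PARAMS)
        if any(removed.values()):
            report[num] = {"removed": removed, "unusable_by_4_9": unusable}
    return report


def weak_tls_suites(offered: list) -> list:
    """Suites in the headend's TLS/DTLS list that the 4.9 client will no longer send."""
    return [suite for suite in offered if suite in REMOVED_TLS_SUITES]


def run_audit(config: str = SAMPLE_CONFIG) -> dict:
    """Convenience entry point: parse and audit a configuration text."""
    return audit_ikev2_policies(parse_ikev2_policies(config))


if __name__ == "__main__":
    for num, finding in run_audit().items():
        status = "UNUSABLE" if finding["unusable_by_4_9"] else "degraded"
        print(f"policy {num}: {status} {finding['removed']}")
    print("weak TLS suites:", weak_tls_suites(["ECDHE-RSA-AES256-GCM-SHA384", "DES-CBC3-SHA"]))
```

A policy that is only degraded still negotiates with a 4.9 client (the client picks the surviving option), but it is worth trimming the removed values so that older clients cannot keep selecting them.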