Cisco Bug: CSCvt99368 - Removal of weak TLS/DTLS cipher suites & IKEv2/IPSec algorithms from Anyconnect client

Last Modified

Sep 11, 2020

Products (1)

  • Cisco AnyConnect Secure Mobility Client

Known Affected Releases

  • 4.7(4056)
  • 4.8(3036)
  • 4.9(0)

Description (partial)

Symptom:
Some TLS/DTLS cipher suites and IKEv2/IPsec crypto algorithms are no longer allowed under the Cisco Product Security Baseline (PSB). AnyConnect sends a hard-coded list of cipher suites for VPN session negotiation. Since there is no way for the end user to alter this list, the weak cipher suites and algorithms must be removed from the client itself.

For TLS and DTLS:
    DHE-RSA-AES256-SHA and DES-CBC3-SHA
For IKEv2/IPsec:
    Encryption algorithms: DES and 3DES
    Pseudo Random Function (PRF) algorithm: MD5
    Integrity algorithm: MD5
    Diffie-Hellman (DH) groups: 2, 5, 14, 24

Conditions:
Weak TLS/DTLS cipher suites and IKEv2/IPsec crypto algorithms are still supported on pre-4.9 AnyConnect (AC) packages.