Cisco Bug: CSCvv67721 - When using cut-through proxy, ECDHE ciphers do not get selected in SSL handshake

Last Modified

Sep 30, 2020

Products (1)

  • Cisco ASA 5500-X Series Firewalls

Known Affected Releases

9.8(4.25)

Description (partial)

Symptom:
When the ASA is configured as a cut-through proxy, it does not select ECDHE ciphers during the SSL handshake even when the client offers them.

The following SSL cipher configuration is in place:

sh run ssl
ssl server-version tlsv1.2
ssl cipher default custom "ECDHE-ECDSA-AES256-SHA384"
ssl cipher tlsv1 custom "ECDHE-ECDSA-AES256-SHA384:AES256-SHA"
ssl cipher tlsv1.1 low
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-SHA384"
ssl cipher dtlsv1 custom "ECDHE-ECDSA-AES256-SHA384:AES256-SHA"
ssl dh-group group24

Conditions:
ASA configured as a cut-through proxy.
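As an added check (not part of the Cisco bug record or any Cisco tool), the following POSIX shell script probes a TLS endpoint with openssl s_client, offering the ECDHE suite from the configuration above plus a non-ECDHE fallback, and reports which suite the far end actually selected. It assumes openssl(1) is installed; the host and port are arguments you supply, and the sample s_client output used for the offline parser check is constructed.

```shell
#!/bin/sh
# Added example (not from the Cisco bug record): parse the "Cipher" line that
# openssl s_client prints and report whether an ECDHE suite was negotiated.
# Assumes openssl(1) is installed for the live probe; the parser runs offline.

# negotiated_cipher: read s_client output on stdin, print the negotiated cipher name.
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | head -n 1
}

# is_ecdhe CIPHER: exit 0 when the suite name uses an ECDHE key exchange.
is_ecdhe() {
    case "$1" in
        ECDHE-*) return 0 ;;
        *)       return 1 ;;
    esac
}

# probe_host HOST [PORT]: offer the ECDHE suite from the bug's configuration plus
# a non-ECDHE fallback, then report what the proxy actually picked (assumed probe,
# not a Cisco-provided check).
probe_host() {
    host=$1
    port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -tls1_2 \
            -cipher 'ECDHE-ECDSA-AES256-SHA384:AES256-SHA' </dev/null 2>/dev/null)
    cipher=$(printf '%s\n' "$out" | negotiated_cipher)
    if is_ecdhe "$cipher"; then
        echo "OK: $host:$port negotiated $cipher"
    else
        echo "WARN: $host:$port negotiated ${cipher:-nothing} (ECDHE not selected)"
        return 1
    fi
}

# Constructed sample of the relevant s_client output, for offline use only;
# it shows a proxy that fell back to the non-ECDHE suite.
SAMPLE_OUTPUT='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : AES256-SHA
    Session-ID: 0123'

# Usage: probe_host proxy.example.invalid 443
```

A healthy endpoint prints an ECDHE suite on the "Cipher" line; seeing AES256-SHA selected while an ECDHE suite was offered reproduces the symptom described above.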