Today I was setting up an ASA5520 for a customer. All the basic functions were done, and at the very end the customer said he wanted a VPN so he could manage his internal devices remotely. Ha, piece of cake. It was getting late, so to save myself some effort I recommended AnyConnect: a few commands and done. As it turned out, nothing got saved; trouble came instead....
I typed in those few commands everyone on earth knows, connected my laptop to the outside network, opened IE, entered the address, and... nothing. Ugh! Quickly checked the config: nothing wrong; port 443: open; version: 8.2, correct. Damn!
No way around it. I calmed down and started debugging....
To keep it simple, only capture the SSL VPN debug output into the local buffer:
logging list buffer_debug level debugging class ssl // define a logging list for the ssl class at debugging level
logging buffered buffer_debug // send that list to the buffer
logging buffer-size 40960 // enlarge the buffer a bit
logging enable // enable logging globally
debug ssl 255 // turn on SSL debugging at the highest level
Connect once more, then go back to the device and pull up the log:
show logging
Syslog logging: enabled
Facility: 20
Timestamp logging: disabled
Standby logging: disabled
Debug-trace logging: disabled
Console logging: disabled
Monitor logging: disabled
Buffer logging: list buffer_debug, 125 messages logged
Trap logging: disabled
History logging: disabled
Device ID: disabled
Mail logging: disabled
ASDM logging: level informational, 776 messages logged
%ASA-6-725001: Starting SSL handshake with client Internet:221.223.233.187/51218 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client Internet:221.223.233.187/51218 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-725001: Starting SSL handshake with client Internet:221.223.233.187/51219 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client Internet:221.223.233.187/51219 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
Just look at the "Device supports the following 1 cipher(s)" lines and you will see it. I nearly fainted. Which reseller supplied this box? What a rip-off!
By default the device offered only one cipher suite, and the least trustworthy one at that, DES/SHA. My Win7/IE8 proposed 8 suites and not one of them matched; it would have been a miracle if it had connected!
Confirming once more:
show ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: des-sha1
Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
Now that the problem is found, it is easy to deal with: just give the device a few more cipher suites.
ssl encryption aes128-sha1 aes256-sha1 3des-sha1 rc4-sha1
Confirm:
sh ssl
Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
Enabled cipher order: aes128-sha1 aes256-sha1 3des-sha1 rc4-sha1
Disabled ciphers: des-sha1 rc4-md5 null-sha1
No SSL trust-points configured
Certificate authentication is not enabled
Connected again... hehe, it works. Done, pack up!
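As an added example (not part of the original post), here is a small Python script that does mechanically what the post does by eye: it reads the %ASA-7-725010 / 725008 / 725011 / 725014 lines from a debug buffer, collects the ciphers the ASA offers and the ciphers the client proposes per handshake, intersects the two lists, and, for a handshake that ends in "no shared cipher", proposes the `ssl encryption` keywords that would give the client something to agree on. The sample log is constructed from the trace above; the mapping from the OpenSSL-style names in the log to the ASA keyword names shown by `show ssl` is my assumption, as is the choice to leave des-sha1, rc4-md5 and null-sha1 out of the suggestion.

```python
import re

# Constructed sample: the first failed handshake from the debug buffer above,
# in the same %ASA-<level>-<id> format (not a capture from a live device).
SAMPLE_LOG = """\
%ASA-6-725001: Starting SSL handshake with client Internet:221.223.233.187/51218 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client Internet:221.223.233.187/51218 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
"""

LINE_RE = re.compile(r"^%ASA-\d-(\d+): (.*)$")
CLIENT_RE = re.compile(r"client [^\s:]+:(\d+(?:\.\d+){3}/\d+)")
CIPHER_RE = re.compile(r"Cipher\[\d+\] : (\S+)")

# Assumed correspondence between the cipher names printed in the debug log and
# the keywords accepted by "ssl encryption" (taken from the show ssl output).
OPENSSL_TO_ASA = {
    "AES128-SHA": "aes128-sha1", "AES256-SHA": "aes256-sha1",
    "DES-CBC3-SHA": "3des-sha1", "RC4-SHA": "rc4-sha1",
    "RC4-MD5": "rc4-md5", "DES-CBC-SHA": "des-sha1", "NULL-SHA": "null-sha1",
}
# Keywords we never suggest re-enabling (single DES, MD5 MAC, no encryption).
WEAK = {"des-sha1", "rc4-md5", "null-sha1"}


def shared_ciphers(server, proposed):
    """Ciphers present in both lists, kept in the client's preference order."""
    return [c for c in proposed if c in server]


def parse_ssl_debug(text):
    """Split a debug buffer into handshake records: who connected, what each side offered."""
    sessions, current, target = [], None, None
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg_id, body = m.groups()
        if msg_id == "725001":            # a new handshake starts a new record
            cm = CLIENT_RE.search(body)
            current = {"client": cm.group(1) if cm else "?",
                       "server": [], "proposed": [], "failed": False}
            sessions.append(current)
            target = None
        elif current is None:
            continue                      # stray lines before any handshake start
        elif msg_id == "725010":          # following Cipher[n] lines belong to the ASA
            target = current["server"]
        elif msg_id == "725008":          # following Cipher[n] lines belong to the client
            target = current["proposed"]
        elif msg_id == "725011" and target is not None:
            cm = CIPHER_RE.search(body)
            if cm:
                target.append(cm.group(1))
        elif msg_id == "725014" and "no shared cipher" in body:
            current["failed"] = True
    for s in sessions:
        s["shared"] = shared_ciphers(s["server"], s["proposed"])
    return sessions


def suggest_ssl_encryption(session):
    """ASA keywords, in the client's preference order, that would create an overlap."""
    keywords = []
    for name in session["proposed"]:
        kw = OPENSSL_TO_ASA.get(name)
        if kw and kw not in WEAK and kw not in keywords:
            keywords.append(kw)
    return keywords


def report(sessions):
    for s in sessions:
        status = "FAILED (no shared cipher)" if s["failed"] else "ok"
        print(f"{s['client']}: {status}; ASA offers {s['server']}; shared {s['shared']}")
        if s["failed"] and not s["shared"]:
            print("  suggested: ssl encryption " + " ".join(suggest_ssl_encryption(s)))


if __name__ == "__main__":
    report(parse_ssl_debug(SAMPLE_LOG))
```

Run against the buffer from `show logging`, it prints the client, the ASA's single DES-CBC-SHA offer, an empty intersection, and the suggestion `ssl encryption aes128-sha1 aes256-sha1 rc4-sha1 3des-sha1`, which is essentially the fix applied above. The DHE-DSS and EDH-DSS suites the client proposed have no keyword in the mapping and are simply skipped.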