Troubleshooting an ASA SSL *** cipher-matching problem (51CTO blog) - 千亿集团

2019-03-01 12:15:13 | Author: 鸿禧 | Tags: algorithm, device, beginning | Views: 1791

Today I was commissioning an ASA5520 for a customer. The basic features were all done when the customer asked to set up a *** so they could manage their internal devices remotely. Ha, easy, I thought; it was getting late, so to save myself some effort I recommended AnyConnect: a few commands and done. The result: no effort saved, and the trouble began...

I typed in the few commands everyone on the planet knows, connected my laptop to the Internet, opened IE and entered the address, and... nothing. Sweat. I quickly checked the configuration: correct; port 443: reachable; version: 8.2, correct. What the hell!

No way around it; I calmed down and started debugging...

To keep it simple, capture only the SSL *** debug output to the local buffer:

logging list buffer_debug level debugging class ssl    // define a logging list
logging buffered buffer_debug   // enable buffered logging
logging buffer-size 40960       // enlarge the buffer a bit
logging enable                  // enable logging globally
debug ssl 255                   // enable SSL debugging at the highest level

Connect once more, then go back to the device and pull up the log:

show logging

Syslog logging: enabled
    Facility: 20
    Timestamp logging: disabled
    Standby logging: disabled
    Debug-trace logging: disabled
    Console logging: disabled
    Monitor logging: disabled
    Buffer logging: list buffer_debug, 125 messages logged
    Trap logging: disabled
    History logging: disabled
    Device ID: disabled
    Mail logging: disabled
    ASDM logging: level informational, 776 messages logged
%ASA-6-725001: Starting SSL handshake with client Internet:221.223.233.187/51218 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client Internet:221.223.233.187/51218 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher
%ASA-6-725001: Starting SSL handshake with client Internet:221.223.233.187/51219 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client Internet:221.223.233.187/51219 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher

Look at the highlighted part and it's obvious. I nearly fainted: which reseller supplied this unit? What a rip-off!

By default the device offered only one encryption/authentication cipher suite, and the least trustworthy one at that, DES/SHA. My Win7/IE8 proposed 8 suites and none of them matched; it would have been a miracle if it had connected!

Confirm once more:

show ssl

Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
    Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
    Enabled cipher order: des-sha1
    Disabled ciphers: 3des-sha1 rc4-md5 rc4-sha1 aes128-sha1 aes256-sha1 null-sha1
    No SSL trust-points configured
    Certificate authentication is not enabled


Now that the problem was found, it was easy to deal with. Very simple: give the device a few more cipher suites:

ssl encryption aes128-sha1 aes256-sha1 3des-sha1 rc4-sha1

Confirm:

sh ssl
    Accept connections using SSLv2, SSLv3 or TLSv1 and negotiate to SSLv3 or TLSv1
    Start connections using SSLv3 and negotiate to SSLv3 or TLSv1
    Enabled cipher order: aes128-sha1 aes256-sha1 3des-sha1 rc4-sha1
    Disabled ciphers: des-sha1 rc4-md5 null-sha1
    No SSL trust-points configured
    Certificate authentication is not enabled

Connected again, and heh, it works. Done, time to pack up!
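As an added worked example (not code from the original post), the Python below parses the `debug ssl` buffer shown above, sorts the Cipher[] lines into the device's list and the client's list, and applies the ASA's server-preference rule: the first suite in the enabled cipher order that the client also offered wins, otherwise the handshake ends in "no shared cipher". It also checks any `ssl encryption` keyword list against the same client proposal; the keyword-to-OpenSSL-name mapping is assumed from the names that appear in this post's output.

```python
import re

# ASA keyword (as in "ssl encryption" / "show ssl") -> suite name as logged by %ASA-7-725011.
# Mapping assumed from the names seen in this post; verify against your own ASA release.
ASA_TO_OPENSSL = {"des-sha1": "DES-CBC-SHA", "3des-sha1": "DES-CBC3-SHA", "rc4-md5": "RC4-MD5",
                  "rc4-sha1": "RC4-SHA", "aes128-sha1": "AES128-SHA", "aes256-sha1": "AES256-SHA",
                  "null-sha1": "NULL-SHA"}
_CIPHER = re.compile(r"%ASA-7-725011: Cipher\[\d+\] : (\S+)")

def parse_handshakes(lines):
    """Split a 'debug ssl' buffer into sessions (one per 725001); Cipher[] lines that follow
    725010 belong to the device, those after 725008 to the client; 725014 carries the error."""
    sessions, side = [], None
    for line in lines:
        if "%ASA-6-725001" in line:
            sessions.append({"device": [], "client": [], "error": None})
            side = None
        elif "%ASA-7-725010" in line:
            side = "device"
        elif "%ASA-7-725008" in line:
            side = "client"
        elif "%ASA-7-725014" in line and sessions:
            sessions[-1]["error"] = line.split("Reason: ", 1)[-1].strip()
        elif (m := _CIPHER.search(line)) and side and sessions:
            sessions[-1][side].append(m.group(1))
    return sessions

def negotiate(server_order, client_offers):
    """Server-preference selection: first suite in the ASA's enabled order the client also offers."""
    offered = set(client_offers)
    return next((s for s in server_order if s in offered), None)  # None == "no shared cipher"

def negotiate_asa(enabled_cipher_order, client_offers):
    """Same check, driven by the keyword list from 'show ssl' or an 'ssl encryption' line."""
    return negotiate([ASA_TO_OPENSSL[k] for k in enabled_cipher_order.split()], client_offers)

# One failing handshake, copied from the post's 'show logging' output above.
SAMPLE_LOG = """\
%ASA-6-725001: Starting SSL handshake with client Internet:221.223.233.187/51218 for TLSv1 session.
%ASA-7-725010: Device supports the following 1 cipher(s).
%ASA-7-725011: Cipher[1] : DES-CBC-SHA
%ASA-7-725008: SSL client Internet:221.223.233.187/51218 proposes the following 8 cipher(s).
%ASA-7-725011: Cipher[1] : AES128-SHA
%ASA-7-725011: Cipher[2] : AES256-SHA
%ASA-7-725011: Cipher[3] : RC4-SHA
%ASA-7-725011: Cipher[4] : DES-CBC3-SHA
%ASA-7-725011: Cipher[5] : DHE-DSS-AES128-SHA
%ASA-7-725011: Cipher[6] : DHE-DSS-AES256-SHA
%ASA-7-725011: Cipher[7] : EDH-DSS-DES-CBC3-SHA
%ASA-7-725011: Cipher[8] : RC4-MD5
%ASA-7-725014: SSL lib error. Function: SSL3_GET_CLIENT_HELLO Reason: no shared cipher""".splitlines()
```

With the post's original order `des-sha1` the result is None, matching the logged "no shared cipher"; with the corrected `aes128-sha1 aes256-sha1 3des-sha1 rc4-sha1` the ASA selects AES128-SHA for this client.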
