About SSL Settings

The Firepower Threat Defense device uses the Secure Sockets Layer (SSL) protocol and Transport Layer Security (TLS) to support secure message transmission for Remote Access VPN connection from remote clients. The SSL Settings window lets you configure SSL versions and encryption algorithms that will be negotiated and used for message transmission during remote VPN access over SSL.

Configure the SSL Settings at the following location:

Devices > Platform Settings > SSL

Fields

Minimum SSL Version as Server—Specify the minimum SSL/TLS protocol version that the FTD device uses when acting as a server. For example, when it functions as a Remote Access VPN Gateway.

TLS Version—Select one of the following TLS versions from the drop-down list:

TLS V1

Accepts SSLv2 client hellos and negotiates TLSv1 (or greater).

TLSV1.1

Accepts SSLv2 client hellos and negotiates TLSv1.1 (or greater).

TLSV1.2

Accepts SSLv2 client hellos and negotiates TLSv1.2 (or greater).

DTLS Version—Select the DTLS versions from the drop-down list, based on the selected TLS version. By default, DTLSv1 is configured on FTD devices, you can choose the DTLS version as per your requirement.

Note

Ensure that the TLS protocol version is higher than or equal to the DTLS protocol version selected. TLS protocol versions support the following DTLS versions:

TLS V1

DTLSv1

TLSV1.1

DTLSv1

TLSV1.2

DTLSv1, DTLSv1.2

Diffie-Hellman Group—Choose a group from the drop-down list. Available options are Group1 - 768-bit modulus, Group2 - 1024-bit modulus, Group5 - 1536-bit modulus, Group14 - 2048-bit modulus, 224-bit prime order, and Group24 - 2048-bit modulus, 256-bit prime order. The default is Group1.

Elliptical Curve Diffie-Hellman Group—Choose a group from the drop-down list. Available options are Group19 - 256-bit EC, Group20 - 384-bit EC, and Group21 - 521-bit EC. The default value is Group19.

TLSv1.2 adds support for the following ciphers:

  • ECDHE-ECDSA-AES256-GCM-SHA384

  • ECDHE-RSA-AES256-GCM-SHA384

  • DHE-RSA-AES256-GCM-SHA384

  • AES256-GCM-SHA384

  • ECDHE-ECDSA-AES256-SHA384

  • ECDHE-RSA-AES256-SHA384

  • ECDHE-ECDSA-AES128-GCM-SHA256

  • ECDHE-RSA-AES128-GCM-SHA256

  • DHE-RSA-AES128-GCM-SHA256

  • RSA-AES128-GCM-SHA256

  • ECDHE-ECDSA-AES128-SHA256

  • ECDHE-RSA-AES128-SHA256

    Note
    ECDSA and DHE ciphers are the highest priority.
The SSL configuration table can be used to specify the protocol version, security level, and Cipher algorithms that you want to support on the Firepower Threat Defense devices.

Protocol Version—Lists the protocol version that the Firepower Threat Defense device supports and uses for SSL connections. Available protocol versions are:

  • Default

  • TLSV1

  • TLSV1.1

  • TLSV1.2

  • DTLSv1

  • DTLSv1.2

Security Level—Lists the cipher security levels that Firepower Threat Defense device supports and uses for SSL connections.

If you have Firepower Threat Defense devices with evaluation license, the security level is Low by default. With Firepower Threat Defense smart license, the default security level is High. You can choose one of the following options to configure the required security level:

  • All includes all ciphers, including NULL-SHA.

  • Low includes all ciphers, except NULL-SHA.

  • Medium includes all ciphers, except NULL-SHA, DES-CBC-SHA, RC4-SHA, and RC4-MD5 (this is the default).

  • Fips includes all FIPS-compliant ciphers, except NULL-SHA, DES-CBC-SHA, RC4-MD5, RC4-SHA, and DES-CBC3-SHA.

  • High includes only AES-256 with SHA-2 ciphers and applies to TLS version 1.2 and the default version.

  • Custom includes one or more ciphers that you specify in the Cipher algorithms/custom string box. This option provides you with full control of the cipher suite using OpenSSL cipher definition strings.

Cipher Algorithms/Custom String—Lists the cipher algorithms that Firepower Threat Defense device supports and uses for SSL connections. For more information about ciphers using OpenSSL, see https://www.openssl.org/docs/apps/ciphers.html

The Firepower Threat Defense device specifies the order of priority for supported ciphers as:

Ciphers supported by TLSv1.2 only

ECDHE-ECDSA-AES256-GCM-SHA384

ECDHE-RSA-AES256-GCM-SHA384

DHE-RSA-AES256-GCM-SHA384

AES256-GCM-SHA384

ECDHE-ECDSA-AES256-SHA384

ECDHE-RSA-AES256-SHA384

DHE-RSA-AES256-SHA256

AES256-SHA256

ECDHE-ECDSA-AES128-GCM-SHA256

ECDHE-RSA-AES128-GCM-SHA256

DHE-RSA-AES128-GCM-SHA256

AES128-GCM-SHA256

ECDHE-ECDSA-AES128-SHA256

ECDHE-RSA-AES128-SHA256

DHE-RSA-AES128-SHA256

AES128-SHA256

Ciphers not supported by TLSv1.1 or TLSv1.2

RC4-SHA

RC4-MD5

DES-CBC-SHA

NULL-SHA