Solved: Does Cisco's ESA support TLS 1.3?

tenorabile · ‎12-17-2019

I haven't been able to find any details on when/how Cisco will support TLS 1.3 on the email security devices. Any links you can share?

Thank you,

Jason

Mathew Huynh · ‎12-20-2019

Hello all,

Please note timelines may change if circumstances come up to affect it, but at the moment of this email - it is on the product teams roadmap as an item for implementation - however there are no commit dates that can be provided at this stage.

Regards,

Mathew

View solution in original post

balaji.bandi · ‎12-17-2019

When i was looking for WSA/ESA , it was not supported and it was still in Draft, I have not checked recently 12.X might have support.

https://blogs.cisco.com/security/tls-version-1-3-change-is-here-and-encrypted-traffic-analytics-has-got-your-back

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

tenorabile · ‎12-17-2019

Thank you for the reply! I saw that article but it doesn’t give timetables for ESA support. We are at AsyncOS 12.5 now – perhaps 13 will support it.

Ken Stieers · ‎12-17-2019

WSA 12.x that is currently in beta does support TLS 1.3.

Ken Stieers · ‎12-17-2019

I'm in the beta for 13.5. It's not there yet...

marc.luescherFRE · ‎12-18-2019

and just checking traffic last 30 days, we got ) TLS v1.3 messages so far, guess we have a bot of time

Mathew Huynh · ‎12-20-2019

Hello all,

Please note timelines may change if circumstances come up to affect it, but at the moment of this email - it is on the product teams roadmap as an item for implementation - however there are no commit dates that can be provided at this stage.

Regards,

Mathew

pverberne · ‎03-28-2021

Hi Mathew,

The release notes of ESA 14 don´t show any information regarding TLSv1.3. Is support for TLSv1.3 pushed back to later versions of ESA?

Regards,

Paddy

lkgs · ‎05-22-2023

It is 2023, five years after the release of the standard, and a "security" appliance cannot do TLS 1.3. An indictment, no one has to wonder why such products are often called snake oil.

A growing number of mail servers only support TLS 1.3 for encryption, which with an ESA means that these connections are only established unencrypted, or not at all if enforced.

Our goal is to only accept encrypted SMTP connections, but with the ESA this seems utopian due to the lack of support for modern cryptography. You pay several thousand Euros a year for this product and in the end you have to put an open source system in front of it as a smarthost to be state of the art and therefore compatible to other organizations.

Mathew Huynh · ‎05-22-2023

Hello Ikgs,

I understand the sentiment, this has been a feature I've been advocating in terms of getting implemented into the environment as we want to continue to improve in the security space.

As at this moment, TLS1.3 is slated to be made available on our Cloud Secure Email Gateway (CES) environment first in the Cloud only release of 15.3 due later this year. The On-prem and Virtual ESA environments will see it in the following build there after.

In terms of exact time-lines, I am unable to share as different circumstances may arise with it, however its tentatively looking to be Q3 CY2023 (Subject to change if any critical concerns arise).

Thanks,

Mathew

svgeorgi · ‎05-04-2021

There is an enhancement request filed for TLSv1.3 here:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf81830

Its status is still marked "Open" as of the current moment. Would suggest to subscribe for any changes regarding it.

pverberne · ‎05-04-2021

Thanks. I subscribed.

Do you happen to know where I can find additional information regarding a timeline for TLSv1.3? The release notes of AsyncOS 14 don't offer any clue. All that I found (using: https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa14-0/Open_Source_Used_in_AsyncOS_14-0_for_Cisco_Secure_Email_Gateway.pdf) is that this version ships with openssl 1.0.2r (as a maximum version) and that for TLSv1.3 to be supported a minumum version of 1.1.1 is needed.

svgeorgi · ‎05-04-2021

Unfortunately, cannot share any timelines or roadmaps for future releases of AsyncOS.

SaschaHoppe0579 · ‎08-02-2021

It's mid year 2021 and still no TLS 1.3 support? no date? no plans? really?

Mathew Huynh · ‎08-02-2021

Hello Sascha,

I don't have an available date to share at this stage - however I can see internally it is on the roadmap for implementation. Once we have confirmation of a commit date; I will strive to share more details. At the moment it is on the agenda just cannot share when at this point.

Thank you,

Mathew