Does Cisco's ESA support TLS 1.3?

tenorabile
Level 1

I haven't been able to find any details on when/how Cisco will support TLS 1.3 on the email security devices. Any links you can share?

Thank you,

Jason

22 Replies

balaji.bandi
Hall of Fame

When I was looking for WSA/ESA, it was not supported and it was still in Draft. I have not checked recently; 12.X might have support.

https://blogs.cisco.com/security/tls-version-1-3-change-is-here-and-encrypted-traffic-analytics-has-got-your-back

BB

Thank you for the reply! I saw that article but it doesn’t give timetables for ESA support. We are at AsyncOS 12.5 now – perhaps 13 will support it.

WSA 12.x that is currently in beta does support TLS 1.3.

I'm in the beta for 13.5. It's not there yet...

And just checking traffic for the last 30 days, we got 0 TLS v1.3 messages so far, so I guess we have a bit of time.

Mathew Huynh
Cisco Employee

Hello all,

Please note timelines may change if circumstances come up to affect it, but at the moment of this email - it is on the product teams roadmap as an item for implementation - however there are no commit dates that can be provided at this stage.

Regards,

Mathew

Hi Mathew,

The release notes of ESA 14 don't show any information regarding TLSv1.3. Is support for TLSv1.3 pushed back to later versions of ESA?

Regards,

Paddy

It is 2023, five years after the release of the standard, and a "security" appliance cannot do TLS 1.3. An indictment; no one has to wonder why such products are often called snake oil.

A growing number of mail servers only support TLS 1.3 for encryption, which with an ESA means that these connections are only established unencrypted, or not at all if enforced.

Our goal is to only accept encrypted SMTP connections, but with the ESA this seems utopian due to the lack of support for modern cryptography. You pay several thousand Euros a year for this product, and in the end you have to put an open source system in front of it as a smarthost to be state of the art and therefore compatible with other organizations.
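
As an added example (not from this thread, Cisco, or the ESA), a small Python check that quantifies the exposure the post above describes from delivery logs: how many deliveries negotiated each TLS version, whether any TLS 1.3 sessions occurred at all (the 30-day check an earlier reply did by hand), and which peers were delivered to in plaintext right after a protocol-negotiation failure, i.e. the peers that would become undeliverable if encryption were enforced. The log lines and their key=value format are constructed for the example and are not the ESA's real log format.

```python
import re
from collections import Counter

# Constructed sample of outbound SMTP delivery log lines in a hypothetical
# format (NOT the ESA's real log format). A "tls_failed" event followed by a
# "deliver ... tls=none" to the same peer is the opportunistic-TLS downgrade.
SAMPLE_LOG = """\
2023-03-01T10:00:01 deliver to=mx.example.org tls=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
2023-03-01T10:00:05 deliver to=mx.example.org tls=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384
2023-03-01T10:01:10 tls_failed to=mail.partner.example reason=no_shared_protocol
2023-03-01T10:01:11 deliver to=mail.partner.example tls=none
2023-03-01T10:02:00 deliver to=smtp.vendor.test tls=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256
2023-03-01T10:03:30 tls_failed to=secure.bank.example reason=no_shared_protocol
2023-03-01T10:03:31 deliver to=secure.bank.example tls=none
2023-03-01T10:04:00 deliver to=legacy.example.net tls=TLSv1.0 cipher=AES256-SHA
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) to=(?P<peer>\S+)(?P<rest>.*)$")
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse(log_text):
    """Yield (event, peer, attrs) for each well-formed line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        yield m.group("event"), m.group("peer"), dict(KV_RE.findall(m.group("rest")))


def tls_exposure(log_text):
    """Count deliveries per negotiated TLS version and list peers that were
    delivered to in plaintext after a protocol-negotiation failure."""
    versions = Counter()
    failed_peers = set()      # peers where no protocol version was shared
    downgraded = set()        # ...and which we then reached in plaintext
    for event, peer, attrs in parse(log_text):
        if event == "tls_failed" and attrs.get("reason") == "no_shared_protocol":
            failed_peers.add(peer)
        elif event == "deliver":
            version = attrs.get("tls", "none")
            versions[version] += 1
            if version == "none" and peer in failed_peers:
                downgraded.add(peer)
    return {
        "versions": dict(versions),
        "tls13_deliveries": versions.get("TLSv1.3", 0),
        "downgraded_peers": sorted(downgraded),  # undeliverable if TLS were enforced
    }


if __name__ == "__main__":
    print(tls_exposure(SAMPLE_LOG))
```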

Hello Ikgs,

I understand the sentiment; this has been a feature I've been advocating for in terms of getting implemented into the environment, as we want to continue to improve in the security space.

As of this moment, TLS 1.3 is slated to be made available on our Cloud Secure Email Gateway (CES) environment first, in the Cloud-only release of 15.3 due later this year. The on-prem and virtual ESA environments will see it in the following build thereafter.

In terms of exact timelines, I am unable to share, as different circumstances may arise with it; however, it's tentatively looking to be Q3 CY2023 (subject to change if any critical concerns arise).

Thanks,

Mathew

svgeorgi
Cisco Employee

There is an enhancement request filed for TLSv1.3 here:

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvf81830

Its status is still marked "Open" as of the current moment. I would suggest subscribing for any changes regarding it.

Thanks. I subscribed.

Do you happen to know where I can find additional information regarding a timeline for TLSv1.3? The release notes of AsyncOS 14 don't offer any clue. All that I found (using: https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa14-0/Open_Source_Used_in_AsyncOS_14-0_for_Cisco_Secure_Email_Gateway.pdf) is that this version ships with OpenSSL 1.0.2r (as a maximum version) and that for TLSv1.3 to be supported a minimum version of 1.1.1 is needed.

svgeorgi
Cisco Employee

Unfortunately, cannot share any timelines or roadmaps for future releases of AsyncOS.

It's mid-year 2021 and still no TLS 1.3 support? No date? No plans? Really?

Hello Sascha,

I don't have an available date to share at this stage; however, I can see internally it is on the roadmap for implementation. Once we have confirmation of a commit date, I will strive to share more details. At the moment it is on the agenda; I just cannot share when at this point.

Thank you,

Mathew