09-29-2022 02:06 AM
Hello all,
We have to comply with the standards of internet.nl and have to configure ESA for this. (For more information about internet.nl, see this post: https://community.cisco.com/t5/email-security/esa-internet-nl-cipher-string/td-p/4540206).
At the moment we have configured the ciphers as follows:
inbound: AES128:AES256:!SRP:!AESGCM+DH+aRSA:!aNULL:!kRSA:@STRENGTH:-aNULL:-EXPORT:-IDEA:!DH
outbound: AES128:AES256:!SRP:!AESGCM+DH+aRSA:!aNULL:!kRSA:@STRENGTH:-aNULL:-EXPORT:-IDEA
The difference between both is that for outbound we need more ciphers for the communication between the Cisco systems. When we use "!DH" in the outbound ciphers, communication between the systems does not function.
To my question: we have to re-configure the ciphers, because the current configuration is too strict. I have to add more ciphers. I have figured out which strings we have to use:
inbound: AES128:AES256:!SRP:!SSLv3:!aNULL:!kRSA:@STRENGTH:-EXPORT:-IDEA
outbound: AES128:AES256:!SRP:!SSLv3:!aNULL:!kRSA:@STRENGTH:-EXPORT:-IDEA:!DSS
As you see, I have excluded the SSLv3 ciphers, because for the mail communication we only use TLSv1.2. With the new configuration we have some additional ciphers that can be used, but I am not sure if this breaks something in the communication between the Cisco systems. Does any of you know if the SSLv3 ciphers are necessary?
Kind regards,
Arjan
09-29-2022 06:52 AM
10-04-2022 05:20 AM
Hi Ken,
Thanks for your reply. The SSLv3 ciphers are in use right now; it is correct that you see this when you verify the string. I'm trying to figure out if this is necessary. Otherwise I want to exclude these ciphers.
With the current string we only have ECDHE ciphers, but we see that some connections are not accepted because the other side is using DH ciphers. With the new string we add some of the DH ciphers.
10-04-2022 06:27 AM
10-06-2022 06:56 AM
Actually, I don't want to use the SSLv3 ciphers for the mail communication. But when the ESA was configured for us, there was an issue with communication between the Cisco ESA and SMA. The ciphers were configured as they are now. So I don't know if SSLv3 is mandatory for the Cisco communication.
10-03-2022 05:58 AM
Arjan, for a customer of ours we have a 100% score on internet.nl. We use the following cipher settings for them:
Inbound SMTP:
Methods: TLS v1.2
SSL Cipher(s) to use: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256@STRENGTH:-aNULL:-EXPORT:-IDEA
TLS Renegotiation: Disabled
Outbound SMTP:
Methods: TLS v1.2
SSL Cipher(s) to use: HIGH:-SSLv2:-aNULL:!RC4:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA:-AES256-GCM-SHA384:-AES256-SHA256:-AES256-SHA:-EXPORT:-IDEA
10-04-2022 05:22 AM
Hello Henk,
Thanks for your reply. Right now we only have ECDHE ciphers and a score of 100% on internet.nl. The 'problem' is that not all connections are accepted, because the other side is using DH ciphers.
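The question running through this thread (which suites a given string actually selects, whether the current inbound string is ECDHE-only, what the proposed string adds, and how Henk's explicit list compares) can be answered offline by letting OpenSSL expand each string. The script below is an added example, not code from the thread, from Cisco or from the ESA: it uses Python's ssl module against the local OpenSSL, parses the Kx/Au/Enc/Mac columns that openssl ciphers -v prints, and diffs Arjan's current and proposed inbound strings. Henk's inbound string is used with a ':' inserted before @STRENGTH, on the assumption that the missing separator in the post is a transcription slip. One caveat a practitioner should keep in mind: the expansion depends on the OpenSSL version doing it. OpenSSL 1.0.2 reports every suite that is not TLS 1.2-specific as "SSLv3" (which is why a cipher check on the ESA shows "SSLv3 ciphers" for the SHA-1 CBC suites), while 1.1.0 and later label those suites by their real minimum version, so the SSLv3 alias matches a different set there. The authoritative check is therefore the one done on the appliance itself; this script shows the method and the reasoning.

```python
import re
import ssl

# Cipher strings as quoted in the thread (Arjan's current and proposed inbound).
CURRENT_INBOUND = "AES128:AES256:!SRP:!AESGCM+DH+aRSA:!aNULL:!kRSA:@STRENGTH:-aNULL:-EXPORT:-IDEA:!DH"
PROPOSED_INBOUND = "AES128:AES256:!SRP:!SSLv3:!aNULL:!kRSA:@STRENGTH:-EXPORT:-IDEA"
# Henk's inbound allow-list; the ':' before @STRENGTH is assumed (missing in the post).
HENK_INBOUND = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:@STRENGTH:-aNULL:-EXPORT:-IDEA"
)

# Matches the "Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD" columns of a cipher description.
_FIELD = re.compile(r"(\w+)=(\S+)")


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites the local OpenSSL selects for
    cipher_string, in OpenSSL's preference order, as dicts with
    name/protocol/kx/au/enc/mac. Raises ssl.SSLError if nothing matches."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    suites = []
    for c in ctx.get_ciphers():
        # TLS 1.3 suites are always listed regardless of the string; the thread
        # is about the TLS 1.2 list, so leave them out of the comparison.
        if c["protocol"] == "TLSv1.3":
            continue
        fields = dict(_FIELD.findall(c["description"]))
        suites.append({
            "name": c["name"],
            "protocol": c["protocol"],   # minimum protocol as reported by OpenSSL
            "kx": fields.get("Kx", "?"),
            "au": fields.get("Au", "?"),
            "enc": fields.get("Enc", "?"),
            "mac": fields.get("Mac", "?"),
        })
    return suites


def names(suites):
    return [s["name"] for s in suites]


def offers_dh(suites):
    """True if any finite-field DH (DHE) suite is selected; these are the ones
    the peers in the thread need and the current '!DH' string removes."""
    return any(s["kx"] == "DH" for s in suites)


def non_tls12_suites(suites):
    """Suites not restricted to TLS 1.2 (the SHA-1 CBC suites that an older
    OpenSSL prints as SSLv3 and that the '!SSLv3' alias is meant to drop)."""
    return [s["name"] for s in suites if s["protocol"] != "TLSv1.2"]


def compare(old_string, new_string):
    """Suites gained and lost when replacing old_string with new_string."""
    old, new = names(expand(old_string)), names(expand(new_string))
    return {
        "added": [n for n in new if n not in old],
        "removed": [n for n in old if n not in new],
    }


if __name__ == "__main__":
    print("local OpenSSL:", ssl.OPENSSL_VERSION)
    for label, s in [("current inbound", CURRENT_INBOUND),
                     ("proposed inbound", PROPOSED_INBOUND),
                     ("Henk's inbound", HENK_INBOUND)]:
        suites = expand(s)
        print(f"\n{label}: {len(suites)} suites, DH offered: {offers_dh(suites)}, "
              f"not TLS1.2-only: {len(non_tls12_suites(suites))}")
        for t in suites:
            print(f"  {t['name']:<32} {t['protocol']:<8} Kx={t['kx']:<5} "
                  f"Au={t['au']:<6} Enc={t['enc']:<14} Mac={t['mac']}")
    diff = compare(CURRENT_INBOUND, PROPOSED_INBOUND)
    print("\nadded by the proposed string:  ", ", ".join(diff["added"]) or "none")
    print("removed by the proposed string:", ", ".join(diff["removed"]) or "none")
```

Run it on the host whose OpenSSL is closest to the appliance's and read the "not TLS1.2-only" column together with the Kx column: the current string yields only Kx=ECDH suites (hence the rejected connections from DH-only peers), the proposed string adds the DHE-RSA suites while still excluding static RSA key exchange (!kRSA), and Henk's list is an explicit ECDHE-only allow-list with no DH at all.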