ESA ciphers and SSLv3

Hello all,

We have to comply with the standards of internet.nl and have to configure ESA for this. (For more information about internet.nl see this post: https://community.cisco.com/t5/email-security/esa-internet-nl-cipher-string/td-p/4540206).

At the moment we have configured the ciphers as follows:
inbound: AES128:AES256:!SRP:!AESGCM+DH+aRSA:!aNULL:!kRSA:@STRENGTH:-aNULL:-EXPORT:-IDEA:!DH
outbound: AES128:AES256:!SRP:!AESGCM+DH+aRSA:!aNULL:!kRSA:@STRENGTH:-aNULL:-EXPORT:-IDEA

The difference between both is that for outbound we need more ciphers for the communication between the Cisco-systems. When we use "!DH" with the outbound-ciphers, communication between systems is not functioning.

To my question: we have to re-configure the ciphers, because the current configuration is too strict. I have to add more ciphers. I have figured out which string we have to use:
inbound: AES128:AES256:!SRP:!SSLv3:!aNULL:!kRSA:@STRENGTH:-EXPORT:-IDEA
outbound: AES128:AES256:!SRP:!SSLv3:!aNULL:!kRSA:@STRENGTH:-EXPORT:-IDEA:!DSS

As you see, I have excluded SSLv3 ciphers, because for the mail communication we only use TLSv1.2. With the new configuration we have some additional ciphers that can be used, but I am not sure if this breaks something in the communication between the Cisco systems. Does any of you know if the SSLv3 ciphers are necessary?

Kind regards,
Arjan

6 Replies

If you want to see what ciphers your box is using based on that string, go to the CLI, enter sslconfig, enter verify, paste in your string.
If you're asking if you're required to add !SSLv3, based on what I'm seeing from the verify command you may need it based on what's getting added by the other things you've got in your string.
Looking at the doc, DH is still "sufficient" and "ECDH" is good, so you could take out the !DH, add ECDH?
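Ken's sslconfig verify step can be previewed off the appliance with OpenSSL's own cipher-string parser, using the strings quoted in the question. This is an added example, not from the thread or from Cisco; it needs only Python's standard ssl module, and the suite list it prints comes from the local OpenSSL build, so the appliance's verify output stays authoritative. It also shows the point the question turns on: in an OpenSSL cipher string the SSLv3 keyword selects suites by the protocol version they were first defined for (the older CBC/SHA1 suites such as ECDHE-RSA-AES256-SHA), and those suites are still negotiable under TLS 1.2. !SSLv3 removes them from the list; it neither enables nor disables the SSLv3 protocol, which the Methods setting governs.

```python
import ssl

# Cipher strings quoted from the thread: the current inbound string (with !DH),
# the proposed inbound string (with !SSLv3), and the proposed string with only
# the !SSLv3 keyword removed, to isolate what that keyword takes away.
CURRENT_INBOUND = "AES128:AES256:!SRP:!AESGCM+DH+aRSA:!aNULL:!kRSA:@STRENGTH:-aNULL:-EXPORT:-IDEA:!DH"
PROPOSED_INBOUND = "AES128:AES256:!SRP:!SSLv3:!aNULL:!kRSA:@STRENGTH:-EXPORT:-IDEA"
PROPOSED_NO_SSLV3_KEYWORD = "AES128:AES256:!SRP:!aNULL:!kRSA:@STRENGTH:-EXPORT:-IDEA"


def expand(cipher_string):
    """Expand a cipher string with the local OpenSSL, like 'openssl ciphers -v'.

    Returns (name, protocol, key_exchange, authentication) tuples in preference
    order. 'protocol' is the version a suite was first defined for (SSLv3,
    TLSv1.2, ...), which is exactly what the SSLv3/TLSv1.2 cipher-string
    keywords match on. TLS 1.3 suites are not governed by this string, so they
    are dropped to keep the comparison honest.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [
        (c["name"], c["protocol"], c["kea"], c["auth"])
        for c in ctx.get_ciphers()
        if c["protocol"] != "TLSv1.3"
    ]


def suites_removed_by(with_keyword, without_keyword):
    """Suites the extra keyword excludes: in the second expansion, not the first."""
    kept = {s[0] for s in expand(with_keyword)}
    return [s for s in expand(without_keyword) if s[0] not in kept]


def kx_counts(cipher_string):
    """Count suites per key-exchange method (kx-ecdhe, kx-dhe, kx-rsa, ...)."""
    counts = {}
    for _, _, kx, _ in expand(cipher_string):
        counts[kx] = counts.get(kx, 0) + 1
    return counts


def report(label, cipher_string):
    print(f"== {label}: {cipher_string}")
    for name, proto, kx, auth in expand(cipher_string):
        print(f"  {name:<32} {proto:<8} {kx:<9} {auth}")
    print("  key exchange:", kx_counts(cipher_string))


if __name__ == "__main__":
    report("current inbound", CURRENT_INBOUND)
    report("proposed inbound", PROPOSED_INBOUND)
    print("== suites that !SSLv3 removes from the proposed string:")
    for name, proto, kx, auth in suites_removed_by(PROPOSED_INBOUND, PROPOSED_NO_SSLV3_KEYWORD):
        print(f"  {name:<32} {proto:<8} {kx:<9} {auth}")
```

Run it and compare the "key exchange" lines: the current string has no kx-dhe entries because of !DH, which is why peers that only offer DH suites are rejected, while the proposed string keeps DHE suites and drops only the SSLv3-era CBC suites. Whether the appliance-to-appliance traffic needs one of those dropped suites is what the ESA's verify output and the mail logs have to answer.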

Hi Ken,

Thanks for your reply. The SSLv3 ciphers are in use right now; it is correct that you see this when you verify the string. I'm trying to figure out if this is necessary. Otherwise I want to exclude these ciphers.

With the current string we only have ECDHE ciphers, but we see that some connections are not accepted because the other side is using DH ciphers. With the new string we add some of the DH ciphers.

Right... you want to see if !SSL3 is required, correct?
Take your string, remove the !SSL3, use SSLVERIFY with that string to see what ciphers would be available.
Do you still get DH ciphers... you can probably check your mail logs for mail from the sites you mention that use DH, and check to see if the cipher negotiated was in that list.

Actually, I don't want to use the SSLv3 ciphers for the mail communication. But when the ESA was configured for us, there was an issue with communication between the Cisco ESA and SMA. The ciphers were configured as they are now. So I don't know if SSLv3 is mandatory for the Cisco communication.

Arjan, for a customer of ours we have a 100% score on internet.nl. We use the following Ciphers settings for them:

Inbound SMTP:
Methods: TLS v1.2
SSL Cipher(s) to use: ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256@STRENGTH:-aNULL:-EXPORT:-IDEA
TLS Renegotiation: Disabled

Outbound SMTP:
Methods: TLS v1.2
SSL Cipher(s) to use: HIGH:-SSLv2:-aNULL:!RC4:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA:-AES256-GCM-SHA384:-AES256-SHA256:-AES256-SHA:-EXPORT:-IDEA

Hello Henk,

Thanks for your reply. Right now we only have ECDHE ciphers and a score of 100% on internet.nl. The 'problem' is that not all connections are accepted, because the other side is using DH ciphers.