Force PFS in a TLS Communication (PFS only)

I want to force every TLS communication with PFS.

Is it correct to use only EDH+<cipher or cipher group name> as the cipher for my plan?

https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/200169-Configure-ESA-to-prefer-Perfect-Forward.html

The ESA supports these ciphers with the default sslconfig settings (:ALL), but does not prefer them. If you want to prefer ciphers that offer PFS, you need to change your sslconfig and add EDH or a combination EDH+<cipher or cipher group name> to your cipher selection.

dmccabej
Cisco Employee

Hello,

The article you shared is correct and provides some detailed steps on how to set up your cipher string(s).

I would say that most will need to be very careful about limiting the ESA to only a small subset of available ciphers for TLS communication, since certain ciphers may not be widely adopted.

I would personally probably set up the cipher string to instead prefer/offer the PFS-type ciphers first, but still include other highly secure ciphers, and then let the other end decide on which to use.

Once you maybe put that into practice and test for a few weeks, you can search through the logs to see what type of ciphers are still being used for TLS communication, and if you need to keep any.

Thanks!

-Dennis M.
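A way to act on the last step of that answer (checking the logs for which suites are still being negotiated), as an added example that is not part of the original post or of any Cisco tooling: it classifies handshake log lines by key exchange so the non-PFS connections stand out. The log line layout, the connection ids and the PFS-first cipher string are assumptions constructed for this example.

```python
import re
from collections import Counter

# Illustrative OpenSSL-syntax string in the spirit of the answer: PFS suites first,
# other strong suites kept as fallback. An assumption for this example, not a Cisco
# recommendation; check the linked article for the syntax ESA sslconfig accepts.
PFS_PREFERRED_CIPHERS = "EECDH+HIGH:EDH+HIGH:HIGH:!aNULL:!eNULL:!MD5:!RC4"

# Constructed sample lines loosely modelled on ESA mail_logs TLS entries; the exact
# field layout on a real appliance is an assumption and may differ.
SAMPLE_LOG = """\
Mon Mar  4 10:01:02 2024 Info: DCID 1001 TLS success protocol TLSv1.2 cipher ECDHE-RSA-AES256-GCM-SHA384
Mon Mar  4 10:01:09 2024 Info: ICID 2002 TLS success protocol TLSv1.2 cipher AES256-SHA256
Mon Mar  4 10:02:11 2024 Info: DCID 1003 TLS success protocol TLSv1.2 cipher DHE-RSA-AES128-GCM-SHA256
Mon Mar  4 10:02:40 2024 Info: ICID 2004 TLS success protocol TLSv1.3 cipher TLS_AES_256_GCM_SHA384
Mon Mar  4 10:03:30 2024 Info: ICID 2006 TLS success protocol TLSv1.0 cipher AES128-SHA
Mon Mar  4 10:04:00 2024 Info: DCID 1007 TLS failed
"""

TLS_LINE = re.compile(
    r"(?P<conn>[DI]CID \d+) TLS success protocol (?P<proto>\S+) cipher (?P<cipher>\S+)"
)

# OpenSSL suite-name prefixes meaning an ephemeral, authenticated key exchange.
# Anonymous DH (ADH/AECDH) is left out on purpose: no peer authentication.
EPHEMERAL_KX = {"ECDHE", "EECDH", "DHE", "EDH"}


def is_pfs(cipher: str, protocol: str) -> bool:
    """True when the negotiated suite gives forward secrecy."""
    if protocol == "TLSv1.3":
        return True  # every TLS 1.3 suite uses (EC)DHE
    return cipher.split("-", 1)[0] in EPHEMERAL_KX


def summarize(log_text: str) -> dict:
    """Count PFS vs non-PFS handshakes and list connections still on non-PFS suites."""
    counts = Counter()
    non_pfs = []
    for line in log_text.splitlines():
        m = TLS_LINE.search(line)
        if not m:
            continue  # not a successful-handshake line
        if is_pfs(m["cipher"], m["proto"]):
            counts["pfs"] += 1
        else:
            counts["non_pfs"] += 1
            non_pfs.append((m["conn"], m["proto"], m["cipher"]))
    return {"counts": dict(counts), "non_pfs": non_pfs}
```

Run `summarize` over a real export of the mail logs after the PFS-first string has been in place for a while; the `non_pfs` list is the set of peers to decide about before removing the fallback suites.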
