IronPort Message Gateway - TLS Outbound Ciphers

compton18
Level 1

Bear with me here, I'm learning as I go...

We are currently running our outgoing cipher as: AES256-SHA, due to a requirement with a receiving party. We occasionally have an issue sending mail to a few other domains, where we have found that disabling TLS fixes the issue. I have been unable to get in touch with the right people on the receiving end when this problem occurs to see if they have this cipher available. It appears that if they don't have it, TLS would fail, based on this article http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117855-technote-esa-00.html, as we have to have a matching cipher in order to send mail over TLS.

Is there a way to remotely find out what ciphers are available on a remote server? I have tried www.checktls.com, but I would assume this negotiates and reports what it can use or negotiate, not what is available for me to compare to.

It also looks like I can run multiple ciphers in a specified order, but I can't follow the CLI guide; it basically says pick one of the following, which does not line up with the AES256-SHA setting that is in use... How would I use AES256-SHA as the primary for my requirement, and what other ones should I run that most platforms have and can negotiate with?

In SSLCONFIG I only see the following options when configuring the outgoing cipher; I don't see the one I am currently using or what I can potentially use:

1. SSL v2
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1

I also don't understand why, if TLS cannot agree on a cipher, it would not revert to no TLS. My default destination control for TLS support is "Preferred", not required, and would have applied to the few domains that I had to disable it for.

18 Replies

Hello,

We are using a Cisco ASA C370 appliance with OS 10.0.2. Need information on how to increase the cipher strength to the next level. Any suggestion will be appreciated.

version=TLSv1.2 cipher=RC4-SHA bits=128 verify=NOT

Hello,

The posts above within this thread go over exactly what you're asking regarding modifying the cipher strength. I would recommend going over them and testing different cipher strings to fit your needs.

Thanks!

-Dennis M.

We recently got "caught" on this. We had our ciphers too strong and we were not able to communicate with another sender, who happened also to be using a Cisco ESA. After some discussions on the forums and Remote Access, we were able to determine the best cipher to use, which I believe is the recommended one by Cisco:

MEDIUM:HIGH:-SSLv2:-EXPORT:-aNULL:@STRENGTH

Since changing to that, we have had zero problems with anyone set to "Required" TLS.

Hope this helps.

Doug

I'm not sure that string protects you against the more recent vulnerabilities, though, does it?
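The ESA cipher setting is an OpenSSL cipher string, so the two questions raised in the thread (why a single cipher such as AES256-SHA fails against a domain that does not offer it, and what the string MEDIUM:HIGH:-SSLv2:-EXPORT:-aNULL:@STRENGTH actually selects) can be answered offline by expanding the string with OpenSSL itself. The script below is an added example written for this page, not code from the thread or from Cisco; it uses Python's ssl module to expand a cipher string into the suites OpenSSL would offer, checks a required cipher against it, flags suites now considered legacy (RC4, which RFC 7465 prohibits for TLS, and 3DES with its 64-bit block), and intersects the local list with a remote MTA's list. The remote list REMOTE_MTA_SUITES is constructed for the example; the exact suites returned depend on the OpenSSL build Python is linked against.

```python
import ssl

# Cipher string posted in Doug's reply and the single cipher the original
# poster runs today.
THREAD_CIPHER_STRING = "MEDIUM:HIGH:-SSLv2:-EXPORT:-aNULL:@STRENGTH"
OP_CIPHER = "AES256-SHA"

# Constructed sample of what a remote MTA might advertise (not a real host):
# a typical site that never enabled AES256-SHA at all.
REMOTE_MTA_SUITES = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA"]

# Substrings that mark suites a current deployment should avoid.  "RC4" and
# "DES-CBC3" are the tokens OpenSSL uses in suite names for RC4 and 3DES.
LEGACY_MARKERS = ("RC4", "DES-CBC3")


def expand_cipher_string(cipher_string):
    """Return the pre-TLS1.3 suites an OpenSSL cipher string selects, in the
    order OpenSSL would offer them (so @STRENGTH ordering is visible)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately in OpenSSL and are not
    # governed by this string, so keep them out of the comparison.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def cipher_permitted(cipher_string, cipher_name):
    """True if the string still allows the suite a partner insists on."""
    return any(c["name"] == cipher_name for c in expand_cipher_string(cipher_string))


def legacy_suites(cipher_string):
    """Suites in the expansion that match LEGACY_MARKERS (build-dependent:
    many OpenSSL builds no longer compile RC4 at all)."""
    return [c["name"] for c in expand_cipher_string(cipher_string)
            if any(m in c["name"] for m in LEGACY_MARKERS)]


def is_strength_sorted(suites):
    """Check that @STRENGTH produced a non-increasing key-strength order."""
    bits = [c["strength_bits"] for c in suites]
    return all(a >= b for a, b in zip(bits, bits[1:]))


def common_suites(local_string, remote_names):
    """Suites from the local string that the remote side also offers.  An
    empty list is the situation the original poster hit: no common suite,
    the handshake fails, and a 'Preferred' policy does not retry in clear."""
    remote = set(remote_names)
    return [c["name"] for c in expand_cipher_string(local_string)
            if c["name"] in remote]


if __name__ == "__main__":
    print("single cipher vs sample remote:", common_suites(OP_CIPHER, REMOTE_MTA_SUITES))
    print("thread string vs sample remote:", common_suites(THREAD_CIPHER_STRING, REMOTE_MTA_SUITES))
    print("AES256-SHA still permitted:", cipher_permitted(THREAD_CIPHER_STRING, OP_CIPHER))
    print("legacy suites in thread string:", legacy_suites(THREAD_CIPHER_STRING))
    for c in expand_cipher_string(THREAD_CIPHER_STRING):
        print(f"{c['strength_bits']:>4}  {c['protocol']:<7}  {c['name']}")
```

To learn what a specific remote MTA accepts (the part of the question www.checktls.com does not answer), the same suite names can be tried one at a time with `openssl s_client -starttls smtp -connect mx.example.com:25 -cipher NAME` (placeholder host) and the successes fed into common_suites in place of the constructed list.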