Question regarding TLS Version on IronPort

Hello dear support,

We have an Email Security Appliance on version 9.7 with TLS encryption activated for outbound/inbound emails. We see that the device accepts all versions of TLS, including TLS 1.0, which is a version identified as problematic.

I see that on System Administration > SSL Configuration, and in the CLI sslconfig command, only tls1/1.2 appears as available.

I have checked on appliances with higher versions, and it appears the same.

Is there any way to not use TLS 1.0 in encryption negotiations?

Regards,

Aitor


Libin Varghese
Cisco Employee

Hi Aitor,

TLSv1 uses SSLv3 ciphers while TLSv1.2 has its own set of ciphers.

To ensure usage of TLSv1.2, all you would need to do is disable SSLv3 ciphers by adding -SSLv3 or !SSLv3 to the existing cipher string.

You can also upgrade to Async OS 10 to manage TLSv1 separately.

From the release notes for 10.0:

Prior to this release, the supported methods were TLS v1/TLS v1.2, SSL v3, and SSL v2.

After upgrading to this release, the supported methods are:

• TLS v1.1
• TLS v1.2
• TLS v1.0
• SSL v3
• SSL v2

Keep in mind that:

• You cannot enable SSL v2 and TLS v1 methods simultaneously. However, you can enable these methods in conjunction with SSL v3 method.
• You cannot enable TLS v1.0 and v1.1 methods simultaneously. However, you can enable these methods in conjunction with TLS v1.2 method.

Thanks!

Libin V
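To check what the `!SSLv3` advice in the reply actually leaves negotiable, here is an added Python example (not Cisco's code, and not from this thread). It assumes the appliance's cipher string follows OpenSSL cipher-list syntax, as the reply implies, and that the list being inspected is in the format printed by `openssl ciphers -v`; the sample lines are constructed, and the names `parse_ciphers_v`, `exclude_tag`, `legacy_suites` and `remaining_protocols` are this example's own.

```python
import ssl

# Constructed sample in the format of `openssl ciphers -v` ("<name> <protocol> ...").
# It deliberately mixes the two taggings seen across OpenSSL releases: older
# builds tag every pre-TLS1.2 suite SSLv3, newer ones tag some of them TLSv1.
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
ECDHE-RSA-AES128-SHA        TLSv1   Kx=ECDH Au=RSA Enc=AES(128)    Mac=SHA1
AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
"""

# Protocol tags that mean "this suite can be negotiated below TLS 1.2".
LEGACY_TAGS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1")


def parse_ciphers_v(text):
    """Return [(suite, protocol_tag), ...] from `openssl ciphers -v` style text."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2:
            rows.append((parts[0], parts[1]))
    return rows


def exclude_tag(rows, tag):
    """Model a `!<tag>` cipher-string rule: drop every suite carrying that tag."""
    return [(name, proto) for name, proto in rows if proto != tag]


def legacy_suites(rows):
    """Suites that would still let a peer negotiate below TLS 1.2."""
    return [name for name, proto in rows if proto in LEGACY_TAGS]


def remaining_protocols(cipher_string):
    """Apply cipher_string to the local OpenSSL build and count the surviving
    suites per protocol tag (TLSv1.3 suites are listed regardless, since the
    cipher string does not govern them). None if the local build cannot do it."""
    try:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.set_ciphers(cipher_string)
        counts = {}
        for suite in ctx.get_ciphers():
            counts[suite["protocol"]] = counts.get(suite["protocol"], 0) + 1
        return counts
    except (ssl.SSLError, AttributeError, ValueError):
        return None


if __name__ == "__main__":
    rows = parse_ciphers_v(SAMPLE_CIPHERS_V)
    print("before:", legacy_suites(rows))
    print("after !SSLv3:", legacy_suites(exclude_tag(rows, "SSLv3")))
    print("local OpenSSL, DEFAULT:!SSLv3 ->", remaining_protocols("DEFAULT:!SSLv3"))
```

On newer OpenSSL builds some suites that also work under TLS 1.0 carry the TLSv1 tag rather than SSLv3, so `!SSLv3` alone does not remove them; that is why the check inspects the protocol tags of the surviving suites instead of trusting the keyword.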