cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
782
Views
0
Helpful
1
Replies

Question regarding TLS Version on IronPort

Hello dear support,

We have an Email Security Appliance on version 9.7 with TLS encryption activate for outbound/inbound emails. We see that the device accepts all versions of TLS including tls 1.0 which is a version identified as problematicall.

I see on System Administration > SSL configuration and on cli sslconfig command only appears as available tls1/1.2

I can check on appliance with upper versions it appears the same.

Are there any form of not use TLS 1.0 on encryption negotiations?

Regards,

Aitor

Everyone's tags (1)
1 REPLY 1
Cisco Employee

Hi Aitor,

Hi Aitor,

TLSv1 uses SSLv3 ciphers while TLSv1.2 has its own set of ciphers.

To ensure usage of TLSv1.2, all you would need to do is disable SSLv3 ciphers by adding -SSLv3 or !SSLv3 to the existing cipher string.

You can also upgrade to Async OS 10 to manage TLSv1 separately.

From the release notes for 10.0:

Prior to this release, the supported methods were TLS v1/TLS v1.2, SSL v3, and SSL v2.

After upgrading to this release, the supported methods are:

• TLS v1.1

• TLS v1.2

• TLS v1.0

• SSL v3

• SSL v2

Keep in mind that,

• You cannot enable SSL v2 and TLS v1 methods simultaneously. However, you can enable these methods in conjunction with SSL v3 method.

• You cannot enable TLS v1.0 and v1.1 methods simultaneously. However, you can enable these methods in conjunction with TLS v1.2 method.

Thanks!

Libin V