
Reg. SSL configuration in ESA

Refer to the SSL config settings below (sample):

sslconfig settings:

  GUI HTTPS method: tlsv1/tlsv1.2
  GUI HTTPS ciphers:
    MEDIUM
    HIGH
    -SSLv2
    -aNULL
    !RC4
    @STRENGTH
    -EXPORT

  Inbound SMTP method: tlsv1/tlsv1.2
  Inbound SMTP ciphers:
    MEDIUM
    HIGH
    -SSLv2
    -aNULL
    !RC4
    @STRENGTH
    -EXPORT

  Outbound SMTP method: tlsv1/tlsv1.2
  Outbound SMTP ciphers:
    MEDIUM
    HIGH
    -SSLv2
    -aNULL
    !RC4
    @STRENGTH
    -EXPORT

Queries:

  1. Want to know which ciphers we are using.
  2. What is the meaning of -, !, @ as mentioned below:

    -aNULL
    !RC4
    @STRENGTH
    -EXPORT

Collaborator

Re: Reg. SSL configuration in ESA

The list of ciphers is documented here:

https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

You're using the list in HIGH and MEDIUM, with SSLv2, RC4 and aNULL removed, sorted by "strength" (bit length), and then the EXPORT set removed.

The "-" says remove this cipher set.

The "!" says remove this cipher set and don't let something re-add it down the line.

So if someone wrote a string like this:

TLS1:-aNULL:TLS1.2

you would get the TLS_RSA_WITH_NULL_SHA256 in the final list of possible ciphers.

With a !aNULL, you wouldn't.

Re: Reg. SSL configuration in ESA

Thanks...
Could you please explain a little bit more about:
The "-" says remove this cipher set.
The "!" says remove this cipher set and don't let something re-add down the line
And EXPORT once.
Collaborator

Re: Reg. SSL configuration in ESA

There are overlaps in the cipher sets. For example, some ssl3 cipher sets are in the tls1.0 set.

If you used

-SSL3:TLS1.0

some SSL3 ciphers would be re-added to the final set.

!SSL3:TLS1.0

wouldn't let those SSL3 strings get re-added.
Collaborator

Re: Reg. SSL configuration in ESA

If you go to the ESA command line, enter "sslconfig" then "verify", and paste in your string, it will print out the ciphers that it will use.

If you need to check a specific email conversation, the mail tracking log will show you what got negotiated for that specific email.
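
To try the same kind of expansion away from the appliance, here is an added example (not part of the original thread) that hands the string from the first post to the local OpenSSL through Python's ssl module and checks how "-", "!" and "@STRENGTH" behave. The suites listed depend on the local OpenSSL build and can differ from what the appliance reports, and the AES128 keyword used for the re-add check is a constructed test value, not taken from the thread.

```python
import ssl

# Cipher string from the sslconfig output in the original post.
PAGE_STRING = "MEDIUM:HIGH:-SSLv2:-aNULL:!RC4:@STRENGTH:-EXPORT"

def expand(cipher_string):
    """Suites the local OpenSSL selects for cipher_string, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []  # the string matched nothing in this OpenSSL build
    # TLS 1.3 suites are not governed by this string, so leave them out.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]

def names(cipher_string):
    return [c["name"] for c in expand(cipher_string)]

def readd_test(base, keyword):
    """Remove keyword from base with '-' and with '!', then name it again.

    Returns the suites of that keyword that end up in each final list.
    """
    group = set(names(keyword))
    soft = [n for n in names(f"{base}:-{keyword}:{keyword}") if n in group]
    hard = [n for n in names(f"{base}:!{keyword}:{keyword}") if n in group]
    return soft, hard

def is_strength_sorted(cipher_string):
    """True if the list is ordered by descending key length, as @STRENGTH asks."""
    bits = [c["strength_bits"] for c in expand(cipher_string)]
    return bits == sorted(bits, reverse=True)

if __name__ == "__main__":
    for c in expand(PAGE_STRING):
        print(f'{c["name"]:34} {c["protocol"]:8} {c["strength_bits"]:4} bits')
    # AES128 is a constructed test keyword that current OpenSSL builds know.
    soft, hard = readd_test("HIGH", "AES128")
    print(f"-AES128 then AES128: {len(soft)} suites back in the list")
    print(f"!AES128 then AES128: {len(hard)} suites back in the list")
    print("sorted by strength:", is_strength_sorted(PAGE_STRING))
```

Keywords the local build does not know (SSLv2, EXPORT and RC4 on many current builds) are skipped by OpenSSL rather than rejected, so the string still loads there.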

 

Re: Reg. SSL configuration in ESA

Thanks