Reg. SSL configuration in ESA

Refer to the SSL config settings below (sample):

 

sslconfig settings:

GUI HTTPS method: tlsv1/tlsv1.2
GUI HTTPS ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:!RC4:@STRENGTH:-EXPORT

Inbound SMTP method: tlsv1/tlsv1.2
Inbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:!RC4:@STRENGTH:-EXPORT

Outbound SMTP method: tlsv1/tlsv1.2
Outbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:!RC4:@STRENGTH:-EXPORT

Queries:

  1. We want to know all the ciphers we are actually using.
  2. What is the meaning of -, !, and @ in the entries below?

-aNULL
!RC4
@STRENGTH
-EXPORT




The list of ciphers is documented here:

https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

 

 

You're using the HIGH and MEDIUM lists, with SSLv2, RC4 and aNULL removed, sorted by "strength" (bit length), and then with the EXPORT set removed.

 

The "-" says remove this cipher set.

The "!" says remove this cipher set and don't let something re-add it down the line.

So if someone wrote a string like this:

TLS1:-aNULL:TLS1.2

you would get TLS_RSA_WITH_NULL_SHA256 in the final list of possible ciphers.

With a !aNULL, you wouldn't.

 

 

 

 

 

Thanks...
Could you please explain a little bit more about:
The "-" says remove this cipher set.
The "!" says remove this cipher set and don't let something re-add it down the line.
And EXPORT once more.

There are overlaps in the cipher sets. For example, some SSL3 cipher sets are in the TLS1.0 set.

If you used

-SSL3:TLS1.0

some SSL3 ciphers would be re-added to the final set.

!SSL3:TLS1.0

wouldn't let those SSL3 strings get re-added.
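To make the two answers above concrete (the "-" versus "!" rule in the first reply, and the overlapping-keyword re-add in the accepted answer), here is an added example that is not part of the thread and is neither OpenSSL's nor the ESA's own code. It models the way OpenSSL evaluates a cipher-list string, as described in ciphers(1), over a hand-built subset of the cipher table, then runs the sample string from the question through it. The cipher names and keyword categories follow the ciphers(1) man page, but the table is a constructed subset and the bit counts and tags are assumptions for illustration; use the real tool for a real system.

```python
"""
Toy model of how OpenSSL evaluates a cipher-list string (see ciphers(1)):
  WORD        add every matching cipher not already in the list (appended at the end)
  -WORD       remove matching ciphers, but a later WORD may add them back
  !WORD       remove matching ciphers permanently; nothing later can re-add them
  +WORD       move matching ciphers to the end of the current list
  @STRENGTH   sort the current list by key length, strongest first
  A+B         a cipher must match both A and B
Assumption: this is an added illustration with a hand-built subset of cipher
names and keywords; it is not OpenSSL and not the ESA's sslconfig code.
"""
from typing import List, Set, Tuple

# Constructed subset of the OpenSSL cipher table: (name, key bits, keywords).
# Keywords follow ciphers(1): HIGH/MEDIUM/LOW/EXPORT (strength), SSLv2/SSLv3/
# TLSv1.2 (protocol), aNULL (no authentication), eNULL (no encryption), RC4/AES.
CIPHER_TABLE: List[Tuple[str, int, Set[str]]] = [
    ("AES256-GCM-SHA384",           256, {"HIGH", "TLSv1.2", "AES", "aRSA"}),
    ("ECDHE-RSA-AES128-GCM-SHA256", 128, {"HIGH", "TLSv1.2", "AES", "aRSA"}),
    ("AES128-SHA",                  128, {"HIGH", "SSLv3", "AES", "aRSA"}),
    ("ADH-AES128-SHA",              128, {"HIGH", "SSLv3", "AES", "aNULL"}),
    ("AECDH-AES256-SHA",            256, {"HIGH", "SSLv3", "AES", "aNULL"}),
    ("DES-CBC3-MD5",                168, {"HIGH", "SSLv2", "3DES", "aRSA"}),
    ("RC4-SHA",                     128, {"MEDIUM", "SSLv3", "RC4", "aRSA"}),
    ("RC4-MD5",                     128, {"MEDIUM", "SSLv3", "RC4", "aRSA"}),
    ("DES-CBC-SHA",                  56, {"LOW", "SSLv3", "DES", "aRSA"}),
    ("EXP-RC4-MD5",                  40, {"EXPORT", "SSLv3", "RC4", "aRSA"}),
    ("NULL-SHA256",                   0, {"eNULL", "TLSv1.2", "aRSA"}),
]
BITS = {name: bits for name, bits, _ in CIPHER_TABLE}
TAGS = {name: tags for name, _, tags in CIPHER_TABLE}


def matches(name: str, word: str) -> bool:
    """A word like 'HIGH' or 'aRSA+AES' matches when every '+' part matches.
    'ALL' is every cipher that encrypts (eNULL excluded), as in OpenSSL."""
    for part in word.split("+"):
        if part == "ALL":
            if "eNULL" in TAGS[name]:
                return False
        elif part != name and part not in TAGS[name]:
            return False
    return True


def expand(cipher_string: str) -> List[str]:
    """Return the ordered cipher list that the cipher string selects."""
    selected: List[str] = []
    killed: Set[str] = set()          # ciphers hit by '!' can never come back
    for word in cipher_string.split(":"):
        if not word:
            continue
        if word == "@STRENGTH":
            selected.sort(key=lambda n: BITS[n], reverse=True)  # stable sort
            continue
        op, word = (word[0], word[1:]) if word[0] in "-!+" else ("", word)
        hits = [n for n, _, _ in CIPHER_TABLE if matches(n, word)]
        if op == "-":                 # drop now; a later overlapping word may re-add
            selected = [n for n in selected if n not in hits]
        elif op == "!":               # drop and block any later re-add
            killed.update(hits)
            selected = [n for n in selected if n not in hits]
        elif op == "+":               # move matches to the end, keep their order
            selected = ([n for n in selected if n not in hits]
                        + [n for n in selected if n in hits])
        else:                         # plain word: append new, unkilled matches
            selected += [n for n in hits if n not in selected and n not in killed]
    return selected


if __name__ == "__main__":
    esa_string = "MEDIUM:HIGH:-SSLv2:-aNULL:!RC4:@STRENGTH:-EXPORT"
    print(esa_string, "->", expand(esa_string))
    # '-' lets an overlapping keyword (AES) bring the anonymous ADH/AECDH suites
    # back; '!' does not.
    print("HIGH:-aNULL:AES ->", expand("HIGH:-aNULL:AES"))
    print("HIGH:!aNULL:AES ->", expand("HIGH:!aNULL:AES"))
```

The second and third calls show the re-add behaviour the accepted answer describes: `HIGH:-aNULL:AES` ends with the anonymous `ADH-AES128-SHA` and `AECDH-AES256-SHA` suites back in the list because the `AES` keyword overlaps `aNULL`, while `HIGH:!aNULL:AES` never gets them back. Note that the cipher string only filters suites; which protocol versions are offered comes from the separate "method" setting shown in the question. On a real host the equivalent check is `openssl ciphers -v '<string>'`, and on the ESA itself the `sslconfig` > `verify` command mentioned later in the thread.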

If you go to the ESA command line, Enter "sslconfig" then "verify", and paste in your string, it will print out the ciphers that it will use.

 

If you need to check a specific email conversation, the mail tracking log will show you what got negotiated for that specific email. 

 

Thanks