Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
11644
Views
0
Helpful
21
Replies

Scan revealed weak ssl cipher.

Go to solution
jsalgado2001
Level 1
Level 1

‎02-08-2016 07:37 AM

I'm new to these ESAs C170s and one of our guys ran a scan and it came up with "SSL weak cipher vulnerability".

Looking in the GUI under System Administration > SSL Configuration I see SSL v3 enabled.

Also via the CLI:

sslconfig settings:
GUI HTTPS method: sslv3tlsv1/tlsv1.2
GUI HTTPS ciphers:
RC4-SHA
RC4-MD5
ALL
-aNULL
-EXPORT
Inbound SMTP method: sslv3tlsv1/tlsv1.2
Inbound SMTP ciphers:
RC4-SHA
RC4-MD5
ALL
-aNULL
-EXPORT
Outbound SMTP method: sslv3tlsv1/tlsv1.2
Outbound SMTP ciphers:
RC4-SHA
RC4-MD5
ALL
-aNULL
-EXPORT

So it looks like these are the default settings of the C170.  I've come across numerous articles that state SSL v3 should be disabled and only to run the following to set all three interfaces, (GUI HTTPS, Inbound SMTP:, Outbound SMTP):

MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:
-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA

Per the tech note here:
http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/117855-technote-esa-00.html

So since I'm new to this, I'm assuming I can uncheck SSL v3 in the GUI interface and also just put in the string in the GUI interface for all 3 SSL Ciphers to use: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA

So in the end my config should look like this screenshot?
http://www.cisco.com/c/dam/en/us/support/docs/security/email-security-appliance/117864-configure-esa-02.png

Any risk of disabling SSL v3 and adding the above cipher command as shown exactly like the screenshot above?

Labels:
0 Helpful
21 Replies 21

Go to solution
Doug Maxfield
Level 1
Level 1
In response to Doug Maxfield

‎03-23-2016 02:07 PM

Just an update.  We had to add back in :DES on our Outbound SMTP.  Had a mail server that we could not sent to and they wouldn't check their ciphers.  What security cipher impact will I have by allowing DES again.

Thanks,

Doug

0 Helpful

Go to solution
jsalgado2001
Level 1
Level 1
In response to Doug Maxfield

‎03-24-2016 12:37 PM

I've had 4 external companies I've had to work with now due to "no shared cipher" problems.  Most all of them were running Exchange 2007 on Server 2003.  

Having them run this patch will enable them to handshake using AES128-SHA or AES256-SHA

https://support.microsoft.com/en-us/kb/948963

I'm seeing the following when they send to my Gmail account:

version=TLS1 cipher=DES-CBC3-SHA bits=112/168
0 Helpful

Go to solution
Doug Maxfield
Level 1
Level 1
In response to jsalgado2001

‎03-24-2016 12:49 PM

I'll give that a shot.  Not sure of what the other system is running.  The person I'm dealing with is "hell bent" on it's a Cisco problem not be able to "train down" from TLS1.2 to TLSv1.  Tried to explain many times that it was a cipher problem, but got the typical "My system, my rule" game.

0 Helpful

Go to solution
jsalgado2001
Level 1
Level 1
In response to Doug Maxfield

‎03-25-2016 05:05 AM

Normally what I've been doing is grepping the ip address and then doing a grep on the icid and it will show a "no shared cipher" error.  I take a sceenshot and email it to them.  Most of the time that works.

0 Helpful

Go to solution
Doug Maxfield
Level 1
Level 1
In response to jsalgado2001

‎03-25-2016 05:40 AM

The error that I was seeing in my logs was "Network Error".  As soon as I put in 3DES in my ciphers, I was able to send TLS to them.  I don't want to have 3DES in the cipher as the one that I was using was very secure.  Just trying to find out the impact of have 3DES on.

0 Helpful

Go to solution
jsalgado2001
Level 1
Level 1
In response to Doug Maxfield

‎03-25-2016 05:56 AM

I did see those errors as well but also saw the "no shared cipher" error.  I'm a cipher newb and don't know much about all this stuff.  Still learning.

SSLLabs has a document and it states:

3DES provides about 112 bits of security. This is below the recommended minimum of 128 bits, but it’s still strong enough. A bigger practical problem is that 3DES is much slower than the alternatives. Thus, we don’t recommend it for performance reasons, but it can be kept at the end of the cipher list for interoperability with very old clients.

0 Helpful

Go to solution
Doug Maxfield
Level 1
Level 1
In response to jsalgado2001

‎03-25-2016 06:10 AM

Thanks for the info.  No expert on ciphers either.  I know that I was able to pass our PCI testing with the ciphers that I posted here.  Not sure now what's going to happen on the next scan.  Probably have to create an exception, which sucks.

I have it at the end of my allowed ciphers, but until this other site upgrades the mail product so that it supports TLS1.2 or better ciphers, I guess I'm stuck having 3DES for now.

0 Helpful
Customers Also Viewed These Support Documents