Setup Cipher security TLSv1.2 GCM

Siebe
Level 1

Hi,


At this moment I'm busy in a test environment setting up an appliance to only use GCM ciphers and TLS v1.2 for in- and outbound SMTP connections.

As a method I configured TLS 1.2. The GCM ciphers are only available in the HIGH category ciphers (checked via SSLconfig -> verify). So the ciphers to use would be: HIGH:-EDCH:-DH:-DH/RSA:-DH/DSS:-RSA:-anull.

Is this correct?

 

How can you verify which ciphers the appliance is supporting via PuTTY or Telnet? The appliance is not connected to the internet at this moment, so I can't use an external source.

2 Replies

Hey Siebe.

 

If you use -EDCH, you'll drop a stack of the GCM ciphers...

-DH/RSA and -DH/DSS aren't valid.

 

You can use OpenSSL to test your cipher string:

openssl ciphers <cipherstring>

 

'openssl ciphers AESGCM' only gets you this list.

TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-DSS-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ADH-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:ADH-AES128-GCM-SHA256:RSA-PSK-AES256-GCM-SHA384:DHE-PSK-AES256-GCM-SHA384:AES256-GCM-SHA384:PSK-AES256-GCM-SHA384:RSA-PSK-AES128-GCM-SHA256:DHE-PSK-AES128-GCM-SHA256:AES128-GCM-SHA256:PSK-AES128-GCM-SHA256

 

Someone from Cisco may need to pipe up with any differences between OpenSSL and Cisco's implementation of SSL.
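As an added example (not code from either reply, and not a Cisco tool), the script below feeds the strings discussed in this thread through a local `openssl ciphers` and summarises what each one selects, so the two points above can be checked on a workstation: the ECDH alias removes every ECDHE-RSA/ECDHE-ECDSA suite including the GCM ones, and a `/` in a rule makes OpenSSL reject the whole string. It assumes an `openssl` binary on the path and reads the poster's `-EDCH` as `-ECDH`; the exact suite list it prints depends on the OpenSSL version.

```shell
#!/bin/sh
# Added example, not code from the thread: run candidate cipher strings through
# OpenSSL's own parser and summarise what each one selects. Assumes a local
# `openssl` binary; the exact suite list depends on the OpenSSL version.

# Expand a cipher string to one suite name per line (fails if OpenSSL rejects it).
expand_ciphers() {
    openssl ciphers "$1" | tr ':' '\n'
}

# Exit 0 if OpenSSL accepts the string, non-zero if it rejects it (e.g. "-DH/RSA").
string_is_valid() {
    openssl ciphers "$1" >/dev/null 2>&1
}

# Number of ECDHE-RSA-* / ECDHE-ECDSA-* suites left in the expansion;
# these are exactly the suites the ECDH alias removes, GCM ones included.
count_ecdhe() {
    expand_ciphers "$1" | grep -c -e '^ECDHE-RSA-' -e '^ECDHE-ECDSA-' || true
}

# Number of suites that are not AEAD (neither GCM nor CHACHA20-POLY1305);
# a "GCM only" policy should give zero here.
count_non_aead() {
    expand_ciphers "$1" | grep -v -e GCM -e CHACHA20 | grep -c . || true
}

# Print a one-line summary for a cipher string.
report() {
    if string_is_valid "$1"; then
        printf '%-44s ECDHE suites: %3s  non-AEAD suites: %3s\n' \
            "$1" "$(count_ecdhe "$1")" "$(count_non_aead "$1")"
    else
        printf '%-44s rejected by OpenSSL\n' "$1"
    fi
}

# The strings discussed in the thread. OpenSSL skips alias names it does not
# know, so the typo "-EDCH" silently removes nothing, while "-DH/RSA" is a
# hard parse error because "/" is not a valid character in a rule.
POSTED_AS_TYPED='HIGH:-EDCH:-DH:-DH/RSA:-DH/DSS:-RSA:-anull'
POSTED_TYPOS_ONLY='HIGH:-EDCH:-DH:-RSA:-anull'
POSTED_INTENDED='HIGH:-ECDH:-DH:-RSA:-aNULL'   # what the poster meant
SUGGESTED='ECDHE+AESGCM'                       # the string suggested in the thread

if command -v openssl >/dev/null 2>&1; then
    for s in "$POSTED_AS_TYPED" "$POSTED_TYPOS_ONLY" "$POSTED_INTENDED" "$SUGGESTED"; do
        report "$s"
    done
    echo
    openssl ciphers -v "$SUGGESTED"    # per-suite detail: Kx, Au, Enc, Mac
else
    echo 'openssl not found; nothing to run' >&2
fi
```

The "typos only" line is the one worth a second look when building a policy string: because unrecognised aliases are skipped rather than rejected, `-EDCH` and `-anull` leave the ECDHE and anonymous suites in place without any error, so always expand the final string with `openssl ciphers -v` and read the Kx column rather than trusting that the string was accepted.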

 

 

pverberne
Level 1

Hi Siebe,

 

To only use GCM-based ciphers you could configure something like ECDHE+AESGCM.

You can use openssl (openssl ciphers -V 'ECDHE+AESGCM') to check what ciphers are selected. Be careful though ... different versions of openssl produce different results, so better stick as close to the openssl version that is used on the ESA as possible.

 

If you want to check a "live" system for ciphers used, even when not connected to the internet, you can use testssl.sh (https://testssl.sh/) on a local machine. You would execute a command similar to the following example to see what ciphers are being used by the ESA box: ./testssl.sh --starttls smtp smtp.youresa.demo:25

 

Cheers!
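Added example, not part of pverberne's reply and not a Cisco tool: a plain-`openssl` alternative to testssl.sh for the poster's situation, where the appliance sits on an isolated network. It offers an SMTP listener one TLS 1.2 suite at a time over STARTTLS and lists the suites the server accepts, which is the same enumeration testssl.sh performs. It assumes a local `openssl` binary and uses the hypothetical host smtp.youresa.demo from the reply as its default; nothing in it needs Internet access.

```shell
#!/bin/sh
# Added example, not from the thread: enumerate the TLS 1.2 cipher suites an
# SMTP listener accepts after STARTTLS, using only a local `openssl` binary.
# smtp.youresa.demo and port 25 are placeholders from the reply above.
# Usage: sh probe_smtp_ciphers.sh smtp.youresa.demo 25

# Pull the negotiated cipher name out of s_client output ("Cipher    : NAME").
# Prints nothing for a failed handshake, where OpenSSL reports 0000.
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *\([^ ]*\).*/\1/p' | grep -v '^0000$' | head -n 1
}

# Pull the negotiated protocol version out of s_client output ("Protocol  : TLSv1.2").
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1
}

# Offer exactly one suite over STARTTLS; print "SUITE PROTOCOL" if the server
# accepted it, nothing otherwise. One TCP connection per call.
probe_cipher() {
    host=$1; port=$2; suite=$3
    out=$(openssl s_client -connect "$host:$port" -starttls smtp -tls1_2 \
              -cipher "$suite" </dev/null 2>/dev/null || true)
    got=$(printf '%s\n' "$out" | negotiated_cipher)
    if [ -n "$got" ]; then
        printf '%s %s\n' "$got" "$(printf '%s\n' "$out" | negotiated_protocol)"
    fi
}

# Candidate suites: everything the local OpenSSL knows for TLS 1.2 and below.
# TLS 1.3 suites (TLS_*) are negotiated separately and are skipped here.
candidate_suites() {
    openssl ciphers 'ALL:COMPLEMENTOFALL' | tr ':' '\n' | grep -v '^TLS_' || true
}

# Walk the candidates and print only the accepted ones.
enumerate_accepted() {
    candidate_suites | while read -r suite; do
        probe_cipher "$1" "$2" "$suite"
    done
}

if [ "$#" -ge 1 ]; then
    enumerate_accepted "$1" "${2:-25}"
fi
```

Each probe is a separate STARTTLS handshake, so the run is slow and shows up clearly in the appliance's mail logs; that is acceptable on a test box. Because the client only offers one suite per connection, an accepted line means the server really negotiated that suite, and a policy of "TLS 1.2 with GCM only" is confirmed when every printed line is a GCM suite and a re-run with `-tls1_1` in place of `-tls1_2` prints nothing. The candidate list is limited to what the local OpenSSL build supports, which is the same caveat as with `openssl ciphers` in the reply above.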