SSL Config Inbound and Outbound TLS ESA 10.0.2

Tony Kilbarger
Level 1

https://supportforums.cisco.com/t5/email-security/scan-revealed-weak-ssl-cipher/td-p/2805757

Looking at this thread from a couple years ago and it has lots of good info on SSL ciphers for TLS.  It even appears Cisco perhaps had a recommended setting to pass security scans. 

I am curious, is there a Cisco recommended Cipher string to use currently?  I understand we'd need to tweak it as required for our use, but something to start with.

Thanks for any input.

5 Replies

That thread you referenced and similar ones in the past couple of years are still your best source...

Start with something like !aNULL:!eNULL:!SSLv2:!SSLv3:!EXP:!RC4:MEDIUM:HIGH:@STRENGTH and turn off whatever else you need to/want to as you can.

Recently I've seen the need to add !DES:!3DES

Thanks Ken.  I am starting the conversation with our security folks now and that helps me get a start.

Hi Robert, this information is really useful. The National Cyber Security Centre (NCSC) has provided guidance on acceptable and non-acceptable cipher suites (see https://www.mailcheck.service.ncsc.gov.uk/app/domain-security/tls-advice or attached). I am trying to configure the correct settings within System Administration > SSL Configuration but am struggling to understand the settings I need to apply to meet this guidance. Please can someone advise or, if not, point me in a direction e.g. user guide etc. that might be able to help.

So, the ESA is basically using a tweaked version of OpenSSL, and the config is using OpenSSL cipher strings. 

Based on your document, something like this:

TLSv1.2:SHA256:SHA384:!MD5:!NULL:!EXPORT:!DES:!3DES:@STRENGTH

might get you close without having to actually spell out that list of ciphers.

https://www.openssl.org/docs/man1.0.2/man1/ciphers.html

download a copy of openssl, run the following command to see what pops out:

openssl ciphers -v 'TLSv1.2:SHA256:SHA384:!MD5:!NULL:!EXPORT:!DES:!3DES:@STRENGTH'
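As an added example (not from this thread, Cisco, or OpenSSL), the script below parses the output of `openssl ciphers -v` and flags every suite that falls outside the rules discussed above (TLSv1.2 only, no aNULL/eNULL, no EXPORT/DES/3DES/RC4, no MD5, SHA256/SHA384 or AEAD only). The sample output embedded in it is constructed, and the live check assumes an `openssl` binary on PATH.

```python
import re
import shutil
import subprocess

# Constructed sample in the format `openssl ciphers -v` prints
# (name, protocol, Kx=, Au=, Enc=, Mac=); not real output.
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES256-SHA256       TLSv1.2 Kx=DH   Au=RSA Enc=AES(256)    Mac=SHA256
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA      SSLv3   Kx=ECDH Au=RSA Enc=3DES(168)   Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=MD5
ECDHE-RSA-NULL-SHA          SSLv3   Kx=ECDH Au=RSA Enc=None        Mac=SHA1
"""

SUITE_RE = re.compile(r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)"
                      r"\s+Au=(?P<au>\S+)\s+Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)")

def parse_ciphers(text):
    """Parse `openssl ciphers -v` output into one dict per suite."""
    return [m.groupdict() for m in
            (SUITE_RE.match(line.strip()) for line in text.splitlines()) if m]

def audit(suite):
    """Reasons a suite fails the thread's rules: TLSv1.2 only, no aNULL/eNULL,
    no EXPORT/DES/3DES/RC4, no MD5, and a SHA256/SHA384 or AEAD MAC."""
    reasons = []
    if suite["proto"] != "TLSv1.2":
        reasons.append("protocol " + suite["proto"])
    if suite["au"] == "None":
        reasons.append("anonymous key exchange (aNULL)")
    if suite["enc"] == "None":
        reasons.append("no encryption (eNULL)")
    elif suite["enc"].startswith(("DES", "3DES", "RC4")) or suite["name"].startswith("EXP"):
        reasons.append("weak cipher " + suite["enc"])
    if suite["mac"] not in ("SHA256", "SHA384", "AEAD"):
        reasons.append("MAC " + suite["mac"])
    return reasons

def audit_output(text):
    """Map each suite name in `text` to its list of failures ([] means it passes)."""
    return {s["name"]: audit(s) for s in parse_ciphers(text)}

def audit_cipher_string(cipher_string):
    """Expand a cipher string with the local openssl binary (assumed on PATH) and audit it."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not on PATH")
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=True).stdout
    return audit_output(out)
```

Running `audit_cipher_string` on the string proposed above should return only empty lists; any non-empty entry names a suite the string still lets through and the rule it breaks.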