01-16-2018 01:17 PM - edited 03-08-2019 07:31 PM
https://supportforums.cisco.com/t5/email-security/scan-revealed-weak-ssl-cipher/td-p/2805757
Looking at this thread from a couple years ago and it has lots of good info on SSL ciphers for TLS. It even appears Cisco perhaps had a recommended setting to pass security scans.
I am curious, is there a Cisco recommended Cipher string to use currently? I understand we'd need to tweak it as required for our use, but something to start with.
Thanks for any input.
01-16-2018 02:06 PM
That thread you referenced and similar ones in the past couple of years are still your best source...
Start with something like !aNULL:!eNULL:!SSLv2:!SSLv3:!EXP:!RC4:MEDIUM:HIGH:@STRENGTH and turn off whatever else you need to/want to as you can.
Recently I've seen the need to add !DES:!3DES
01-19-2018 10:53 AM
Thanks Ken. I am starting the conversation with our security folks now and that helps me get a start.
01-18-2018 06:38 PM
03-13-2019 03:57 PM
Hi Robert, this information is really useful. The National Cyber Security Centre (NCSC) has provided guidance on acceptable and non-acceptable cipher suites (see https://www.mailcheck.service.ncsc.gov.uk/app/domain-security/tls-advice or attached). I am trying to configure the correct settings within System Administration > SSL Configuration but am struggling to understand the settings I need to apply to meet this guidance. Please can someone advise or, if not, point me in a direction e.g. user guide etc. that might be able to help.
03-18-2019 02:50 PM
So, the ESA is basically using a tweaked version of OpenSSL, and the config is using OpenSSL cipher strings.
Based on your document, something like this:
TLSv1.2:SHA256:SHA384:!MD5:!NULL:!EXPORT:!DES:!3DES:@STRENGTH
might get you close without having to actually spell out that list of ciphers.
https://www.openssl.org/docs/man1.0.2/man1/ciphers.html
Download a copy of OpenSSL and run the following command to see what pops out (quote the string, since "!" is special to interactive shells):
openssl ciphers -v 'TLSv1.2:SHA256:SHA384:!MD5:!NULL:!EXPORT:!DES:!3DES:@STRENGTH'
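Both answers in this thread (the !aNULL:!eNULL:!EXP:!RC4:!DES:!3DES starting point and the TLSv1.2-only string above) end with the same advice: feed the string to "openssl ciphers -v" and read what comes out. The script below is an added example, not code from the thread, from Cisco or from the posters. It parses the well-known column layout of "openssl ciphers -v" (name, protocol, Kx=, Au=, Enc=, Mac=, optional trailing "export") and flags every suite that violates the criteria the two answers agree on. The sample output embedded in it is constructed for the example; the only assumption beyond that is that the local "openssl" binary, when present, prints that layout.

```python
"""Audit the suites an OpenSSL cipher string actually enables.

Added example for the thread above; not Cisco's code and not the posters'.
Parses `openssl ciphers -v` output and flags suites that the two answers in
the thread want removed: eNULL, aNULL, export, RC4, DES, 3DES and MD5.
"""
import re
import subprocess
from dataclasses import dataclass

# One line of `openssl ciphers -v` looks like:
#   DES-CBC3-SHA  SSLv3 Kx=RSA  Au=RSA  Enc=3DES(168) Mac=SHA1
# Export suites carry a trailing "export" word.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<proto>\S+)\s+Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>\S+)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?\s*$"
)

# Constructed sample of `openssl ciphers -v` output (not captured from an ESA).
SAMPLE_OUTPUT = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
RC4-MD5                 SSLv3 Kx=RSA      Au=RSA  Enc=RC4(128)  Mac=MD5
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
EXP-DES-CBC-SHA         SSLv3 Kx=RSA(512) Au=RSA  Enc=DES(40)   Mac=SHA1 export
NULL-SHA256             TLSv1.2 Kx=RSA      Au=RSA  Enc=None      Mac=SHA256
"""


@dataclass
class Suite:
    name: str
    proto: str   # protocol the suite was *defined* for; SSLv3-era suites still run over TLS 1.0-1.2
    kx: str
    au: str
    enc: str
    mac: str
    export: bool


def parse_cipher_lines(text):
    """Turn `openssl ciphers -v` output into Suite records; reject lines it does not recognise."""
    suites = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unrecognised 'openssl ciphers -v' line: {line!r}")
        suites.append(Suite(m["name"], m["proto"], m["kx"], m["au"],
                            m["enc"], m["mac"], m["export"] is not None))
    return suites


def weaknesses(suite):
    """Reasons a suite fails the thread's criteria; an empty list means it passes."""
    reasons = []
    enc_alg = suite.enc.split("(")[0]        # "AESGCM(256)" -> "AESGCM"
    if enc_alg == "None":
        reasons.append("eNULL")              # no encryption at all
    if suite.au == "None":
        reasons.append("aNULL")              # anonymous key exchange, no server auth
    if suite.export:
        reasons.append("EXP")                # 40/56-bit export grade
    if enc_alg == "RC4":
        reasons.append("RC4")
    if enc_alg == "DES":
        reasons.append("DES")
    if enc_alg == "3DES":
        reasons.append("3DES")
    if suite.mac == "MD5":
        reasons.append("MD5")
    return reasons


def audit(text):
    """Map suite name -> list of weaknesses for a block of `openssl ciphers -v` output."""
    return {s.name: weaknesses(s) for s in parse_cipher_lines(text)}


def acceptable(text):
    """Names of the suites that survive the thread's criteria, in OpenSSL's preference order."""
    return [name for name, reasons in audit(text).items() if not reasons]


def run_openssl_ciphers(cipher_string):
    """Evaluate a cipher string with the local OpenSSL (not the ESA's build; see usage note)."""
    out = subprocess.run(["openssl", "ciphers", "-v", cipher_string],
                         capture_output=True, text=True, check=True)
    return out.stdout


if __name__ == "__main__":
    # Audit the constructed sample; swap in run_openssl_ciphers(<string>) to audit a real list.
    for name, reasons in audit(SAMPLE_OUTPUT).items():
        print(f"{name:30} {'OK' if not reasons else 'REJECT ' + ','.join(reasons)}")
```

Two caveats a practitioner would want: "openssl ciphers" expands the string against the OpenSSL build on your workstation, so a suite that appears (or is missing) there may differ from what the appliance's own OpenSSL build enables; use the output to check that the string's exclusions do what you intend, then confirm on the ESA. The protocol column is also not a TLS-version filter: a suite listed as "SSLv3" is simply one defined before TLS 1.2 and is still negotiable over TLS 1.0 through 1.2, so excluding old protocol versions is a separate setting from choosing suites.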