SSLV3 to be disabled and TLS1.2 enabled and end user email with sslv3

arumugasamy
Level 1

Team,

Customer wants to disable SSL v3 according to the report given by the audit team. The C170s are in a cluster running 8.5.6, and the customer wants to enable TLS 1.2 and disable SSL v3. If we disable SSL v3, then what could be the impact of receiving email with SSLv3? Does the C170 inspect the email with SSL v3? The current version 8.5.6 is not supporting TLS v1.2, so we are going for an upgrade 8.5.6 -> 9.0.0 -> 9.1.0.

Please give your suggestion.

Thanks

4 Replies

Robert Sherwin
Cisco Employee

Recommendation would be to upgrade through to 10.0.1-087, which provides the capability of disabling the ciphers you wish, and provides you with additional OS enhancements and bug fixes.

The impact of making changes to the ciphers would be to the senders/servers that communicate with you using the lower ciphers. They may be unable to communicate properly. You'll need to keep an eye on the mail logs for your appliances, and to see if "TLS required" mail is interfered with.

From the release notes for 10.0:

Prior to this release, the supported methods were TLS v1/TLS v1.2, SSL v3, and SSL v2.

After upgrading to this release, the supported methods are:

• TLS v1.1

• TLS v1.2

• TLS v1.0

• SSL v3

• SSL v2

Keep in mind that,

• You cannot enable SSL v2 and TLS v1 methods simultaneously. However, you can enable these methods in conjunction with SSL v3 method.

• You cannot enable TLS v1.0 and v1.1 methods simultaneously. However, you can enable these methods in conjunction with TLS v1.2 method.

Cheers,
Robert Sherwin

Libin Varghese
Cisco Employee

Hi,

TLS v1.2 is available in Async OS 9.5 and above so you would certainly need to upgrade the devices in order to be able to use TLS v1.2.

SSLv3 is recommended to be disabled due to known vulnerabilities and can be done from System Administration -> SSL Configuration; however, SSLv3 ciphers would still be used by TLSv1.

Thanks!

Libin Varghese

Thanks Libin,

Thanks a lot

I forwarded the message to the customer.

So if IronPort received an email with SSLv3, would it inspect it? This is one thing the customer wants to confirm.

Also, we noticed that images up to 9.1.0 are available to install under the upgrade menu in System Administration.

How to get 9.5 image?

I'm not sure what you mean by inspecting SSLv3.

SSLv3 would not be offered by the appliance for TLS negotiation if disabled.

You can upgrade to release 9.5.0-201 from the following versions:

• 8.5.6-106

• 9.1.0-032

• 9.5.0-144

http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa9-5/ESA_9-5_Release_Notes.pdf

You can upgrade to any image above 9.5 to use TLSv1.2.

Please review all release notes below:

http://www.cisco.com/c/en/us/support/security/email-security-appliance/products-release-notes-list.html

Thanks!

Libin V
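One way to confirm, after the change, which protocol versions the appliance's SMTP listener still negotiates over STARTTLS. This is an added example, not Cisco code or anything posted in this thread; the host name and port are assumed command-line arguments, and SSLv3 itself is left out because a modern OpenSSL build cannot offer it on the client side at all.

```python
"""Probe which TLS versions an SMTP server accepts over STARTTLS."""
import socket
import ssl
import sys

# Versions to try, oldest first. Each probe pins the client to exactly
# one version, so a successful handshake means the server accepts it.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def parse_ehlo(reply):
    """Return the set of EHLO keywords from a raw multi-line 250 reply."""
    keywords = set()
    # Skip the greeting line; continuation lines look like '250-STARTTLS'
    # or '250 HELP', so the keyword starts at offset 4.
    for line in reply.decode("ascii", "replace").splitlines()[1:]:
        keywords.add(line[4:].split(" ")[0].upper())
    return keywords

def context_for(version):
    """Client context pinned to one protocol version, for probing only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ctx.maximum_version = version
    ctx.check_hostname = False   # we test negotiation, not identity
    ctx.verify_mode = ssl.CERT_NONE
    try:
        ctx.set_ciphers("ALL:@SECLEVEL=0")  # let legacy suites be offered
    except ssl.SSLError:
        pass  # OpenSSL builds without security levels keep their defaults
    return ctx

def probe(host, version, port=25, timeout=5):
    """Return the negotiated protocol name, or None if the handshake fails."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.recv(1024)                           # 220 banner
        sock.sendall(b"EHLO probe.example\r\n")
        if "STARTTLS" not in parse_ehlo(sock.recv(4096)):
            return None                           # server offers no TLS
        sock.sendall(b"STARTTLS\r\n")
        if not sock.recv(1024).startswith(b"220"):
            return None
        try:
            with context_for(version).wrap_socket(sock) as tls:
                return tls.version()
        except (ssl.SSLError, OSError):
            return None                           # version refused

if __name__ == "__main__":
    for name, version in VERSIONS.items():
        print(f"{name}: {probe(sys.argv[1], version) or 'refused'}")
```

Run it before and after disabling the old methods; the lines that switch from a version name to "refused" are the senders that may start failing, which is what the mail logs should be watched for.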