Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
10111
Views
5
Helpful
8
Replies

TLS 1.1 and TLS 1.2 for IronPort Email Appliances C370 or M670

Greg Muszynski
Level 1
Level 1

‎07-20-2015 08:46 AM

wow this Forum is horrible, there is no Email topic in the Community to post in pull down

 

my question is how do we check or enable TLS 1.1. and or TLS 1.2 on the Cisco IronPort Email Appliances such as the C370 or M670

1 person had this problem
Labels:
0 Helpful
8 Replies 8

Robert Sherwin
Cisco Employee
Cisco Employee

‎07-20-2015 10:21 AM

Sorry CSC Forums aren't to your liking.

The change for TLS is starting with our 9.5/9.6 AsyncOS for Email Security release.  TLS v 1.2 is supported as of this release.  Currently, 9.6 is out as General Deployment (GD) today.

Additional Encryption Support
With AsyncOS 9.5, the Email Security Appliance now supports Transport Layer Security (TLS) 1.2. This encryption protocol is especially important in industries such as healthcare, where compliance with regulations require data transmission over the internet with TLS 1.2. Meeting these compliance requirements reduces the risk of vulnerability of data in motion with encryption best practices.

 

You will be able to see this in your mail logs, if the appliance negotiated at that level.

From the CLI, or GUI, you'll see the TLSv1.2:

> sslconfig

 

sslconfig settings:

  GUI HTTPS method:  tlsv1/tlsv1.2

  GUI HTTPS ciphers: 

        MEDIUM

        HIGH

        -SSLv2

        -aNULL

        @STRENGTH

  Inbound SMTP method:  tlsv1/tlsv1.2

  Inbound SMTP ciphers: 

        MEDIUM

        HIGH

        -SSLv2

        -aNULL

        @STRENGTH

  Outbound SMTP method:  tlsv1/tlsv1.2

  Outbound SMTP ciphers: 

        MEDIUM

        HIGH

        -SSLv2

        -aNULL

        @STRENGTH

 

-Robert

 

 

 

Cheers,
Robert Sherwin
0 Helpful

Jussi Torhonen
Level 1
Level 1
In response to Robert Sherwin

‎07-22-2015 12:04 PM

Any chance getting TLS 1.2 for quarantine https listener in a SMA running AsyncOS 9.5.0-125 GA ? There is still no sslconfig command to use. And there is no SSL Configuration in web GUI either. If downloading the configuration file, is there any way to configure TLS 1.2 into https listener?

Jussi

 

0 Helpful

Robert Sherwin
Cisco Employee
Cisco Employee
In response to Jussi Torhonen

‎07-22-2015 01:17 PM

At this time, no.  Only ESA has the built in 1.2 preference w/ SSL.  This is being worked into WSA and SMA future releases.

Cheers,
Robert Sherwin
0 Helpful

Greg.Howley
Level 1
Level 1
In response to Robert Sherwin

‎09-24-2015 08:17 AM

Are the cipher settings above the recommended settings?  I see older references that seem to suggest RC4-SHA:RC4-MD5:ALL as the recommended (possibly default?) setting.

 

Could you explain what MEDIUM and HIGH encompass?
 

0 Helpful

Robert Sherwin
Cisco Employee
Cisco Employee
In response to Greg.Howley

‎09-24-2015 08:30 AM

I have been working to update and bring that information up-to-date.  Let me know if this answers your questions:

Introduction

 

This document describes how to alter the methods and ciphers that are used with Secure Socket Layer (SSL) or Transport Layer Security (TLS) configuration on the Cisco Email Security Appliance (ESA).

 

Contributed by James Noad and Robert Sherwin, Cisco TAC Engineers.

 

How to alter the methods and ciphers used with SSL/TLS

  

Note: SSL/TLS methods and ciphers should be set based on your company's specific security policies and preferences.  For a third party reference regarding ciphers, please consider Mozilla's Security/Server Side TLS for recommended server configurations and detailed information.

 

With AsyncOS for Email Security, an administrator can configure the SSL or TLS protocols for the methods and ciphers used for GUI communication, advertised for inbound connections, and requested for outbound connections with the sslconfig command:

 

example.com (SERVICE)> sslconfig

sslconfig settings:
 GUI HTTPS method: sslv3tlsv1
 GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
 Inbound SMTP method: sslv3tlsv1
 Inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
 Outbound SMTP method: sslv3tlsv1
 Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:
- INBOUND - Edit inbound SMTP ssl settings.
- OUTBOUND - Edit outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> inbound

Enter the inbound SMTP ssl method you want to use.
1. SSL v2.
2. SSL v3 
3. TLS v1 
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[5]> 

Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH

sslconfig settings:
 GUI HTTPS method: sslv3tlsv1
 GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
 Inbound SMTP method: sslv3tlsv1
 Inbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
 Outbound SMTP method: sslv3tlsv1
 Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:
- INBOUND - Edit inbound SMTP ssl settings.
- OUTBOUND - Edit outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]>

 

If changes are made to the SSL configuration, be sure to commit any and all changes.

 

SSL Methods

 

As of version 9.6 of AsyncOS for Email Security, the ESA is set by default for TLS v1/TLS v1.2 for method.  TLSv1.2 will take precedent in communication, if in use by both sending and receiving parties.  In order to establish a TLS connection, both sides must have at least one enabled method that matches, and at least one enabled cipher that matches.

 

Note: On versions prior to 9.6 of AsyncOS for Email Security, the default had two methods: SSL v3 and TLS v1. Some administrators may want to disable SSL v3 because of recent vulnerabilities, if SSL v3 is enabled.

 

SSL Ciphers

 

When you view the default cipher listed from the previous example, it is important to understand the reason that it shows two ciphers followed by the word ALL. Although ALL includes the two ciphers that precede it, the order of the ciphers in the cipher list determines the preference. Thus, when a TLS connection is made, the client picks the first cipher that both sides support based on the order of appearance in the list.

 

Note: RC4 ciphers are enabled by default on the ESA.  In the above example, the MEDIUM:HIGH is based on our Technote, Prevent Negotiations for Null or Anonymous Ciphers on the ESA and SMA.  For further information regarding RC4 specifically, please considerMozilla's Security/Server Side TLS, and also On the Security of RC4 in TLS and WPA presented from the USENIX Security Symposium 2013.  In order to remove RC4 ciphers from use, please see the examples below.

  

By manipulating the cipher list, you can influence which cipher gets chosen. In addition to listing specific ciphers or cipher ranges, you can also re-order them by strength by including the @STRENGTH option in the cipher string, as shown:

 

Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH 

 

Please be sure to review the entire ciphers and ranges available on the ESA.  This can be seen by running the sslconfig command and then running the verify sub-command.  Options for SSL cipher categories are LOWMEDIUMHIGH, and ALL:

 

[]> verify

Enter the ssl cipher you want to verify.
[]> MEDIUM

ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5 
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 
IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5 
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5

These can also be combined to include ranges:

 

[]> verify

Enter the ssl cipher you want to verify.
[]> MEDIUM:HIGH

ADH-RC4-MD5 SSLv3 Kx=DH Au=None Enc=RC4(128) Mac=MD5 
IDEA-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=IDEA(128) Mac=SHA1
RC4-SHA SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 
IDEA-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=IDEA(128) Mac=MD5 
RC2-CBC-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC2(128) Mac=MD5 
RC4-MD5 SSLv2 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5 
ADH-CAMELLIA256-SHA SSLv3 Kx=DH Au=None Enc=Camellia(256) Mac=SHA1
DHE-RSA-CAMELLIA256-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(256) Mac=SHA1
DHE-DSS-CAMELLIA256-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(256) Mac=SHA1
CAMELLIA256-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(256) Mac=SHA1
ADH-CAMELLIA128-SHA SSLv3 Kx=DH Au=None Enc=Camellia(128) Mac=SHA1
DHE-RSA-CAMELLIA128-SHA SSLv3 Kx=DH Au=RSA Enc=Camellia(128) Mac=SHA1
DHE-DSS-CAMELLIA128-SHA SSLv3 Kx=DH Au=DSS Enc=Camellia(128) Mac=SHA1
CAMELLIA128-SHA SSLv3 Kx=RSA Au=RSA Enc=Camellia(128) Mac=SHA1
ADH-AES256-SHA SSLv3 Kx=DH Au=None Enc=AES(256) Mac=SHA1
DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-DSS-AES256-SHA SSLv3 Kx=DH Au=DSS Enc=AES(256) Mac=SHA1
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1
DHE-DSS-AES128-SHA SSLv3 Kx=DH Au=DSS Enc=AES(128) Mac=SHA1
AES128-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5

 

Any SSL ciphers that you do not want configured and available should be removed by using the "-" option in front of the specific ciphers.  A good example would be as follows:

 

[]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:-EDH-RSA-DES-CBC3-SHA:-EDH-DSS-DES-CBC3-SHA:-DES-CBC3-SHA

 

This example would negate NULL, EDH-RSA-DES-CBC3-SHA, EDH-DSS-DES-CBC3-SHA, and DES-CBC3-SHA ciphers from being advertised and used in SSL communication.

 

You can also accomplish similar with "!" in front of the cipher group, or string, that you wish to not have available:

 

[]> MEDIUM:HIGH:-SSLv2:-aNULL:!RC4:@STRENGTH

 

This example would remove ALL RC4 ciphers from use.  The RC4-SHA and RC4-MD5 ciphers would be negated and not advertised in SSL communication.

 

If changes are made to the SSL configuration, be sure to commit any and all changes.

Cheers,
Robert Sherwin

Ken Stieers
VIP
VIP
In response to Robert Sherwin

‎09-24-2015 08:46 AM

NICE!!!! Totally forgot about the on box stuff.

 

Thanks!!
 

 

 

0 Helpful

Greg.Howley
Level 1
Level 1
In response to Ken Stieers

‎09-24-2015 08:51 AM

cool, thanks!

 

 

0 Helpful

Ken Stieers
VIP
VIP
In response to Greg.Howley

‎09-24-2015 08:43 AM

The new default is what Robert published, but you'll only see that in a new deployment.

Cypher string syntax is here:

https://www.openssl.org/docs/manmaster/apps/ciphers.html

 

 

If you grab a relatively recent version of Openssl and run this, you'll get a list of ciphers that it will use in the order that it will try to use them:

openssl ciphers -v MEDIUM:HIGH:-SSLv2:-aNULL
:@STRENGTH

 

Medium was added because not everybody is paying attention to this yet...

 

0 Helpful
Customers Also Viewed These Support Documents