TLS bit length/support check in C670 ESA

bsrinu001
Level 1

Hi Team,

Would you please let us know how to check the TLS bit length and its compatibility with the different bit-length encryption standards/devices in a mutual TLS handshake with another domain/environment?

1 Accepted Solution

Accepted Solutions

Libin Varghese
Cisco Employee

Hi,

You can use the command "tlsverify" to confirm whether a TLS connection to a destination host is successful.

For example, for cisco.com you can verify TLS against one of its MX hosts as below.

cisco.lab> nslookup cisco.com mx

MX=rcdn-mx-01.cisco.com PREF=20 TTL=30m
MX=alln-mx-01.cisco.com PREF=10 TTL=30m
MX=aer-mx-01.cisco.com PREF=30 TTL=30m

cisco.lab> tlsverify

Enter the TLS domain to verify against:
[]> cisco.com

Enter the destination host to connect to. Append the port (example.com:26) if you are not connecting on port 25:[cisco.com]> rcdn-mx-01.cisco.com

Connecting to 72.163.7.166 on port 25.
Connected to 72.163.7.166 from interface 172.18.124.52.
Checking TLS connection.
TLS connection established: protocol TLSv1.2, cipher RC4-SHA.
Verifying peer certificate.
Verifying alternative DNS name rcdn-mx-01.cisco.com.
Verifying alternative DNS name rcdn-inbound-a.cisco.com.
Verifying alternative DNS name rcdn-inbound-b.cisco.com.
Verifying alternative DNS name rcdn-inbound-c.cisco.com.
Verifying alternative DNS name rcdn-inbound-d.cisco.com.
Verifying alternative DNS name rcdn-inbound-e.cisco.com.
Verifying alternative DNS name rcdn-inbound-f.cisco.com.
Verifying alternative DNS name rcdn-inbound-g.cisco.com.
Verifying alternative DNS name rcdn-inbound-h.cisco.com.
Verifying alternative DNS name rcdn-inbound-i.cisco.com.
Verifying alternative DNS name rcdn-inbound-j.cisco.com.
Verifying alternative DNS name rcdn-inbound-k.cisco.com.
Verifying alternative DNS name rcdn-inbound-l.cisco.com.
Verifying alternative DNS name rcdn-inbound-m.cisco.com.
Verifying alternative DNS name rcdn-inbound-n.cisco.com.
Verifying certificate common name rcdn-mx-01.cisco.com.
TLS certificate match rcdn-mx-01.cisco.com
TLS certificate verified.
TLS connection to 72.163.7.166 succeeded.

TLS successfully connected to rcdn-mx-01.cisco.com.
TLS verification completed.

You can also use the command "sslconfig" -> "verify" to review the cipher strength of the ciphers offered by the appliance.

Thanks!
Libin Varghese


Hi Libin,

Thanks for your response, but specifically, how do we find out the bit length of the TLS we have on our ESA?

Hi,

You can review the ciphers offered for TLS using the command "sslconfig" -> "verify".

You can determine the current cipher string in use from the GUI under System Administration -> SSL Configuration.

(Cluster Test)> sslconfig

sslconfig settings:
GUI HTTPS method: tlsv1/tlsv1.2
GUI HTTPS ciphers:
RC4-SHA
RC4-MD5
ALL
-aNULL
-EXPORT
Inbound SMTP method: tlsv1/tlsv1.2
Inbound SMTP ciphers:
RC4-SHA
RC4-MD5
ALL
-aNULL
-EXPORT
Outbound SMTP method: tlsv1/tlsv1.2
Outbound SMTP ciphers:
RC4-SHA
RC4-MD5
ALL
-aNULL
-EXPORT

Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
- CLUSTERSET - Set how ssl settings are configured in a cluster.
- CLUSTERSHOW - Display how ssl settings are configured in a cluster.
[]> verify

Enter the ssl cipher you want to verify.
[]> RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT

- Libin Varghese
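The two commands in this thread answer the bit-length question from the appliance side; the Python below is an added example (not Cisco's or the ESA's own code) that does the same two checks from a workstation. `expand_cipher_string` does locally what "sslconfig" -> "verify" does on the appliance: it expands the cipher string shown above, `RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT`, into the individual ciphers it enables, each with its effective key length in bits. `starttls_check` does what "tlsverify" does against an MX host: SMTP on port 25, STARTTLS, certificate chain and hostname verification, then a report of the negotiated protocol, cipher and key length. The cipher string is the page's own; the MX hostname passed on the command line and the 128-bit threshold are assumptions. One caveat worth knowing when reading the transcript above: RC4-SHA is a 128-bit RC4 cipher, RC4 is prohibited in TLS by RFC 7465, and current OpenSSL builds omit it, so the expansion silently drops the two RC4 entries on a modern host and a modern peer will not negotiate them.

```python
"""Added example: local equivalents of the ESA's 'sslconfig -> verify' and
'tlsverify' commands. Not Cisco's or the ESA's own code."""
import smtplib
import ssl
import sys

# Cipher string as shown in the sslconfig output above (copied from the page).
ESA_CIPHER_STRING = "RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT"


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the ciphers it enables, like
    'sslconfig -> verify'. Returns (name, protocol, strength_bits) tuples.
    OpenSSL silently skips names the local build does not know (RC4 on
    current builds), so those entries simply do not appear; set_ciphers
    raises ssl.SSLError only if the whole string enables nothing."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    # TLS 1.3 suites are listed too; they are fixed and unaffected by the string.
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def weak_ciphers(entries, min_bits=128):
    """Filter the expanded list down to ciphers below the given key length."""
    return [e for e in entries if e[2] < min_bits]


def starttls_check(mx_host, port=25, timeout=15):
    """Do what 'tlsverify' does: SMTP session, STARTTLS, chain and hostname
    verification, then report the negotiated protocol, cipher and key bits.
    Raises ssl.SSLCertVerificationError / ssl.SSLError if verification fails."""
    ctx = ssl.create_default_context()  # system CA store, hostname check enabled
    with smtplib.SMTP(mx_host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)  # smtplib passes server_hostname=mx_host
        name, version, bits = smtp.sock.cipher()
        cert = smtp.sock.getpeercert()
    return {
        "host": mx_host,
        "protocol": version,
        "cipher": name,
        "bits": bits,
        "common_name": dict(pair[0] for pair in cert["subject"]).get("commonName"),
        "dns_names": [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"],
    }


if __name__ == "__main__":
    entries = expand_cipher_string(ESA_CIPHER_STRING)
    print(f"{ESA_CIPHER_STRING} expands to {len(entries)} ciphers on this OpenSSL:")
    for name, proto, bits in entries:
        print(f"  {name:<32} {proto:<8} {bits:>3} bits")
    for name, _, bits in weak_ciphers(entries, 128):
        print(f"  below 128 bits: {name} ({bits})")
    if len(sys.argv) > 1:  # e.g. python check_tls.py mx.example.net (hypothetical host)
        report = starttls_check(sys.argv[1])
        print(f"{report['host']}: {report['protocol']} {report['cipher']} "
              f"{report['bits']} bits, CN={report['common_name']}, "
              f"SANs={', '.join(report['dns_names'])}")
```

Run it with no argument to see the expanded cipher list for the local OpenSSL; pass an MX host as the first argument to run the live STARTTLS check. The `strength_bits` value from `get_ciphers()` and the third element of `sock.cipher()` are the "bit length" the question asks about: the effective symmetric key length of the negotiated cipher, which is what the appliance and the peer must agree on for the mutual handshake to succeed.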
