02-20-2017 07:33 AM
Hi Team,
Would you please let us know how to check the TLS bit length and its compatibility with the different bit-length encryption standards/devices in a mutual TLS handshake with another domain/environment.
02-20-2017 12:39 PM
Hi,
You can use the command "tlsverify" to confirm whether a TLS connection to a destination host is successful.
For example, for cisco.com you can verify TLS against one of its MX hosts as below.
cisco.lab> nslookup cisco.com mx
MX=rcdn-mx-01.cisco.com PREF=20 TTL=30m
MX=alln-mx-01.cisco.com PREF=10 TTL=30m
MX=aer-mx-01.cisco.com PREF=30 TTL=30m
cisco.lab> tlsverify
Enter the TLS domain to verify against:
[]> cisco.com
Enter the destination host to connect to. Append the port (example.com:26) if you are not connecting on port 25:[cisco.com]> rcdn-mx-01.cisco.com
Connecting to 72.163.7.166 on port 25.
Connected to 72.163.7.166 from interface 172.18.124.52.
Checking TLS connection.
TLS connection established: protocol TLSv1.2, cipher RC4-SHA.
Verifying peer certificate.
Verifying alternative DNS name rcdn-mx-01.cisco.com.
Verifying alternative DNS name rcdn-inbound-a.cisco.com.
Verifying alternative DNS name rcdn-inbound-b.cisco.com.
Verifying alternative DNS name rcdn-inbound-c.cisco.com.
Verifying alternative DNS name rcdn-inbound-d.cisco.com.
Verifying alternative DNS name rcdn-inbound-e.cisco.com.
Verifying alternative DNS name rcdn-inbound-f.cisco.com.
Verifying alternative DNS name rcdn-inbound-g.cisco.com.
Verifying alternative DNS name rcdn-inbound-h.cisco.com.
Verifying alternative DNS name rcdn-inbound-i.cisco.com.
Verifying alternative DNS name rcdn-inbound-j.cisco.com.
Verifying alternative DNS name rcdn-inbound-k.cisco.com.
Verifying alternative DNS name rcdn-inbound-l.cisco.com.
Verifying alternative DNS name rcdn-inbound-m.cisco.com.
Verifying alternative DNS name rcdn-inbound-n.cisco.com.
Verifying certificate common name rcdn-mx-01.cisco.com.
TLS certificate match rcdn-mx-01.cisco.com
TLS certificate verified.
TLS connection to 72.163.7.166 succeeded.
TLS successfully connected to rcdn-mx-01.cisco.com.
TLS verification completed.
You can also use the command "sslconfig" -> "verify" to review the cipher strength of the ciphers offered by the appliance.
Thanks!
Libin Varghese
02-28-2017 12:49 PM
Hi Libin,
Thanks for your response, but specifically, how to know the bit
02-28-2017 12:55 PM
Hi,
You can review the ciphers offered for TLS using the command "sslconfig" -> "verify".
You can determine the current cipher string in the GUI under System Administration -> SSL Configuration.
(Cluster Test)> sslconfig
sslconfig settings:
GUI HTTPS method: tlsv1/tlsv1.2
GUI HTTPS ciphers:
RC4-SHA
RC4-MD5
ALL
-aNULL
-EXPORT
Inbound SMTP method: tlsv1/tlsv1.2
Inbound SMTP ciphers:
RC4-SHA
RC4-MD5
ALL
-aNULL
-EXPORT
Outbound SMTP method: tlsv1/tlsv1.2
Outbound SMTP ciphers:
RC4-SHA
RC4-MD5
ALL
-aNULL
-EXPORT
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
- CLUSTERSET - Set how ssl settings are configured in a cluster.
- CLUSTERSHOW - Display how ssl settings are configured in a cluster.
[]> verify
Enter the ssl cipher you want to verify.
[]> RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT
- Libin Varghese
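Added example (not part of the thread, and not Cisco's code): the appliance's sslconfig strings use OpenSSL cipher-list syntax, so Python's OpenSSL-backed ssl module can expand the string shown above into the concrete suites with their symmetric key sizes, which is the "bit length" the original question asks about. The same script pulls the protocol and negotiated cipher out of the tlsverify output in the first answer and looks up that cipher's key size. HARDENED_CIPHERS is an assumed policy chosen for this example; the RC4 key sizes in LEGACY_SUITE_BITS come from the IANA suite definitions (TLS_RSA_WITH_RC4_128_SHA / _MD5) and are used only when the local OpenSSL build has dropped RC4 entirely, as current builds have.

```python
import re
import ssl

# Cipher string exactly as shown in the thread's sslconfig output.
APPLIANCE_CIPHERS = "RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT"

# Assumed hardened policy for this example: 128-bit-or-better suites, no RC4, MD5,
# 3DES, NULL encryption, export grades or anonymous key exchange. Not from the thread.
HARDENED_CIPHERS = "HIGH:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!3DES"

# Name fragments that identify algorithms a current TLS deployment should not offer.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1")

# Symmetric key size of the two legacy suites the thread shows, from their IANA
# definitions. Only consulted when the local OpenSSL no longer knows the suite.
LEGACY_SUITE_BITS = {"RC4-SHA": 128, "RC4-MD5": 128}

# Constructed sample: the two result lines from the tlsverify run in the first answer.
SAMPLE_TLSVERIFY = (
    "Checking TLS connection.\n"
    "TLS connection established: protocol TLSv1.2, cipher RC4-SHA.\n"
)


def expand_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string into the suites this OpenSSL build would
    offer, in preference order, as (name, protocol, strength_bits) tuples.
    A string that selects nothing (e.g. "RC4-SHA" alone on a build without RC4)
    makes OpenSSL fail; that is reported as an empty list rather than an exception."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [(c["name"], c["protocol"], c["strength_bits"]) for c in ctx.get_ciphers()]


def weak_suites(expanded):
    """Suite names in an expansion that carry a known-weak algorithm marker."""
    return [name for name, _, _ in expanded if any(m in name for m in WEAK_MARKERS)]


def min_strength_bits(expanded):
    """Smallest symmetric key size a cipher string would let a peer negotiate."""
    return min((bits for _, _, bits in expanded), default=0)


def parse_tlsverify(output):
    """Extract protocol and negotiated cipher from tlsverify output and look up the
    cipher's key size. Returns None if no handshake result line is present."""
    m = re.search(r"protocol ([^,\s]+), cipher ([\w-]+)", output)
    if not m:
        return None
    protocol, cipher = m.group(1), m.group(2)
    # Every suite the local build knows, then the IANA fallback for dropped suites.
    local = {n: b for n, _, b in expand_cipher_string("ALL:COMPLEMENTOFALL")}
    bits = local.get(cipher, LEGACY_SUITE_BITS.get(cipher))
    weak = (
        any(mk in cipher for mk in WEAK_MARKERS)
        or protocol in LEGACY_PROTOCOLS
        or bits is None
        or bits < 128
    )
    return {"protocol": protocol, "cipher": cipher, "strength_bits": bits, "weak": weak}


def report(cipher_string):
    """Summary a reviewer would want for one sslconfig cipher string."""
    expanded = expand_cipher_string(cipher_string)
    return {
        "suites": len(expanded),
        "min_bits": min_strength_bits(expanded),
        "weak": weak_suites(expanded),
        "preferred": expanded[0][0] if expanded else None,
    }


if __name__ == "__main__":
    for label, cs in (("appliance", APPLIANCE_CIPHERS), ("hardened", HARDENED_CIPHERS)):
        print(label, cs, report(cs))
    print(parse_tlsverify(SAMPLE_TLSVERIFY))
```

Two caveats when reading the output. First, the expansion reflects the OpenSSL build under Python, not the appliance's: an AsyncOS build from 2017 offered RC4-SHA, as the tlsverify line shows, while a current OpenSSL silently drops the two RC4 names and keeps only what ALL yields, so "sslconfig" -> "verify" on the appliance itself stays the authoritative list. Second, "-aNULL" only removes suites from the list built so far, whereas "!aNULL" bans them even if a later keyword would re-add them; the appliance string works because ALL comes before -aNULL, but "!" is the safer form. The strength_bits figure is the symmetric key size; the RSA key size of the peer certificate that tlsverify validates is a separate measurement.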