Cisco Secure Email Support Community
357 Views | 10 Helpful | 2 Replies
spacemeb
Beginner

TLS Configuration Requirements

Hello,

I am new to Cisco ESA, so can you please help me with the below? I think it must be easy for someone familiar.

We have a partner who wants to meet the following requirements:

1) Minimum requirement TLSv1.2
2) Use of approved X509v3 digital certificate
3) Certificate key size must be 2048
4) Mail host cipher strength must be 256 or higher.

I think the first requirement is met, since Cisco ESA by default supports TLSv1.1 or higher, so they will negotiate and our host will force the choice of TLSv1.2.

See questions below:

1. How can I see if my certificate is X509v3? Is there any way to see it on ESA? I was initially searching at Network -> Certificates but I did not see anything useful; should I have a look at the CLI?

2. Where can I see my certificate key size?

3. From the SSL configuration on the GUI, I think by default ESA is using some 256 ciphers; of course, I know that they must be suitable for our partners in order for communication to be established. Can you please confirm?

Last but not least, is there any way for all the above to be specified solely for one partner? There is "Destination Controls", in which you can force TLS to be required for the communication, but I see no parameters/options for the above.

Waiting for your replies,

Thank you in advance

MEB

 

1 ACCEPTED SOLUTION

Accepted Solutions
Ken Stieers
Advocate

I’ll answer the last question first: most of the TLS settings are for the whole box. Destination Controls sets whether certain outbound mail destinations require encryption, require verifying the certificate, or use DANE to figure out which cert to use/trust.

  1. You can check your cert by going to https://www.checktls.com/TestReceiver, put in your email and set the Output Format to CertDetail. It will show you the cert the ESA is giving out, and tell you the version and key size.
  2. See 1…
  3. You can use OpenSSL to see what ciphers you’re offering:

     openssl ciphers <cipherstring>

     will show you the list… You may need to tighten that up… a good starting point would be something like this:

     MEDIUM:HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:@STRENGTH

     You might be able to remove MEDIUM too…

     HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:@STRENGTH
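The two cipher strings above can be expanded offline and checked against the partner's fourth requirement (256-bit or higher) before anything is changed on the ESA. The following is an added example, not code from the thread or from Cisco; it uses Python's ssl module, which applies the same OpenSSL cipher-string grammar as `openssl ciphers`, and assumes only the two strings quoted in the answer.

```python
"""Audit an OpenSSL cipher string against a minimum symmetric strength.

Constructed example: expands a cipher string the way `openssl ciphers` does
and reports which enabled suites fall below the required bit strength.
"""
import ssl

# The two cipher strings suggested in the accepted answer.
RELAXED = "MEDIUM:HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:@STRENGTH"
STRICT = "HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:@STRENGTH"


def expand_cipher_string(cipher_string, min_version=ssl.TLSVersion.TLSv1_2):
    """Return the suites OpenSSL enables for `cipher_string`.

    Each entry is a dict with at least 'name', 'protocol' and 'strength_bits'.
    TLS 1.3 suites are included as well: a cipher string does not govern
    them in OpenSSL, so they show up whatever the string says.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = min_version   # requirement 1: TLSv1.2 as the floor
    ctx.set_ciphers(cipher_string)      # raises ssl.SSLError if nothing matches
    return ctx.get_ciphers()


def audit_cipher_string(cipher_string, min_bits=256):
    """Split the enabled suites into those at or above `min_bits` and the rest.

    Returns (strong_names, weak_names), both lists of suite names in the
    priority order OpenSSL would offer them.
    """
    strong, weak = [], []
    for suite in expand_cipher_string(cipher_string):
        target = strong if suite["strength_bits"] >= min_bits else weak
        target.append(suite["name"])
    return strong, weak


if __name__ == "__main__":
    for label, cipher_string in (("relaxed", RELAXED), ("strict", STRICT)):
        strong, weak = audit_cipher_string(cipher_string)
        print(f"{label}: {len(strong)} suites at >=256 bits, {len(weak)} below")
        for name in weak:
            print("  below 256 bits:", name)
```

Note that OpenSSL's HIGH group still contains 128-bit AES suites, so even the tightened string needs further exclusions (or explicit suite names) before it satisfies a strict 256-bit requirement; the audit lists exactly which entries remain.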


2 REPLIES 2
spacemeb
Beginner

Any thoughts?
