10-03-2021 02:42 AM
Hello,
I am new to Cisco ESA, so can you please help me with the below? I think it must be easy for someone familiar with it.
We have a partner who wants to meet the following requirements:
1) Minimum requirements TLSv1.2
2) Use of approved X509v3 digital certificate
3) Certificate key size must be 2048
4) Mail host cipher strength must be 256 or higher.
I think the first requirement is met, since Cisco ESA by default supports TLSv1.1 or higher, so they will negotiate and our host will be forced to choose TLSv1.2.
See questions below:
1. How can I see if my certificate is X509v3? Is there any way to see it on ESA? I was initially searching under Network -> Certificates but I did not see anything useful; should I have a look at the CLI?
2. Where can I see my certificate key size?
3. From the SSL configuration on the GUI, I think by default ESA is using some 256-bit ciphers. Of course, I know that they must be compatible with our partner's in order for communication to be established; can you please confirm?
Last but not least, is there any way for all the above to be specified solely for one partner? There is "Destination Controls", in which you can force TLS to be required for the communication, but I see no parameters/options for the above.
Waiting for your replies,
Thank you in advance
MEB
10-04-2021 07:45 AM
I’ll answer the last question first: Most of the TLS settings are for the whole box. Destination controls sets if certain outbound mail destinations require encryption, require verifying the certificate or use DANE to figure out which cert to use/trust.
openssl ciphers <cipherstring>
will show you the list… You may need to tighten that up… a good starting point would be something like this:
MEDIUM:HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:@STRENGTH
You might be able to remove MEDIUM too…
HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:@STRENGTH
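As an added illustration (not part of the original answer and not Cisco's code), the script below does two things a reader of this thread typically wants: it expands the cipher string suggested above the way openssl ciphers does, using Python's stdlib ssl module (which calls the same OpenSSL cipher-list parser), and keeps only suites whose symmetric strength meets the partner's 256-bit floor; and it parses the text output of openssl x509 -noout -text (a constructed sample is embedded so it runs offline) to answer questions 1 and 2, the certificate version and key size. The cipher string, the 256-bit and 2048-bit thresholds come from the thread; the function names, the sample certificate text and the host name in it are assumptions for the example.

```python
import re
import ssl

# Cipher string suggested in the answer above (the tighter variant without MEDIUM).
CIPHER_STRING = "HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:!IDEA:@STRENGTH"


def expand_cipher_string(cipher_string, min_bits=256):
    """Expand an OpenSSL cipher string into the suites it admits, keeping only
    those whose symmetric strength is at least min_bits.

    This mirrors `openssl ciphers -v '<cipherstring>'`: SSLContext.set_ciphers()
    hands the string to OpenSSL, and get_ciphers() returns the resulting list.
    Each entry is a dict with 'name', 'protocol' (the suite's minimum protocol
    version) and 'strength_bits'. The TLS minimum version is a separate,
    context-wide setting, as it is on the ESA.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # box-wide floor, like the ESA
    ctx.set_ciphers(cipher_string)                # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["strength_bits"] >= min_bits]


# Constructed sample of `openssl x509 -in cert.pem -noout -text` output (assumption:
# host name and serial are made up). Both "RSA Public-Key:" (OpenSSL 1.1.1) and
# "Public-Key:" (OpenSSL 3.x) spellings are handled by the parser below.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 4660 (0x1234)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = example-ca
        Subject: CN = mail.example.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:mail.example.com
"""


def check_cert_text(text, min_key_bits=2048):
    """Pull the certificate version and public-key size out of openssl x509
    text output and compare them with the partner's requirements.

    'Version: 3' is what an X509v3 certificate shows (openssl prints the
    human-readable version, 3, alongside the encoded value 0x2).
    """
    version_match = re.search(r"^\s*Version:\s*(\d+)", text, re.MULTILINE)
    key_match = re.search(r"Public-Key:\s*\((\d+) bit\)", text)
    if not version_match or not key_match:
        raise ValueError("not recognisable openssl x509 -text output")
    version = int(version_match.group(1))
    key_bits = int(key_match.group(1))
    return {
        "version": version,
        "x509v3": version == 3,
        "key_bits": key_bits,
        "key_ok": key_bits >= min_key_bits,
    }


if __name__ == "__main__":
    for suite in expand_cipher_string(CIPHER_STRING):
        print(f"{suite['name']:32} {suite['protocol']:8} {suite['strength_bits']} bits")
    print(check_cert_text(SAMPLE_CERT_TEXT))
```

On a host that has the certificate PEM exported from the appliance, feed it through openssl x509 -in cert.pem -noout -text and pass that output to check_cert_text; openssl s_client -starttls smtp -connect host:25 -showcerts gives the same certificate as presented on the wire, which is what the partner's mail server will see.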
10-03-2021 10:44 PM
Any thoughts?