
TLS Error

Hi Team

We got the following error on a TLS connection:

TLS failed: (336151574, 'error:14094416:SSL routines:SSL3_READ_BYTES:sslv3 alert certificate unknown')

This error is reported only with one sender. We are using the ESA Demo Certificate. Almost all TLS connections are successful.

Please let me know if we can resolve this issue.

Best Regards


You really should change your SSL configuration. Turn off SSLv3, and set your cipher string to something like this: MEDIUM:HIGH:!RC4:!aNULL:!MD5:!DSS:!EXPORT:@STRENGTH

If this is outgoing mail, under Mail Policies/Destination Controls, what's the TLS support setting that applies to this domain (might be the default)? If it's "Preferred - Verify" and they are using a Demo cert or self-signed cert, this will fail since the ESA can't confirm that the server name matches the cert... it's like going to a web site with a self-signed cert: your browser throws an error.

If you're set to "Preferred - Verify", it will fail. If you're set to Preferred, it will go encrypted.

Thank you Ken.

Libin Varghese
Cisco Employee

Hi,

It appears the other side only allows TLS from senders with a trusted certificate.

Self-signed ESA demo certificates are for testing purposes only and it is recommended that you purchase a signed certificate for TLS from a trusted CA.

http://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118844-technote-esa-00.html

Regards,

Libin Varghese
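
Added example, not part of the thread and not Cisco code: a Python decoder for the packed OpenSSL error in the log line from the original post, assuming the pre-3.0 OpenSSL layout (8-bit library, 12-bit function, 12-bit reason). The name `decode_tls_error` is hypothetical. A reason of 1000 + n in the SSL library is TLS alert n received from the remote peer, which shows which side rejected the certificate.

```python
import re

# TLS alert descriptions (RFC 5246, section 7.2) that relate to certificates.
TLS_ALERTS = {
    40: "handshake_failure",
    42: "bad_certificate",
    43: "unsupported_certificate",
    44: "certificate_revoked",
    45: "certificate_expired",
    46: "certificate_unknown",
    48: "unknown_ca",
}
SSL_AD_REASON_OFFSET = 1000  # OpenSSL adds this to the number of a received alert
ERR_LIB_SSL = 20             # 0x14, printed as "SSL routines"

LOG_RE = re.compile(r"\((\d+), 'error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):([^']*)'\)")

# The log line quoted in the original post.
SAMPLE = ("TLS failed: (336151574, 'error:14094416:SSL routines:"
          "SSL3_READ_BYTES:sslv3 alert certificate unknown')")


def decode_tls_error(line):
    """Return the decoded fields of a 'TLS failed:' line, or None if no match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    code = int(m.group(1))
    if code != int(m.group(2), 16):
        raise ValueError("decimal and hex error codes disagree")
    # Assumed packing (OpenSSL before 3.0): lib << 24 | func << 12 | reason.
    lib, func, reason = (code >> 24) & 0xFF, (code >> 12) & 0xFFF, code & 0xFFF
    # Alert numbers are one byte, so alert reasons fall in 1000..1255.
    is_alert = lib == ERR_LIB_SSL and 0 <= reason - SSL_AD_REASON_OFFSET <= 255
    alert = reason - SSL_AD_REASON_OFFSET if is_alert else None
    return {
        "lib": lib, "func": func, "reason": reason,
        "func_name": m.group(4),
        "alert": alert,
        "alert_name": TLS_ALERTS.get(alert, "unknown") if is_alert else None,
        "sent_by_peer": is_alert,  # the alert was read from the wire
    }


if __name__ == "__main__":
    print(decode_tls_error(SAMPLE))
```
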

Thanks for your answer, Libin. We will check the signed certificate.

Regards.