TLS Method and Ciphers for GUI

04-10-2018 12:57 PM - edited 03-08-2019 07:36 PM
We are currently updating the ciphers we use on our ESAs and SMAs. This question is specific to the GUI. I want to make sure that when our security group scans our devices with Qualys, nothing shows up for TLS 1.0 or SSLv3 on port 443 (GUI). We have the method set to TLS 1.2 only. With that set, I set the ciphers to begin with as:
HIGH:!SSLv2:!SSLv3:-eNULL:-aNULL:-EXPORT:@STRENGTH
The issue I have is unless I remove the !SSLv3, Firefox (52.7.2) will not connect to the server.
An error occurred during a connection to xxxx.xxxxxx.net. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
IE and Chrome are fine.
This seems to be the case for both the ESA and SMA. If I remove the -SSLv3, it seems to work fine. What are the recommended settings for an ESA currently for the GUI portion (inbound and outbound TLS are a whole other animal)?
When I do a verify for that cipher setting on the ESA, it gives me:
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
DH-DSS-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
DH-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DH-RSA-AES256-SHA256
DH-DSS-AES256-SHA256
AES256-GCM-SHA384
AES256-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
DH-DSS-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
DH-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
DH-RSA-AES128-SHA256
DH-DSS-AES128-SHA256
AES128-GCM-SHA256
AES128-SHA256
Labels: Email Security

04-10-2018 09:39 PM
Removing SSLv3 availability for the GUI should stop SSLv3 as a protocol from being used. I assume that with "!SSLv3" it could be that one of the SSLv3 ciphers is being requested by Firefox, but you had removed them from the list completely.
Whereas -SSLv3 can still allow it to be negotiated (the cipher, not the SSLv3 protocol).
https://www.openssl.org/docs/manmaster/man1/ciphers.html#CIPHER_LIST_FORMAT
Regards,
Matthew
