We are currently updating our Ciphers we use on our ESA's and SMA's. This question is specific to the GUI. I want to make sure when our security group scans our devices with Qualys that nothing shows up for TLS1.0 or SSLv3 on port 443 (GUI). We have the method set to TLS1.2 only. With that set, I set the ciphers to begin with as:
HIGH:!SSLv2:!SSLv3:-eNULL:-aNULL:-EXPORT:@STRENGTH
The issue I have is unless I remove the !SSLv3, Firefox (52.7.2) will not connect to the server.
An error occurred during a connection to xxxx.xxxxxx.net. Cannot communicate securely with peer: no common encryption algorithm(s). Error code: SSL_ERROR_NO_CYPHER_OVERLAP
IE and Chrome are fine.
This seems to be the case for both the ESA and SMA. If I remove the -SSLv3, it seems to work fine. What are the recommended settings for an ESA currently for the GUI portion (inbound and outbound TLS are a whole other animal)?
When I do a verify for that cipher setting on the ESA, it gives me:
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-ECDSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-ECDSA-AES256-SHA384
DH-DSS-AES256-GCM-SHA384
DHE-DSS-AES256-GCM-SHA384
DH-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-GCM-SHA384
DHE-RSA-AES256-SHA256
DHE-DSS-AES256-SHA256
DH-RSA-AES256-SHA256
DH-DSS-AES256-SHA256
AES256-GCM-SHA384
AES256-SHA256
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-ECDSA-AES128-SHA256
DH-DSS-AES128-GCM-SHA256
DHE-DSS-AES128-GCM-SHA256
DH-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-SHA256
DHE-DSS-AES128-SHA256
DH-RSA-AES128-SHA256
DH-DSS-AES128-SHA256
AES128-GCM-SHA256
AES128-SHA256