TLS Method vs Cipher

Tony Kilbarger
Level 1

I have a question involving TLS. When setting up the SSL configuration, let's say for inbound email, we can set which methods to use, then we can set a cipher string. In the methods I can choose to enable SSLv3 or not to. Then in the cipher string itself I can choose to include -SSLv3 to not use SSLv3. What is the difference between disabling it in the Method or in the Cipher string? The results definitely look different. For example, if I include -SSLv3 in the Cipher, I no longer get email from AOL in TLS. This is regardless of whether it is on or off in the Method. If I remove the -SSLv3 (even without SSLv3 checked as a method) it comes in with TLS; I see "TLS success protocol TLSv1 cipher AES256-SHA". Note it says TLSv1, not SSLv3... What am I missing?

3 Replies

Libin Varghese
Cisco Employee

SSLv3 ciphers are used by method SSLv3 and TLSv1.

So removing SSLv3 ciphers prevents TLS negotiation using both methods.

Starting with TLSv1.2, it had its own set of ciphers and did not rely on SSLv3 ciphers.

Regards

Libin Varghese

Thanks Libin, one more question. One step further. I also see in our logs email from another domain (aetna.com) that shows this:

DCID 5720101 TLS success protocol TLSv1.2 cipher AES256-SHA. So is that cipher also valid in TLSv1.2?

We would like to disable anything SSLv3, but I don't want to break enforced TLS connections.

Disabling SSLv3 should not be a problem; however, disabling SSLv3 ciphers would prevent TLSv1 negotiations.

TLSv1.2 has its own set of dedicated ciphers, and this can be verified using the command sslconfig -> verify.

Regards,

Libin Varghese
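Added example, not from this thread or from Cisco: a small Python model of OpenSSL cipher-list evaluation run over a constructed excerpt of `openssl ciphers -v` output. It shows why `-SSLv3` in the cipher string removes AES256-SHA (tagged SSLv3 in that listing because the suite was first defined for SSLv3, not because it negotiates SSLv3) and so leaves a TLSv1-only peer with nothing in common, while unchecking the SSLv3 method alone leaves those suites available to TLSv1. The suite list, protocol tags, peer offer and the evaluator's rules are simplified assumptions.

```python
"""Simplified OpenSSL cipher-list semantics. The protocol column of
`openssl ciphers -v` is the version a suite was first defined for, not the
protocol that will be negotiated with it, so "-SSLv3" also strips the
suites a TLSv1 peer depends on."""

# Constructed excerpt in the format of `openssl ciphers -v` (assumed subset).
SAMPLE_CIPHERS_V = """\
ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-GCM-SHA384           TLSv1.2 Kx=RSA  Au=RSA Enc=AESGCM(256) Mac=AEAD
AES256-SHA256               TLSv1.2 Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA256
AES256-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(256)    Mac=SHA1
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
DES-CBC3-SHA                SSLv3   Kx=RSA  Au=RSA Enc=3DES(168)   Mac=SHA1
"""

def parse_ciphers_v(text):
    """Return [(name, protocol_tag)] in the order OpenSSL lists them."""
    return [(f[0], f[1]) for f in (line.split() for line in text.splitlines()) if len(f) >= 2]

def apply_cipher_string(cipher_string, suites=None):
    """Evaluate a cipher string with OpenSSL's basic rules: a bare token appends
    matching suites, '-' removes them (they may be re-added later), '!' removes
    them permanently, '+' moves them to the end. Keywords: ALL and protocol tags."""
    suites = suites if suites is not None else parse_ciphers_v(SAMPLE_CIPHERS_V)
    selected, killed = [], set()
    for token in cipher_string.split(":"):
        op, word = (token[0], token[1:]) if token and token[0] in "-!+" else ("", token)
        hits = [n for n, p in suites if word in ("ALL", n, p)]
        if op == "":
            selected += [n for n in hits if n not in selected and n not in killed]
        elif op == "-":
            selected = [n for n in selected if n not in hits]
        elif op == "!":
            killed.update(hits)
            selected = [n for n in selected if n not in hits]
        else:
            kept = [n for n in selected if n not in hits]
            selected = kept + [n for n in selected if n in hits]
    return selected

def common_suites(local_cipher_string, peer_offers):
    """Suites shared between our evaluated list and a peer's (constructed) offer."""
    return [n for n in apply_cipher_string(local_cipher_string) if n in peer_offers]

# Constructed: a peer that speaks at most TLSv1 can only offer pre-1.2 suites.
TLSV1_ONLY_PEER = ["AES256-SHA", "AES128-SHA", "DES-CBC3-SHA"]

if __name__ == "__main__":
    print(common_suites("ALL", TLSV1_ONLY_PEER))         # TLSv1 peer still negotiates AES256-SHA
    print(common_suites("ALL:-SSLv3", TLSV1_ONLY_PEER))  # [] -> nothing left for a TLSv1-only peer
```

Running the real `openssl ciphers -v 'ALL:-SSLv3'` on the appliance's OpenSSL build gives the authoritative list, since the protocol tags vary between OpenSSL versions.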