Beginner

TLS Settings on Cisco C170

Hi,

I've set up TLS and a certificate on my Cisco C170. I've used https://www.checktls.com/TestReceiver and everything is OK and 100%, but I have a sender that is using Mimecast that seems to have this error when they're sending encrypted emails:

"Unable to negotiate Opportunistic TLS due to Received fatal alert: unknown_ca"

Is there something I need to change on the C170 device?

Thanks

7 REPLIES
Engager

Re: TLS Settings on Cisco C170

Is the cert on your ESA signed by a public CA?




Beginner

Re: TLS Settings on Cisco C170

Yes, it's signed by RapidSSL.

Cisco Employee

Re: TLS Settings on Cisco C170

Hello,

One thing to note would be that CheckTLS automatically rearranges (or corrects, if not already correct) your certificate chain. So that is one thing you'll want to confirm. You can check this by selecting the certificate on the ESA and then confirming the chain is in the correct order.

Correct chain example:

Server Certificate: esa1.abc.com issued by ca-int.xyz.com

Intermediate Certificate: ca-int.xyz.com issued by ca-root.xyz.com

Incorrect chain example:

Server Certificate: esa1.abc.com issued by ca-int.xyz.com

Intermediate Certificate: ca-root.xyz.com issued by ca-root.xyz.com

If the chain is correct, then it is most likely one of two things: either the ESA does not trust the Mimecast CA, or Mimecast does not trust the ESA CA.

Thanks!

-Dennis M.

 

 

Beginner

Re: TLS Settings on Cisco C170

Not sure if I got this right:
Certificate 1 of 3 in chain: Cert VALIDATED: ok
subject= /CN=*(Wildcard domain name)
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/
CN=RapidSSL RSA CA 2018
Certificate 2 of 3 in chain: Cert VALIDATED: ok
Not Valid Before: Nov 6 12:23:33 2017 GMT
Not Valid After: Nov 6 12:23:33 2027 GMT
subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
Certificate 3 of 3 in chain: Cert VALIDATED: ok
Not Valid Before: Nov 10 00:00:00 2006 GMT
Not Valid After: Nov 10 00:00:00 2031 GMT
subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
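Added example, not code from Cisco, CheckTLS or anyone in this thread: a small Python checker for the chain-order rule Dennis describes (each certificate's issuer must equal the subject of the next certificate), run over a CheckTLS-style report like the one pasted above. The sample reports are constructed: the first reproduces the pasted output with the wildcard CN replaced by a placeholder domain, the second reproduces the "incorrect chain" mistake (root listed before the intermediate) so the checker has something to flag.

```python
"""Check the order of a certificate chain as printed in a CheckTLS-style
report ('subject= / issuer=' lines), so that an out-of-order or self-signed
chain is spotted before a validating sender reports unknown_ca."""
import re

HEADER = re.compile(r"^Certificate (\d+) of (\d+) in chain")

# Constructed sample: the report pasted in the thread, wildcard CN replaced
# by a placeholder domain. One issuer DN wraps onto the next line, as in
# the original paste.
GOOD_REPORT = """\
Certificate 1 of 3 in chain: Cert VALIDATED: ok
subject= /CN=*.example.com
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/
CN=RapidSSL RSA CA 2018
Certificate 2 of 3 in chain: Cert VALIDATED: ok
Not Valid Before: Nov 6 12:23:33 2017 GMT
Not Valid After: Nov 6 12:23:33 2027 GMT
subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
Certificate 3 of 3 in chain: Cert VALIDATED: ok
subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
"""

# Constructed sample of the mistake described in the thread: the root is
# listed second and the intermediate third, so the chain no longer links.
SWAPPED_REPORT = """\
Certificate 1 of 3 in chain: Cert VALIDATED: ok
subject= /CN=*.example.com
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018
Certificate 2 of 3 in chain: Cert VALIDATED: ok
subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
Certificate 3 of 3 in chain: Cert VALIDATED: ok
subject= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=RapidSSL RSA CA 2018
issuer= /C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
"""


def parse_chain(report):
    """Return [{'subject': dn, 'issuer': dn}, ...] in the order listed."""
    certs = []
    field = None  # which DN a wrapped continuation line belongs to
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        if HEADER.match(line):
            certs.append({"subject": "", "issuer": ""})
            field = None
        elif not certs:
            continue  # text before the first certificate header
        elif line.startswith("subject="):
            field = "subject"
            certs[-1][field] = line[len("subject="):].strip()
        elif line.startswith("issuer="):
            field = "issuer"
            certs[-1][field] = line[len("issuer="):].strip()
        elif line.startswith("Not Valid"):
            field = None  # validity dates end any wrapped DN
        elif field is not None:
            certs[-1][field] += line  # DN continued on the next line
    return certs


def chain_problems(report):
    """Return a list of human-readable problems; empty means the chain links."""
    certs = parse_chain(report)
    if not certs:
        return ["no certificates found in report"]
    problems = []
    leaf = certs[0]
    if leaf["subject"] == leaf["issuer"]:
        problems.append("certificate 1 is self-signed; a sender that validates "
                        "against public CAs will not trust it")
    for i in range(len(certs) - 1):
        issuer, next_subject = certs[i]["issuer"], certs[i + 1]["subject"]
        if issuer != next_subject:
            problems.append(
                f"certificate {i + 1} was issued by '{issuer}' but certificate "
                f"{i + 2} is '{next_subject}': chain is out of order or incomplete")
    return problems


if __name__ == "__main__":
    for name, report in (("pasted report", GOOD_REPORT), ("swapped chain", SWAPPED_REPORT)):
        print(name, "->", chain_problems(report) or "chain order OK")
```

Because CheckTLS reorders the chain before validating, a clean report does not prove the ESA sends the chain in that order; run the check against the chain as it is actually configured on the ESA. Omitting the self-signed root from the sent chain is normal and is not reported as a problem here, since a validating sender must already hold that root in its own store.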
Participant

Re: TLS Settings on Cisco C170

Please ask your customer to open a ticket with Mimecast and ask them to disable certificate verification for your domain.

Had this twice in the last 36 months; don't know why, but this is the only workaround possible.

Cisco Employee

Re: TLS Settings on Cisco C170

What does the output show on the ESA itself? Can you share a screenshot?

 

Thanks!

-Dennis M.

Participant

Re: TLS Settings on Cisco C170

Mimecast does cert validation, which requires the hostnames, cert names and trusts to be correctly aligned. Since they only have a subset of CA chains in their store, we had to ask them to disable some of those features for us in the past.
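Added example, not code from Mimecast, Cisco or anyone in this thread: the hostname side of the alignment described above, checked in Python. A validating sender connects to the MX hostname and expects it to be covered by a name in the receiving certificate, with a wildcard allowed only as the whole leftmost label and matching exactly one label. The certificate names and MX hostnames below are constructed placeholders, not the poster's.

```python
"""Check that the MX hostnames a sender connects to are covered by the DNS
names in the receiving certificate, using the usual wildcard rule."""


def hostname_matches(cert_names, hostname):
    """True if hostname is covered by one of the certificate's DNS names
    (SAN entries, or the CN as a fallback). Matching is case-insensitive;
    '*' is honoured only as the entire leftmost label and matches exactly
    one label, so '*.example.com' covers mail.example.com but neither
    example.com nor a.b.example.com. A '*' anywhere else is taken literally."""
    host = hostname.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*."):
            suffix = name[1:]  # ".example.com"
            if host.endswith(suffix):
                prefix = host[: -len(suffix)]
                if prefix and "." not in prefix:
                    return True
    return False


def uncovered_hosts(mx_hosts, cert_names):
    """Return the MX hostnames that no certificate name covers; a validating
    sender would refuse TLS to these even if the chain itself is trusted."""
    return [h for h in mx_hosts if not hostname_matches(cert_names, h)]


# Constructed sample: a wildcard certificate like the poster's, and the MX
# hosts a sender might be handed for the domain.
CERT_NAMES = ["*.example.com", "example.com"]
MX_HOSTS = ["mx1.example.com", "MX2.Example.com.", "smtp.mail.example.com",
            "mail.example.net"]

if __name__ == "__main__":
    for host in MX_HOSTS:
        print(f"{host:25} covered={hostname_matches(CERT_NAMES, host)}")
    print("uncovered:", uncovered_hosts(MX_HOSTS, CERT_NAMES))
```

The two hosts it reports are the ones a name-validating sender would reject: one sits a label too deep for the wildcard, the other is in a different domain altogether. Fixing those on the receiving side (a certificate that names every MX host) avoids asking the sender to switch validation off.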
