04-10-2018 10:31 PM - edited 03-08-2019 07:36 PM
Labels: Email Security
Accepted Solutions
04-12-2018 09:40 PM
Hi Matthew,
Issue is resolved,
GUI is accessible after enabling the TLSv1.1 & TLSv1.2 for WEBUI.
Regards,
Neel Mehta

04-11-2018 08:16 PM
Could you try a different browser and see if it returns any availability of access?
Also, by SSLv3 I assume the protocol on the checkboxes for GUI?
Please ensure you have valid ciphers available to allow negotiation as well.
Regards,
Matthew
04-11-2018 09:36 PM
Hi Matthew,
Yes, I have checked on multiple browsers. These are SMA devices, and I have disabled SSLv3 for all four services: EUQ, WEBUI, LDAP, UPDATER. I tried to re-enable it with only the WEBUI service, but the issue persists even after enabling it for all the services. Yes, it's giving an error for ciphers after enabling for all the services; however, I haven't made any changes to the ciphers, I simply disabled SSLv3 for all the services.
Regards,
Neel Mehta

04-11-2018 09:46 PM
When attempting to log in now (even with SSLv3 enabled) it's giving you an SSL type error on the browser?
Could you try to clear any cache and cookies and re-try?
Regards,
Matthew
04-11-2018 10:00 PM
Hi Matthew,
Please find the below error given by web browser, after deleting all the history and cookies.
This site can’t provide a secure connection
XXX.XXX.XXX.XXX uses an unsupported protocol.
ERR_SSL_VERSION_OR_CIPHER_MISMATCH
Regards,
Neel Mehta

04-11-2018 10:07 PM
It seems the SSL configuration may not be properly committing for the services required.
Are you able to use the CLI and mail the configuration to yourself?
Within that XML check the sslconfig and verify:
<ssl>
<ssl_inbound_method>tlsv1_0tlsv1_1tlsv1_2</ssl_inbound_method>
<ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_inbound_ciphers>
<ssl_outbound_method>tlsv1_0tlsv1_1tlsv1_2</ssl_outbound_method>
<ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_outbound_ciphers>
<ssl_gui_method>tlsv1_0tlsv1_1tlsv1_2</ssl_gui_method>
<ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_gui_ciphers>
</ssl>
<gui_ssl_tls_versions>
<gui_ssl_tls_version>TLSv1.0</gui_ssl_tls_version>
</gui_ssl_tls_versions>
(this is my lab device on version 11)
Regards,
Matthew
04-11-2018 10:20 PM
Hi Matthew,
Please find below mentioned SSL Configuration.
<ssl>
<ssl_inbound_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_inbound_method>
<ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_inbound_ciphers>
<ssl_outbound_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_outbound_method>
<ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_outbound_ciphers>
<ssl_gui_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_gui_method>
<ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_gui_ciphers>
</ssl>
<gui_ssl_tls_versions>
<gui_ssl_tls_version>TLSv1.0</gui_ssl_tls_version>
<gui_ssl_tls_version>SSLv3.0</gui_ssl_tls_version>
</gui_ssl_tls_versions>
Note: This is an old configuration file, as I don't know how to check through CLI for current configuration.
Regards,
Neel Mehta

04-11-2018 10:25 PM
You can go on your SMA CLI -> mailconfig (or showconfig and press any key until you find the ssl part, but that will take longer).
So your old config had both SSLv3 and TLS1 for it - the cipher was pretty lax as well.
If the current config after commits shows differently you could consider XML editing and re-pasting the configuration back in.
Otherwise; if possible as it -may- get complex; if you can open a TAC case and share access to the SMA, it would help in that regard.
From what I can see the SSL config in your configuration file (old one) would work fine.
Regards,
matthew
04-11-2018 10:40 PM
Hi Matthew
Please find the current configuration below:
<ssl>
<ssl_inbound_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_inbound_method>
<ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_inbound_ciphers>
<ssl_outbound_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_outbound_method>
<ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_outbound_ciphers>
<ssl_gui_method>tlsv1</ssl_gui_method>
<ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_gui_ciphers>
</ssl>
<gui_ssl_tls_versions>
<gui_ssl_tls_version>TLSv1.0</gui_ssl_tls_version>
</gui_ssl_tls_versions>
Regards,
Neel Mehta

04-11-2018 10:52 PM
It looks like your SMA is set to use TLS1.0 for GUI.
Your browsers however, it seems it may not be negotiating SSL (TLSv1) properly if it's generating that error.
This cipher list is allowing a lot of available ciphers for negotiation, but if the protocol negotiation fails we may not get to this stage.
Can you verify what happens if you re-enable SSLv3 for WebUI like your older config?
Once done, press enter a few times and commit; then retry.
I'm using the latest Firefox on my PC with SMA allowing TLSv1 only and it's operational on my end.
Regards,
matthew
04-12-2018 09:40 PM
Hi Matthew,
Issue is resolved,
GUI is accessible after enabling the TLSv1.1 & TLSv1.2 for WEBUI.
Regards,
Neel Mehta
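
Added example, not part of the original thread and not Cisco code: a small offline audit of the `<ssl>` fragment from the "current configuration" post, which splits the concatenated method strings and reports services that offer only legacy protocols or list RC4 suites. The function names are hypothetical, and reading a bare `tlsv1` as TLS 1.0 follows the reply in the thread and is an assumption.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the <ssl> fragment from the "current configuration" post.
SAMPLE = """<ssl>
<ssl_inbound_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_inbound_method>
<ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_inbound_ciphers>
<ssl_outbound_method>sslv3tlsv1_0tlsv1_1tlsv1_2</ssl_outbound_method>
<ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_outbound_ciphers>
<ssl_gui_method>tlsv1</ssl_gui_method>
<ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT</ssl_gui_ciphers>
</ssl>"""

# Method tokens as they appear, concatenated, in the posted fragments.
# Assumption: a bare "tlsv1" means TLS 1.0, as the reply in the thread reads it.
TOKEN = re.compile(r"sslv3|tlsv1_[012]|tlsv1")
NAMES = {"sslv3": "SSLv3", "tlsv1": "TLSv1.0", "tlsv1_0": "TLSv1.0",
         "tlsv1_1": "TLSv1.1", "tlsv1_2": "TLSv1.2"}
LEGACY = {"SSLv3", "TLSv1.0"}

def split_methods(value):
    """Split e.g. 'sslv3tlsv1_0tlsv1_2' into ['SSLv3', 'TLSv1.0', 'TLSv1.2']."""
    value = value.strip()
    tokens = TOKEN.findall(value)
    if "".join(tokens) != value:  # leftover characters: refuse to guess
        raise ValueError(f"unrecognised method string: {value!r}")
    return [NAMES[t] for t in tokens]

def audit(xml_text):
    """Return {service: [findings]} for the inbound, outbound and gui settings."""
    root = ET.fromstring(xml_text)
    report = {}
    for service in ("inbound", "outbound", "gui"):
        findings = []
        methods = split_methods(root.findtext(f"ssl_{service}_method", ""))
        # Drop whitespace so a cipher value wrapped across lines still parses.
        ciphers = "".join(root.findtext(f"ssl_{service}_ciphers", "").split())
        legacy = [m for m in methods if m in LEGACY]
        if legacy:
            findings.append("legacy protocols enabled: " + ", ".join(legacy))
        if not {"TLSv1.1", "TLSv1.2"} & set(methods):
            findings.append("no TLSv1.1/TLSv1.2 offered")
        rc4 = [c for c in ciphers.split(":") if c.startswith("RC4")]
        if rc4:
            findings.append("RC4 suites listed: " + ", ".join(rc4))
        report[service] = findings
    return report

if __name__ == "__main__":
    for service, findings in audit(SAMPLE).items():
        print(service, "->", findings or ["ok"])
```
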

04-12-2018 09:48 PM
Happy to hear you were able to resolve it :).
Regards,
matthew
04-12-2018 09:51 PM
Hi Matthew,
Thank you :D, and also thanks for your help in narrowing down the issue...
