Cisco Support Community

BUG #CSCur27131 - Evaluation of CVE-2014-3566 on Cisco Email Security Appliance

I have raised a support case with TAC to try and get more information on the preferred config as well as what ciphers then become available. Points raised in the support case are as follows:

  • Current config based on existing article pre-POODLE > MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
  • Should the new config be > MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:@STRENGTH

Use of @STRENGTH means that the ciphers are ordered and presented strongest to weakest, as negotiation should occur at the first mutually accepted cipher.

  • What are the TLSv1 ciphers used by IronPort? (verify under the sslconfig CLI appears only to list SSL ciphers)
  • Finally, does IronPort support, or plan to support in the future, TLSv1.1 and TLSv1.2 ciphers?

Response from TAC so far is the same as the referenced article - https://tools.cisco.com/bugsearch/bug/CSCur27131 - which doesn't address all my points.

Paul

Negating SSLv2 and SSLv3 in the cipher suite has no effect as long as only TLSv1 is enabled.

And reordering ciphers by strength won't bring anything, since the client's cipher order will always be preferred.

Also, MD5 should be disabled as it's widely considered too weak for the job.

My recommendation would be to use the following suite > HIGH:MEDIUM:!aNULL:!MD5
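The cipher strings quoted in both posts above are written in OpenSSL's cipher-string syntax, and what `-SSLv3`, `@STRENGTH` and `!MD5` actually change is easiest to see by expanding them. The script below is an added example, not code from the thread or from Cisco. It uses Python's `ssl` module, which hands the string to OpenSSL's own parser, to expand Paul's pre-POODLE string, his proposed `-SSLv3` variant, and Nicolas's recommendation, and to show the one point worth separating out: the `SSLv3` keyword in a cipher string selects suites by the protocol version that first defined them, while refusing the SSLv3 protocol (the actual POODLE fix) is a different setting. Assumptions: a reasonably recent OpenSSL build (which suites exist, and whether any MD5 suite is present at all, depends on the build; RC4-MD5 only appears in old builds), and `tls_only_context` is an assumed mapping of the appliance's "TLSv1 only" setting onto Python's API, not anything the ESA exposes.

```python
import ssl

# Cipher strings quoted in the thread: Paul's pre-POODLE string, his proposed
# -SSLv3 variant, and Nicolas's recommendation.
PRE_POODLE = "MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH"
NO_SSLV3 = "MEDIUM:HIGH:-SSLv2:-SSLv3:-aNULL:@STRENGTH"
RECOMMENDED = "HIGH:MEDIUM:!aNULL:!MD5"


def expand(cipher_string):
    """Resolve an OpenSSL cipher string to (name, protocol, strength_bits)
    triples in the order the server would offer them.

    TLS 1.3 suites are dropped because OpenSSL 1.1.1+ lists them regardless
    of the cipher string (they are configured separately). A string that
    matches nothing (OpenSSL's "no cipher match") yields []."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    return [(c["name"], c["protocol"], c["strength_bits"])
            for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def md5_suites(cipher_string):
    """Names of suites in the expansion that use MD5 as their MAC."""
    return [name for name, _, _ in expand(cipher_string) if "MD5" in name]


def sslv3_era_suites(cipher_string):
    """Suites OpenSSL tags as 'SSLv3', i.e. first defined for SSL 3.0 (for
    example the plain RSA AES-CBC-SHA1 suites). These are exactly what
    '-SSLv3' removes; the tag says nothing about which protocol version
    the server will actually negotiate, so this is not a POODLE fix."""
    return [name for name, proto, _ in expand(cipher_string) if proto == "SSLv3"]


def strength_ordered(cipher_string):
    """True if the expansion is in non-increasing strength_bits order, which
    is what @STRENGTH guarantees for the server's own preference list."""
    bits = [b for _, _, b in expand(cipher_string)]
    return all(a >= b for a, b in zip(bits, bits[1:]))


def tls_only_context(cipher_string):
    """Refuse SSLv3 (and SSLv2) at the protocol layer and apply the cipher
    string separately. Assumed analogue of the appliance's 'TLSv1 only'
    setting; note that a modern OpenSSL security level may still refuse a
    TLS 1.0 handshake even though the minimum is set this low."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1
    ctx.set_ciphers(cipher_string)
    return ctx


if __name__ == "__main__":
    for label, cs in (("pre-POODLE", PRE_POODLE), ("-SSLv3", NO_SSLV3),
                      ("recommended", RECOMMENDED)):
        suites = expand(cs)
        print(f"{label:12} {cs}")
        print(f"  {len(suites)} suites, strength-ordered={strength_ordered(cs)}, "
              f"MD5 suites={md5_suites(cs)}, "
              f"SSLv3-era suites={len(sslv3_era_suites(cs))}")
        for name, proto, bits in suites[:5]:
            print(f"    {name:32} {proto:8} {bits} bits")
    ctx = tls_only_context(RECOMMENDED)
    print("minimum protocol version:", ctx.minimum_version.name)
```

Running it shows that `-SSLv2` changes nothing (there are no SSLv2 suites left to remove, and an unknown keyword is ignored), that `-SSLv3` strips every suite tagged `SSLv3` while leaving the server still willing to speak the SSLv3 protocol unless `minimum_version` (or the appliance's protocol setting) says otherwise, and that `@STRENGTH` only sorts the server's own list, which matters exactly when the server, not the client, gets preference.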

Nicolas,

Thanks for your response.

Paul
