Just an update. We had to add back in :DES on our Outbound SMTP. Had a mail server that we could not sent to and they wouldn't check their ciphers. What security cipher impact will I have by allowing DES again.
I'll give that a shot. Not sure of what the other system is running. The person I'm dealing with is "hell bent" on it's a Cisco problem not be able to "train down" from TLS1.2 to TLSv1. Tried to explain many times that it was a cipher problem, but got the typical "My system, my rule" game.
Normally what I've been doing is grepping the ip address and then doing a grep on the icid and it will show a "no shared cipher" error. I take a sceenshot and email it to them. Most of the time that works.
The error that I was seeing in my logs was "Network Error". As soon as I put in 3DES in my ciphers, I was able to send TLS to them. I don't want to have 3DES in the cipher as the one that I was using was very secure. Just trying to find out the impact of have 3DES on.
I did see those errors as well but also saw the "no shared cipher" error. I'm a cipher newb and don't know much about all this stuff. Still learning.
SSLLabs has a document and it states:
3DES provides about 112 bits of security. This is below the recommended minimum of 128 bits, but it’s still strong enough. A bigger practical problem is that 3DES is much slower than the alternatives. Thus, we don’t recommend it for performance reasons, but it can be kept at the end of the cipher list for interoperability with very old clients.
Thanks for the info. No expert on ciphers either. I know that I was able to pass our PCI testing with the ciphers that I posted here. Not sure now what's going to happen on the next scan. Probably have to create an exception, which sucks.
I have it at the end of my allowed ciphers, but until this other site upgrades the mail product so that it supports TLS1.2 or better ciphers, I guess I'm stuck having 3DES for now.
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin...
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...