Just an update. We had to add back in :DES on our Outbound SMTP. Had a mail server that we could not sent to and they wouldn't check their ciphers. What security cipher impact will I have by allowing DES again.
I'll give that a shot. Not sure of what the other system is running. The person I'm dealing with is "hell bent" on it's a Cisco problem not be able to "train down" from TLS1.2 to TLSv1. Tried to explain many times that it was a cipher problem, but got the typical "My system, my rule" game.
Normally what I've been doing is grepping the ip address and then doing a grep on the icid and it will show a "no shared cipher" error. I take a sceenshot and email it to them. Most of the time that works.
The error that I was seeing in my logs was "Network Error". As soon as I put in 3DES in my ciphers, I was able to send TLS to them. I don't want to have 3DES in the cipher as the one that I was using was very secure. Just trying to find out the impact of have 3DES on.
I did see those errors as well but also saw the "no shared cipher" error. I'm a cipher newb and don't know much about all this stuff. Still learning.
SSLLabs has a document and it states:
3DES provides about 112 bits of security. This is below the recommended minimum of 128 bits, but it’s still strong enough. A bigger practical problem is that 3DES is much slower than the alternatives. Thus, we don’t recommend it for performance reasons, but it can be kept at the end of the cipher list for interoperability with very old clients.
Thanks for the info. No expert on ciphers either. I know that I was able to pass our PCI testing with the ciphers that I posted here. Not sure now what's going to happen on the next scan. Probably have to create an exception, which sucks.
I have it at the end of my allowed ciphers, but until this other site upgrades the mail product so that it supports TLS1.2 or better ciphers, I guess I'm stuck having 3DES for now.
DocumentationPrerequisite and code download linksGoalLimitations/RestrictionsTopologyHow OpenDNS worksStep by Step ConfigurationUpgrade the router image to Polaris (16.3) or higher imageUpgrade rommomImport CA certificate to the trust poolGet the t...
DocumentationPrerequisite and code download linksGoalLimitations/RestrictionsTopologyHow OpenDNS worksStep by Step ConfigurationUpgrade the router image to Polaris (16.3) or higher imageUpgrade rommomImport CA certificate to the trust poolGet the token to...
Show Name: ASA/FTD Troubleshooting Enhancements and Cisco Live US 2018
Contributors: Kevin Klous, Jay Johnston, and Magnus Mortensen
Posting Date: June 2018
Description: The team discusses the recently released troubleshooting...