Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

Just an update.  We had to

Just an update.  We had to add back in :DES on our Outbound SMTP.  Had a mail server that we could not sent to and they wouldn't check their ciphers.  What security cipher impact will I have by allowing DES again.

Thanks,

Doug

Community Member

I've had 4 external companies

I've had 4 external companies I've had to work with now due to "no shared cipher" problems.  Most all of them were running Exchange 2007 on Server 2003.  

Having them run this patch will enable them to handshake using AES128-SHA or AES256-SHA

https://support.microsoft.com/en-us/kb/948963

I'm seeing the following when they send to my Gmail account:

version=TLS1 cipher=DES-CBC3-SHA bits=112/168
Community Member

I'll give that a shot.  Not

I'll give that a shot.  Not sure of what the other system is running.  The person I'm dealing with is "hell bent" on it's a Cisco problem not be able to "train down" from TLS1.2 to TLSv1.  Tried to explain many times that it was a cipher problem, but got the typical "My system, my rule" game.

Community Member

Normally what I've been doing

Normally what I've been doing is grepping the ip address and then doing a grep on the icid and it will show a "no shared cipher" error.  I take a sceenshot and email it to them.  Most of the time that works.

Community Member

The error that I was seeing

The error that I was seeing in my logs was "Network Error".  As soon as I put in 3DES in my ciphers, I was able to send TLS to them.  I don't want to have 3DES in the cipher as the one that I was using was very secure.  Just trying to find out the impact of have 3DES on.

Community Member

I did see those errors as

I did see those errors as well but also saw the "no shared cipher" error.  I'm a cipher newb and don't know much about all this stuff.  Still learning.

SSLLabs has a document and it states:

3DES provides about 112 bits of security. This is below the recommended minimum of 128 bits, but it’s still strong enough. A bigger practical problem is that 3DES is much slower than the alternatives. Thus, we don’t recommend it for performance reasons, but it can be kept at the end of the cipher list for interoperability with very old clients.

Highlighted
Community Member

Thanks for the info.  No

Thanks for the info.  No expert on ciphers either.  I know that I was able to pass our PCI testing with the ciphers that I posted here.  Not sure now what's going to happen on the next scan.  Probably have to create an exception, which sucks.

I have it at the end of my allowed ciphers, but until this other site upgrades the mail product so that it supports TLS1.2 or better ciphers, I guess I'm stuck having 3DES for now.

1883
Views
0
Helpful
21
Replies
CreatePlease to create content