Cisco Support Community
SSL/TLS ciphers of an SMA (M-series) appliance

So SMA does not include the sslconfig CLI command. We cannot reconfigure SSL/TLS ciphers as we do for ESA (C-series) appliances. Once I got instructions from TAC support telling me that I must download the config file from the SMA, edit those cipher parameters manually and then upload it back to the appliance. Is this still the only way to do it with SMA 8.1.1, 8.3.0 and 8.3.5?

If we download the config file and make the changes, can we use the sslconfig CLI command and its VERIFY subcommand on an ESA appliance to verify that a planned cipher set would surely work on an SMA appliance? I think I might be interested in the cipher set

MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH


Is the proper parameter to be changed named ssl_gui_ciphers? Does it cover only the management web GUI or also the spam quarantine web GUI? Not interested in STARTTLS SMTP ciphers at this point. As a default, those SSL ciphers are set as:


  <ssl>
    <ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
    <ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
    <ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
    <ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
    <ssl_gui_method>sslv3tlsv1</ssl_gui_method>
    <ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
  </ssl>


After fixing a locally downloaded config file and loading it back to the SMA, will the config file load require a reboot? Are our safelists/blocklists, logs, message tracking, scheduled reports and spam quarantine content safe, so that we will not lose anything? All we plan to change in the config file are the cipher settings.

Testing an SMA spam quarantine HTTPS service with the Qualys SSL Labs test service opened my eyes on this case:

https://www.ssllabs.com/ssltest/analyze.html

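The cipher strings in the post (the appliance default `RC4-SHA:RC4-MD5:ALL` and the proposed `MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH`) use OpenSSL's cipher-list grammar, so their effect can be checked offline before touching the appliance config. The script below is an added example, not Cisco/AsyncOS code and not what sslconfig VERIFY runs: it hands each string to the OpenSSL that the local Python is linked against, lists the suites selected, and flags suites a reviewer would not want offered on a management or quarantine GUI. The expansion therefore reflects the local OpenSSL version (modern builds omit RC4 entirely, for example), not exactly what an AsyncOS build would offer; the WEAK_MARKERS table and the helper names are this example's own assumptions.

```python
"""Expand OpenSSL cipher strings with the local OpenSSL and flag weak suites.

Added example, not Cisco/AsyncOS code. The ssl module passes the string to
whichever OpenSSL Python is linked against, so the result shows the grammar's
semantics, not the exact suite list an SMA build would offer.
"""
import ssl

# Strings taken from the post: the appliance default and the proposed set.
DEFAULT_CIPHERS = "RC4-SHA:RC4-MD5:ALL"
PROPOSED_CIPHERS = "MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH"

# Substrings of OpenSSL suite names that should not be offered on an HTTPS
# management interface, with the reason. This table is an assumption of the
# example, not an OpenSSL or Cisco definition.
WEAK_MARKERS = {
    "NULL": "no encryption or no authentication",
    "ADH": "anonymous DH: no server authentication",
    "AECDH": "anonymous ECDH: no server authentication",
    "EXP": "export-grade key size",
    "RC4": "RC4 stream cipher",
    "MD5": "MD5-based MAC",
    "DES-CBC-SHA": "single DES",
    "CBC3": "triple DES, 64-bit block",
}


def expand(cipher_string):
    """Return the pre-TLS1.3 suite names OpenSSL selects for cipher_string,
    in offer order. Returns [] when OpenSSL rejects the string (no match)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return []
    # TLS 1.3 suites are configured separately and are unaffected by the string.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def weak_suites(suites):
    """Map each suite whose name carries a weak marker to the reason."""
    flagged = {}
    for name in suites:
        for marker, reason in WEAK_MARKERS.items():
            if marker in name:
                flagged[name] = reason
                break
    return flagged


def diff_cipher_strings(before, after):
    """Return (removed, added) suite sets when moving from one string to another."""
    old, new = set(expand(before)), set(expand(after))
    return old - new, new - old


def report(label, cipher_string):
    """Print a summary for one cipher string and return (suites, flagged)."""
    suites = expand(cipher_string)
    flagged = weak_suites(suites)
    print(f"{label}: {cipher_string}")
    print(f"  {len(suites)} suites selected, {len(flagged)} flagged")
    for name, reason in flagged.items():
        print(f"    {name:32} {reason}")
    return suites, flagged


if __name__ == "__main__":
    report("default ", DEFAULT_CIPHERS)
    report("proposed", PROPOSED_CIPHERS)
    removed, added = diff_cipher_strings(DEFAULT_CIPHERS, PROPOSED_CIPHERS)
    print(f"removed by the change: {sorted(removed)}")
    print(f"added by the change:   {sorted(added)}")
```

Two points the expansion makes visible, both from the OpenSSL ciphers(1) grammar: `ALL` excludes only the eNULL suites, so the default string also offers anonymous DH suites, which `-aNULL` in the proposed string drops; and on the OpenSSL 1.0.x generation `MEDIUM` is where the 128-bit RC4 suites live, so `MEDIUM:HIGH` keeps RC4-SHA and RC4-MD5 rather than removing them. Note also that `-` only removes suites from the list built so far (a later rule can add them back), whereas `!` removes them permanently; a string of the form `HIGH:!aNULL:!eNULL:!RC4:!MD5:@STRENGTH` (an assumption here, not a Cisco recommendation) is the usual way to express "strong suites only". The list is what OpenSSL would offer; whether a suite is actually negotiable also depends on the certificate key type and the build's security level, so the SSL Labs scan remains the authoritative check after the config is loaded.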
