I was wondering if anyone else has been seeing TLS errors on incoming email to an ESA on 8.0.0-617? The senders report this error "(Certificate rejected over TLS. (wrong cipher returned))" and in my logs I see this:
This has caused email from critical partners to fail since it is a perm failure.
I tracked the issue down to a cipher mismatch in the TLS implementation. When you view the full list of ciphers that the ESA supports, the first two in the list are only defined in TLS v1.2 (2008). The problem is that the ESA's TLS implementation doesn't include any TLS extensions past v1.0 (2005). In fact, the "Cisco" OpenSSL version is based on 0.9.8. (sigh)
What happens is the ESA advertises TLS v1.0 and then wants to use a cipher from v1.2 so some clients are freaking out because if you take the RFCs literally, this is a mismatch. I have verified that McAfee MTAs are exhibiting this behavior. I did contact TAC but they say no one has raised this issue before and it is not an RFC implementation error because "it doesn't matter what ciphers are used".
Has anyone else seen this error? As far as I can see if there is a mismatch the client will never successfully connect.
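To make the mismatch described above checkable, here is an added example (not code from the thread or from Cisco): it flags OpenSSL cipher names that only exist from TLS 1.2 onward (SHA256/SHA384 MACs, GCM/CCM AEAD modes) when they appear in a cipher list or are negotiated under an older protocol version. The cipher list and the (version, cipher) pairs are constructed sample values; the optional probe_starttls helper assumes a reachable SMTP host.

```python
import smtplib
import ssl

# Name fragments that only occur in suites defined for TLS 1.2 or later
# (RFC 5246 SHA-256 HMAC suites, RFC 5288/6655 GCM/CCM AEAD, RFC 7905 ChaCha20).
TLS12_ONLY_MARKERS = ("SHA256", "SHA384", "GCM", "CCM", "CHACHA20")

# Versions that predate those suites; a peer taking the RFCs literally will
# refuse them here, which matches the "wrong cipher returned" symptom.
PRE_TLS12_VERSIONS = ("SSLv3", "TLSv1", "TLSv1.1")


def is_tls12_only_cipher(cipher_name: str) -> bool:
    """True if this OpenSSL-style cipher name is defined only for TLS >= 1.2."""
    upper = cipher_name.upper()
    return any(marker in upper for marker in TLS12_ONLY_MARKERS)


def find_tls12_only(cipher_list: str) -> list:
    """Return the TLS 1.2-only entries of a colon-separated OpenSSL cipher list,
    e.g. the list shown by the ESA's sslconfig VERIFY operation."""
    return [c for c in cipher_list.split(":") if c and is_tls12_only_cipher(c)]


def check_negotiation(version: str, cipher_name: str) -> str:
    """Classify what a peer actually negotiated: 'MISMATCH' when a TLS 1.2-only
    suite was selected under an older protocol version, otherwise 'OK'."""
    if version in PRE_TLS12_VERSIONS and is_tls12_only_cipher(cipher_name):
        return "MISMATCH"
    return "OK"


def probe_starttls(host: str, port: int = 25, timeout: float = 10.0) -> tuple:
    """Connect to a mail server, issue STARTTLS and report (version, cipher, verdict).
    Certificate validation is left at the default so an untrusted cert fails loudly
    instead of being confused with a cipher problem. Assumes 'host' is reachable."""
    ctx = ssl.create_default_context()
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.starttls(context=ctx)
        cipher_name, version, _bits = smtp.sock.cipher()
    return version, cipher_name, check_negotiation(version, cipher_name)


if __name__ == "__main__":
    # Constructed sample list: two TLS 1.2-only suites ahead of TLS 1.0-era ones.
    sample = "AES128-SHA256:AES256-SHA256:RC4-SHA:RC4-MD5:AES128-SHA"
    print("TLS 1.2-only entries:", find_tls12_only(sample))
    print(check_negotiation("TLSv1", "AES128-SHA256"))   # MISMATCH
    print(check_negotiation("TLSv1.2", "AES128-SHA256")) # OK
```

Running probe_starttls against your own MX from a modern client shows which version and suite are actually agreed, which is the quickest way to confirm whether the peer is in the failing case.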
The change below has fixed the issue for 8.0.1 customers, please let us know if we can help with anything else.
1. Log into the CLI of the ESA and issue the 'sslconfig' command:
GUI HTTPS method: sslv3tlsv1
GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
Inbound SMTP method: sslv3tlsv1
Inbound SMTP ciphers:
Outbound SMTP method: sslv3tlsv1
Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
2. When prompted for the operation to perform enter 'INBOUND'
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
3. When prompted for inbound SMTP ssl method to use enter '5'
Enter the inbound SMTP ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
4. When prompted for the ssl cipher you want to use paste in the following
Enter the inbound SMTP ssl cipher you want to use.
5. Press Enter to return to main menu
6. Repeat steps 1-5 and at step 2 specify OUTBOUND to apply the same settings to your outbound ciphers
7. Type commit to commit changes
I also see this error in TLS negotiations. My C670s are currently running in FIPS mode and I offer STARTTLS to most external SMTP servers. In a small percentage of connections the external SMTP server is able to do TLS but not any that are FIPS approved, most of the connections can then negotiate a plain text connection but some cannot and give errors very similar to the ones you listed. My only course of action is to get the external SMTP server admins to add a TLS cipher that the C670s will allow in FIPS mode: