cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1063
Views
0
Helpful
9
Replies

TLS Ciphers used by C670 running 8.5.6-063 in FIPS mode?

Jason Meyer
Level 1
Level 1

Can someone provide me the list of TLS ciphers that a C670 running 8.5.6-063 in FIPS mode supports?

 

I'm getting some:

Wed Jul 16 08:54:00 2014 Info: ICID 66350440 TLS failed: (336151538, 'error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message'

 

errors that I would like to begin troubleshooting.

 

thanks, 

 

Jason

9 Replies 9

rajett
Cisco Employee
Cisco Employee

8.5.6 does not support FIPS. It's only supported on the 7.3.x (using a X1070F appliance) or on the 8.0.2 (using any supported appliance) versions of AsyncOS.

 

Use the sslconfig command to choose ciphers you wish to use.

 

Raymond

My appliances are running version 8.5.6-063 are are in FIPS mode, see below:

(Machine removed)> sslconfig

This command is restricted to "cluster" mode.  Would you like to switch to "cluster" mode? [Y]>

sslconfig settings:
  GUI HTTPS method:  tlsv1
  GUI HTTPS ciphers: FIPS
  Inbound SMTP method:  tlsv1
  Inbound SMTP ciphers: FIPS
  Outbound SMTP method:  tlsv1
  Outbound SMTP ciphers: FIPS:-aNULL

You cannot change server and client methods and cipher suites in the FIPS 140-2 compliance mode.

(Cluster IronPort_Cluster)> version

This command is restricted to "machine" mode.  Would you like to switch to "machine" mode? [Y]>

Choose a machine.
1. removed (group Main_Group)
2. removed (group Main_Group)
[1]>

Current Version
===============
Product: Cisco IronPort C670 Messaging Gateway(tm) Appliance
Model: C670
Version: 8.5.6-063
Build Date: 2014-05-23

 

I'd like to know what TLS ciphers these appliances can negotiate, please.

Please see page 24-2

 

http://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa8-0-2/user_guide/ESA_8-0-2_User_Guide.pdf

 

SSL Ciphers
. Only the following SSL ciphers are supported in FIPS mode:

It states "Only the following SSL ciphers are supported in FIPS mode: AES256-SHA:AES128-SHA:DES-CBC3-SHA"

Thank you for the link, that helps.  However, I am seeing the following TLS ciphers used by my appliance and connections successfully established with the following:

AES128-SHA

DHE-RSA-AES256-SHA

DHE-RSA-AES128-SHA

ADH-AES256-SHA

AES256-SHA

DES-CBC3-SHA

 

Is this correct or do I have a problem?

8.0.2 has the FIPSCHECK command that will verify if you have anything that is non-compliant set up. You could try disabling FIPS, make sure that only the supported ciphers are enabled and then go back to FIPS mode.

If that doesn't work you might need to contact TAC about help with a downrev.

Hmm, FIPSCHECK is an unknown command on 8.5.6.

 

 

I believe you already got an answer back on this with the direct support case that was opened... but just to verify and follow-up on the forums side... without FIPS enabled, you can run sslconfig > verify and get the following output for FIPS:-aNULL

 

[]> FIPS:-aNULL

 

DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1

DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1

AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1

DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1

DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1

AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1

EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1

EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1

DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1

-Robert

OK, but doesn't enabling FIPS mode change the TLS ciphers that the appliance uses?

Correct - once you do enable FIPS mode - it changes the ciphers to the FIPS cipher suite --- this is just the verification of that suite.  With FIPS enabled, you cannot run the verify option against it... 

> sslconfig

sslconfig settings:
  GUI HTTPS method:  tlsv1
  GUI HTTPS ciphers: FIPS
  Inbound SMTP method:  tlsv1
  Inbound SMTP ciphers: FIPS
  Outbound SMTP method:  tlsv1
  Outbound SMTP ciphers: FIPS:-aNULL

You cannot change server and client methods and cipher suites in the FIPS 140-2 compliance mode.

So - outside of FIPS mode enabled - that is the string return against the FIPS cipher suite.

-Robert

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: