07-25-2013 06:32 AM
I am getting this error in the mail_logs on just a few incoming connections... After this error the connection is lost and the sending SMTP server is unable to send e-mail to us.
Any idea what this is and how I correct it?
I am running two clustered C670s on 8.0.0-671 and I have most incoming connections set to prefer TLS, not require.
I am still digging up the details...
07-25-2013 07:01 AM
Hi Jason,
This is an issue in AsyncOS 8.0 that can be fixed via the following process. We are simply specifying which encryption cipher to use.
tarheel.rtp> sslconfig
sslconfig settings:
GUI HTTPS method: sslv3tlsv1
GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
Inbound SMTP method: sslv3tlsv1
Inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
Outbound SMTP method: sslv3tlsv1
Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> inbound
Enter the inbound SMTP ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[5]>
Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256
sslconfig settings:
GUI HTTPS method: sslv3tlsv1
GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
Inbound SMTP method: sslv3tlsv1
Inbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256
Outbound SMTP method: sslv3tlsv1
Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]>
tarheel.rtp> commit
07-25-2013 08:19 AM
I've made this change and the TLS connections that were failing are now succeeding. Thank you.
Can you expand further on what this change is doing?
Prior to the change TLS connections using DHE-RSA-AES256-SHA were succeeding and that's what this server is using.
Also, we are not running in FIPS mode as of yet but will be attempting to enable it soon, I see in the documentation where if FIPS is enabled I can no longer modify sslconfig settings... Will manually changing this impact my ability to enable FIPS mode?
Thanks again.
07-25-2013 08:59 AM
Hi Jason,
This config is used to prevent null and anonymous ciphers from negotiating. You can apply this to the outbound or inbound cipher list. However, the workaround for this issue can be accomplished by simply denying these two specific ciphers.
DHE-RSA-AES256-SHA256
DHE-RSA-AES128-SHA256
If you also want to block null and anonymous ciphers and stick with ciphers above 128 bits, you can use this format.
"MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256"
If you just want to prevent the problem, you can define it like this:
"RC4-SHA:RC4-MD5:ALL:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256"
As you can see, it's the default list RC4-SHA:RC4-MD5:ALL, minus the two troublesome ciphers DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256.
Best regards,
Stephan
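To see what the two cipher strings in this post actually select, here is an added example (my own code, not Cisco's or OpenSSL's) that resolves OpenSSL-style cipher strings against a small constructed cipher table. The table, its key sizes and tags are assumptions chosen to illustrate the keywords from the ciphers(1) page; it shows that the "just fix it" variant keeps SSLv2 and anonymous suites while the MEDIUM:HIGH variant drops them, and how `!` differs from `-`.

```python
# Constructed cipher table (an assumption, not OpenSSL's real list):
# cipher name -> (key bits, tags). Tags mirror ciphers(1) keywords.
CIPHERS = {
    "RC4-SHA":               (128, {"MEDIUM", "aRSA", "kRSA"}),
    "RC4-MD5":               (128, {"MEDIUM", "aRSA", "kRSA"}),
    "DES-CBC3-MD5":          (168, {"HIGH", "aRSA", "kRSA", "SSLv2"}),
    "ADH-AES256-SHA":        (256, {"HIGH", "aNULL", "kEDH"}),
    "DHE-RSA-AES256-SHA256": (256, {"HIGH", "aRSA", "kEDH", "TLSv1.2"}),
    "DHE-RSA-AES128-SHA256": (128, {"HIGH", "aRSA", "kEDH", "TLSv1.2"}),
    "DHE-RSA-AES256-SHA":    (256, {"HIGH", "aRSA", "kEDH"}),
    "AES128-SHA":            (128, {"HIGH", "aRSA", "kRSA"}),
}


def _matches(word):
    """Ciphers selected by one word: ALL, an exact cipher name, or a tag keyword."""
    if word == "ALL":
        return list(CIPHERS)
    if word in CIPHERS:
        return [word]
    return [name for name, (_, tags) in CIPHERS.items() if word in tags]


def resolve(spec):
    """Return the ordered cipher list a cipher string selects.

    No prefix appends; '-' removes (can be re-added later); '!' removes
    permanently; '+' moves to the end; '@STRENGTH' sorts by key size.
    """
    chosen, killed = [], set()
    for word in spec.split(":"):
        if not word:                       # tolerate an empty field such as a trailing ':'
            continue
        if word == "@STRENGTH":
            chosen.sort(key=lambda c: CIPHERS[c][0], reverse=True)  # stable sort
            continue
        op, name = (word[0], word[1:]) if word[0] in "!-+" else ("", word)
        hits = _matches(name)
        if op == "!":
            killed.update(hits)
        if op in ("!", "-"):
            chosen = [c for c in chosen if c not in hits]
        elif op == "+":
            chosen = [c for c in chosen if c not in hits] + [c for c in chosen if c in hits]
        else:
            chosen += [c for c in hits if c not in chosen and c not in killed]
    return chosen


def weak_left(spec):
    """Anonymous or SSLv2 suites that a cipher string still allows."""
    return [c for c in resolve(spec) if CIPHERS[c][1] & {"aNULL", "SSLv2"}]
```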
07-25-2013 09:10 AM
Hey Stephan,
Is that cipher list and format from OpenSSL, following this doc? http://www.openssl.org/docs/apps/ciphers.html
If that is OpenSSL, do you know what version of OpenSSL AsyncOS for ESA 8.0 is using?
Ken
07-29-2013 03:03 PM
Hi Ken,
OpenSSL> version
CiscoSSL.0.9.8r.2.2
OpenSSL>
Hope this helps.
Regards,
Stephan
11-12-2013 10:16 AM
This fixed an issue with others sending to me and getting 554 Certificate rejected over TLS. (wrong cipher returned).
11-13-2013 10:38 AM
Greg,
Glad to hear it helped - we always appreciate the feedback.
Stephan