(ICID 4423790) TLS failed. Reason: (336151575, 'error:14094417:SSL routines:SSL3_READ_BYTES:sslv3 alert illegal parameter').

Jason Meyer
Level 1

I am getting this error in the mail_logs on just a few incoming connections... After this error the connection is lost and the sending SMTP server is unable to send e-mail to us.

Any idea what this is and how I correct it?

I am running two clustered C670s on 8.0.0-671 and I have most incoming connections set to prefer TLS, not require.

I am still digging up the details...

7 Replies

Stephan Bayer
Cisco Employee

Hi Jason,

This is an issue in AsyncOS 8.0 that can be fixed via the following process. We are simply specifying which encryption cipher to use.

tarheel.rtp> sslconfig

sslconfig settings:
  GUI HTTPS method:  sslv3tlsv1
  GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
  Inbound SMTP method:  sslv3tlsv1
  Inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
  Outbound SMTP method:  sslv3tlsv1
  Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> inbound

Enter the inbound SMTP ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[5]>

Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256

sslconfig settings:
  GUI HTTPS method:  sslv3tlsv1
  GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
  Inbound SMTP method:  sslv3tlsv1
  Inbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256
  Outbound SMTP method:  sslv3tlsv1
  Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]>

tarheel.rtp> commit

I've made this change and the TLS connections that were failing are now succeeding. Thank you.

Can you expand further on what this change is doing?

Prior to the change TLS connections using DHE-RSA-AES256-SHA were succeeding and that's what this server is using.

Also, we are not running in FIPS mode as of yet but will be attempting to enable it soon. I see in the documentation where if FIPS is enabled I can no longer modify sslconfig settings... Will manually changing this impact my ability to enable FIPS mode?

Thanks again.

Hi Jason,

This config is used to prevent null and anonymous ciphers from negotiating. You can apply this to the outbound or inbound cipher list. However, the workaround for this issue can be accomplished by simply denying these two specific ciphers:

DHE-RSA-AES256-SHA256

DHE-RSA-AES128-SHA256

If you also want to block null and anonymous ciphers and stick with ciphers above 128 bits, you can use this format:

"MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256"

If you just want to prevent the problem, you can define it like this:

"RC4-SHA:RC4-MD5:ALL:!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256"

As you can see, it's the default list RC4-SHA:RC4-MD5:ALL, minus the two troublesome ciphers DHE-RSA-AES256-SHA256 and DHE-RSA-AES128-SHA256.


Best regards,

Stephan
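A cipher string such as the ones above is only a rule set; the actual list of suites it resolves to depends on the OpenSSL build that interprets it, which is why it is worth expanding the string and checking the result before committing it on the appliance. The Python example below is added here and is not code from the thread or from Cisco; it uses the standard-library ssl module (which wraps the local OpenSSL, not AsyncOS's CiscoSSL) to expand both cipher strings Stephan quoted and report whether the two excluded suites leaked back in and whether any anonymous (Au=None) suites remain. The function names and the audit dictionary layout are my own.

```python
import ssl

# Cipher strings as quoted in the thread: the hardened list and the
# "default minus the two troublesome ciphers" list.
HARDENED = ("MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH"
            ":!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256")
DEFAULT_MINUS_TWO = ("RC4-SHA:RC4-MD5:ALL"
                     ":!DHE-RSA-AES256-SHA256:!DHE-RSA-AES128-SHA256")
TROUBLESOME = ("DHE-RSA-AES256-SHA256", "DHE-RSA-AES128-SHA256")


def expand_cipher_string(spec):
    """Resolve an OpenSSL cipher string against the local OpenSSL build.

    Returns the ordered list of cipher dicts that OpenSSL would offer for
    this string (the same data `openssl ciphers -v` prints). Unknown
    names in the string, e.g. RC4 suites on a build without RC4, are
    ignored by OpenSSL; set_ciphers() only raises if nothing matches.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return ctx.get_ciphers()


def audit_cipher_string(spec, must_exclude=TROUBLESOME):
    """Summarise what a cipher string actually enables.

    leaked    - suites from must_exclude that are still present
    anonymous - suites with no server authentication (OpenSSL marks
                them "Au=None" in the cipher description)
    below_128 - suites whose negotiated strength is under 128 bits
    """
    ciphers = expand_cipher_string(spec)
    names = [c["name"] for c in ciphers]
    return {
        "count": len(names),
        "names": names,
        "leaked": [n for n in must_exclude if n in names],
        "anonymous": [c["name"] for c in ciphers
                      if "Au=None" in c["description"]],
        "below_128": [c["name"] for c in ciphers
                      if c["strength_bits"] < 128],
    }


def report(spec):
    """Print a one-screen audit of a cipher string (helper for manual use)."""
    result = audit_cipher_string(spec)
    print("cipher string:", spec)
    print("  suites enabled:", result["count"])
    print("  excluded suites present:", result["leaked"] or "none")
    print("  anonymous suites:", result["anonymous"] or "none")
    print("  suites below 128 bits:", result["below_128"] or "none")
    return result


if __name__ == "__main__":
    print("local OpenSSL:", ssl.OPENSSL_VERSION)
    report(DEFAULT_MINUS_TWO)
    report(HARDENED)
```

On a typical build the default-based string shows the difference Stephan describes: the two DHE SHA256 suites are gone, but anonymous ADH/AECDH suites still appear because ALL includes aNULL, whereas the MEDIUM:HIGH:-aNULL form removes them. Run the same check against the appliance's own CiphersSSL version (sslconfig's VERIFY operation) rather than trusting a workstation's OpenSSL, since the resolved list differs between releases.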

Hey Stephan,

Is that cipher list and format from OpenSSL, following this doc?  http://www.openssl.org/docs/apps/ciphers.html

If that is OpenSSL, do you know what version of OpenSSL AsyncOS for ESA 8.0 is using? 

Ken

Hi Ken,

OpenSSL> version

CiscoSSL.0.9.8r.2.2

OpenSSL>

Hope this helps.

Regards,

Stephan

This fixed an issue with others sending to me and getting 554 Certificate rejected over TLS. (wrong cipher returned).

Greg,

Glad to hear it helped - we always appreciate the feedback.

Stephan
