
Cisco Email Security Appliance

ESA FAQ: How can you alter the ciphers that are used with SSL or TLS?

Document ID: 117855

Updated: Jun 26, 2014

Contributed by James Noad and Robert Sherwin, Cisco TAC Engineers.


Introduction

This document describes how to alter the ciphers that are used with Secure Socket Layer (SSL) or Transport Layer Security (TLS) on the Cisco Email Security Appliance (ESA).

How can you alter the ciphers that are used with SSL or TLS?

With AsyncOS, you can configure the SSL or TLS protocols and ciphers that are advertised for inbound and requested for outbound connections with the sslconfig command:

example.com (SERVICE)> sslconfig

sslconfig settings:
  inbound SMTP method:  sslv2sslv3tlsv1
  inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
  outbound SMTP method:  sslv2sslv3tlsv1
  outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:
- INBOUND - Edit inbound SMTP ssl settings.
- OUTBOUND - Edit outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> inbound

Enter the inbound SMTP ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[6]> 5

Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]>

sslconfig settings:
  inbound SMTP method:  sslv3tlsv1
  inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
  outbound SMTP method:  sslv2sslv3tlsv1
  outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:
- INBOUND - Edit inbound SMTP ssl settings.
- OUTBOUND - Edit outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]>

By default, the ESA allows three protocols: sslv2, sslv3, and tlsv1. Some users disable the sslv2 protocol because of its known weaknesses. In order to establish a TLS connection, both sides must have at least one enabled protocol in common and at least one enabled cipher in common.

When you look at the cipher list in the previous example, note why it shows two specific ciphers followed by the keyword ALL. ALL already includes those two ciphers, but the order of the entries in the cipher list determines preference: when a TLS connection is negotiated, the client picks the first cipher that both sides support, in the order in which it appears in the list.

By manipulating the list and its order, you can influence which cipher is chosen. In addition to listing specific ciphers or cipher groups, you can also have them sorted by strength by including @STRENGTH in the cipher string, as in this example:

Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
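To make the ordering rules above concrete, here is a small simplified model of how an OpenSSL-style cipher string such as RC4-SHA:RC4-MD5:ALL or MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH is turned into an ordered list. This is an added example, not code from the ESA or from OpenSSL; the cipher table, the strength thresholds (HIGH above 128 bits, MEDIUM at 128, everything else LOW) and the supported keywords are constructed assumptions for illustration.

```python
"""Simplified model of OpenSSL cipher-string evaluation, added as an example.
Supports names, ALL, HIGH/MEDIUM/LOW, SSLv2/SSLv3, aNULL, '-X' removal and @STRENGTH."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Cipher:
    name: str
    proto: str  # "SSLv2" or "SSLv3" (OpenSSL files TLSv1 suites under SSLv3)
    auth: str   # "RSA", or "None" for anonymous DH (what aNULL selects)
    bits: int   # symmetric key length, which decides HIGH/MEDIUM/LOW

# Constructed toy table in the order ALL appends them; not a real OpenSSL build's list.
CIPHERS = [
    Cipher("AES256-SHA", "SSLv3", "RSA", 256),
    Cipher("DES-CBC3-SHA", "SSLv3", "RSA", 168),
    Cipher("AES128-SHA", "SSLv3", "RSA", 128),
    Cipher("RC4-SHA", "SSLv3", "RSA", 128),
    Cipher("RC4-MD5", "SSLv3", "RSA", 128),
    Cipher("ADH-AES128-SHA", "SSLv3", "None", 128),
    Cipher("DES-CBC3-MD5", "SSLv2", "RSA", 168),
    Cipher("EXP-RC4-MD5", "SSLv2", "RSA", 40),
]

def matches(keyword: str, c: Cipher) -> bool:
    """Does one keyword (without a leading operator) select cipher c?"""
    if keyword == "ALL":
        return True  # ALL excludes only eNULL, which this table does not contain
    if keyword in ("HIGH", "MEDIUM", "LOW"):  # export-grade suites count as LOW here
        return keyword == ("HIGH" if c.bits > 128 else "MEDIUM" if c.bits == 128 else "LOW")
    if keyword in ("SSLv2", "SSLv3"):
        return c.proto == keyword
    if keyword == "aNULL":
        return c.auth == "None"
    return c.name == keyword

def evaluate(spec: str) -> list[str]:
    """Ordered cipher list produced by a spec such as 'MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH'."""
    result: list[Cipher] = []
    for token in spec.split(":"):
        if token == "@STRENGTH":
            result.sort(key=lambda c: -c.bits)  # stable sort: equal-strength ciphers keep order
        elif token.startswith("-"):
            result = [c for c in result if not matches(token[1:], c)]
        else:  # plain keyword: append new matches in table order, never re-add duplicates
            result += [c for c in CIPHERS if matches(token, c) and c not in result]
    return [c.name for c in result]

def first_common(advertised: list[str], peer_supports: set[str]):
    """First cipher in the advertised order that the peer also offers; None means no TLS."""
    return next((c for c in advertised if c in peer_supports), None)
```

Running evaluate() on the two strings from this document shows the difference in practice: with RC4-SHA:RC4-MD5:ALL the RC4 suites stay at the head of the list even though ALL would also have included them, while MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH drops the SSLv2 and anonymous suites and reorders what remains strongest first.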

Tip: Cisco recommends that you use RC4-SHA:RC4-MD5 because they are faster than many of the other ciphers that are included in the list.
