
Cisco Email Security Appliance

ESA FAQ: How do you prevent negotiations for null or anonymous ciphers?

Document ID: 117864

Updated: Feb 19, 2015

Contributed by Jai Gill and Robert Sherwin, Cisco TAC Engineers.


Introduction

This document describes how to alter the Cisco Email Security Appliance (ESA) and Cisco Security Management Appliance (SMA) cipher settings in order to prevent negotiations for null or anonymous ciphers.

Prerequisites

Requirements

Cisco recommends that you have knowledge of these topics:

  • Cisco ESA
  • Cisco SMA

Components Used

The information in this document is based on all versions of the Cisco ESA and Cisco SMA.

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.

How do you prevent negotiations for null or anonymous ciphers?

ESA

By default, the ESA Transport Layer Security (TLS) configuration allows Secure Sockets Layer Version 2 (SSLv2) and ciphers below 128 bits. You can modify the ciphers that are used on the ESA with the sslconfig CLI command.

In order to prevent ESA negotiations for null or anonymous ciphers, enter the sslconfig command into the ESA CLI and apply these settings:

  • Inbound SMTP method: sslv3tlsv1
  • Inbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH
  • Outbound SMTP method: sslv3tlsv1
  • Outbound SMTP ciphers: MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH

Here is an example configuration for inbound ciphers:

CLI: > sslconfig

sslconfig settings:
  GUI HTTPS method:  sslv3tlsv1
  GUI HTTPS ciphers: RC4-SHA:RC4-MD5:ALL
  Inbound SMTP method:  sslv3tlsv1
  Inbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL
  Outbound SMTP method:  sslv3tlsv1
  Outbound SMTP ciphers: RC4-SHA:RC4-MD5:ALL

Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit inbound SMTP ssl settings.
- OUTBOUND - Edit outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
[]> inbound

Enter the inbound SMTP ssl method you want to use.
1. SSL v2.
2. SSL v3
3. TLS v1
4. SSL v2 and v3
5. SSL v3 and TLS v1
6. SSL v2, v3 and TLS v1
[5]> 3

Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL]> MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH

Edit the GUI, INBOUND, and OUTBOUND settings as needed so that each uses the desired method and cipher list.

Tip: SSL Version 3.0 (RFC 6101) is an obsolete and insecure protocol. SSLv3 is affected by the vulnerability CVE-2014-3566, known as the Padding Oracle On Downgraded Legacy Encryption (POODLE) attack, Cisco bug ID CSCur27131. The recommendation is to disable SSLv3 while you change the ciphers and use TLS only, which means selecting option 3 (TLS v1) for the method. Review Cisco bug ID CSCur27131 for complete details.

SMA

The sslconfig command is not available for the Cisco SMA, so you must complete these steps from the CLI in order to modify the SSL ciphers:

  1. Save the SMA configuration file to your local computer.

  2. Open the XML file.

  3. Search for the <ssl> section in the XML:

    <ssl>
      <ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
      <ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
      <ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
      <ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
      <ssl_gui_method>sslv3tlsv1</ssl_gui_method>
      <ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
    </ssl>

  4. Modify the ciphers as desired and save the XML:

    <ssl>
      <ssl_inbound_method>tlsv1</ssl_inbound_method>
      <ssl_inbound_ciphers>MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH</ssl_inbound_ciphers>
      <ssl_outbound_method>tlsv1</ssl_outbound_method>
      <ssl_outbound_ciphers>MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH</ssl_outbound_ciphers>
      <ssl_gui_method>tlsv1</ssl_gui_method>
      <ssl_gui_ciphers>MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH</ssl_gui_ciphers>
    </ssl>

  5. Load the new configuration file onto the SMA.

  6. Submit and commit all changes.
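
The following script is an added example, not Cisco's code or part of this document. It audits the <ssl> section of an exported SMA configuration (the XML edited in steps 3 and 4 above) for methods that still allow SSLv2/SSLv3 and cipher strings that do not exclude null or anonymous suites, then rewrites the section to the values this document recommends for both the ESA and SMA. The <config> root element and the helper names are assumptions; the element names and values come from the snippet above.

```python
import xml.etree.ElementTree as ET
HARDENED_METHOD = "tlsv1"
HARDENED_CIPHERS = "MEDIUM:HIGH:-SSLv2:-aNULL:@STRENGTH"

# Constructed sample: step 3's default <ssl> section under a hypothetical <config> root.
SAMPLE_CONFIG = """<config>
  <ssl>
    <ssl_inbound_method>sslv3tlsv1</ssl_inbound_method>
    <ssl_inbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_inbound_ciphers>
    <ssl_outbound_method>sslv3tlsv1</ssl_outbound_method>
    <ssl_outbound_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_outbound_ciphers>
    <ssl_gui_method>sslv3tlsv1</ssl_gui_method>
    <ssl_gui_ciphers>RC4-SHA:RC4-MD5:ALL</ssl_gui_ciphers>
  </ssl>
</config>"""
def cipher_findings(cipher_string):
    """Reasons an OpenSSL-style cipher string still admits null or anonymous suites."""
    tokens = [t for t in cipher_string.split(":") if t]
    excluded = {t.lstrip("-!").lower() for t in tokens if t[0] in "-!"}
    findings = []
    # OpenSSL's ALL keeps anonymous DH suites, so they must be removed explicitly.
    if "anull" not in excluded:
        findings.append("anonymous (aNULL) suites not excluded")
    if "sslv2" not in excluded:
        findings.append("SSLv2 suites not excluded")
    if any(t.upper() in ("ENULL", "NULL") or t.upper().startswith("NULL-") for t in tokens):
        findings.append("NULL-encryption suites explicitly enabled")
    return findings

def method_findings(method):
    # Flag protocol versions in a *_method value that this document says to turn off.
    return [f"{m} enabled" for m in ("sslv2", "sslv3") if m in method.lower()]

def ssl_elements(xml_text):
    # Return (root, [method and cipher elements under <ssl>]) for the exported XML.
    root = ET.fromstring(xml_text)
    ssl = root if root.tag == "ssl" else root.find("ssl")
    return root, [e for e in ssl if e.tag.endswith(("_method", "_ciphers"))]

def audit(xml_text):
    # Map each method/cipher element name to its findings (empty list = clean).
    report = {}
    for el in ssl_elements(xml_text)[1]:
        check = method_findings if el.tag.endswith("_method") else cipher_findings
        report[el.tag] = check(el.text or "")
    return report

def harden(xml_text):
    """Rewrite every method/cipher element to the values this document recommends."""
    root, elements = ssl_elements(xml_text)
    for el in elements:
        el.text = HARDENED_METHOD if el.tag.endswith("_method") else HARDENED_CIPHERS
    return ET.tostring(root, encoding="unicode")
```

Run audit() on the saved configuration before and after the edit in step 4; a clean result is one where every element maps to an empty list.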