This document describes how to enable Transport Layer Security version 1.0 (TLSv1.0) on the Cisco Email Security Appliance (ESA) and Cisco Cloud Email Security (CES) allocations.
How can you enable TLSv1.0 on the Cisco ESA and CES?
Note: Cisco CES allocations are provisioned with TLSv1.0 disabled by default, as required by security policy because of the known vulnerabilities in the TLSv1.0 protocol. The provisioned cipher string likewise removes all use of the SSLv3 shared cipher suites.
Caution: The SSL/TLS methods and ciphers you set should follow the specific security policies and preferences of your company. For third-party guidance on ciphers, refer to the Mozilla Security/Server Side TLS document for recommended server configurations and detailed information.
You can enable TLSv1.0 on your Cisco ESA or CES from either the Graphical User Interface (GUI) or the Command Line Interface (CLI). In the CLI the relevant command is sslconfig; remember to commit the change afterwards, as with any ESA configuration change.
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
- CLUSTERSET - Set how ssl settings are configured in a cluster.
- CLUSTERSHOW - Display how ssl settings are configured in a cluster.
> INBOUND

Enter the inbound SMTP ssl method you want to use.
1. TLS v1.0
2. TLS v1.1
3. TLS v1.2
4. SSL v2
5. SSL v3
> 1-3

Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT]>
ESAs and CES allocations can be configured with strict cipher strings, so when you enable the TLSv1.0 protocol it is important to ensure the cipher string does not exclude the SSLv3 cipher suites. In OpenSSL cipher-string syntax the SSLv3 keyword selects the cipher suites introduced with SSLv3; TLSv1.0 and TLSv1.1 introduced no suites of their own, so those are the only suites a TLSv1.0 or TLSv1.1 connection can use, while the TLSv1.2 keyword selects the SHA-256 and AEAD suites that require TLSv1.2. Excluding the SSLv3 suites therefore leaves a TLSv1.0 client with no suite in common with the appliance, and the result is a TLS negotiation failure or an abrupt TLS connection closure rather than a fallback.

This cipher string stops the ESA/CES from negotiating SSLv3 cipher suites, as indicated by the !SSLv3: element. When TLSv1.0 is requested in the handshake, the SSL handshake fails because there are no shared ciphers available for negotiation.

In order for the sample cipher string to function with TLSv1.0, modify it to remove !SSLv3:!TLSv1:, as seen in the replaced cipher string. Leave the other exclusions in the string (such as the -aNULL and -EXPORT elements in the default) in place so that only the protocol-version restriction is lifted:
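The effect described above can be checked offline with the local OpenSSL before you touch the appliance. The following is an added example, not code from the Cisco document or from AsyncOS: it feeds a cipher string to OpenSSL through Python's ssl module, groups the resulting suites by the lowest protocol version that can use them, and applies the edit the text describes (dropping the !SSLv3 and !TLSv1 elements). The two cipher strings are constructed stand-ins of the same general shape as a provisioned CES string, not the exact strings from an allocation.

```python
"""Why a cipher string containing !SSLv3 cannot serve TLSv1.0 clients.

Added example, not code from the Cisco page. The cipher strings are
constructed for illustration (assumption: a provisioned CES string has
this general shape); substitute your appliance's real string.
"""
import ssl

# Constructed strict string, with the version exclusions the text discusses.
CES_STRICT = "HIGH:!SSLv3:!TLSv1:!aNULL:!eNULL:!EXPORT:!RC4:!MD5:!DES:!3DES"

# Elements that must be dropped for TLSv1.0/1.1 to have any usable suite.
VERSION_EXCLUSIONS = ("!SSLv3", "!TLSv1")


def suites_by_protocol(cipher_string):
    """Return {protocol: [suite names]} for the suites a cipher string enables.

    OpenSSL labels each suite with the lowest protocol that can use it:
    'SSLv3' for the suites shared by SSLv3, TLSv1.0 and TLSv1.1 (those two
    versions defined no suites of their own), 'TLSv1.2' for the SHA-256/AEAD
    suites, and 'TLSv1.3' for TLS 1.3 suites, which set_ciphers() does not
    control and which are therefore listed regardless of the string.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    grouped = {}
    for suite in ctx.get_ciphers():
        grouped.setdefault(suite["protocol"], []).append(suite["name"])
    return grouped


def tls10_usable(cipher_string):
    """Suites a TLSv1.0 or TLSv1.1 client could negotiate under this string."""
    return suites_by_protocol(cipher_string).get("SSLv3", [])


def allow_tls10(cipher_string):
    """Apply the edit from the text: remove !SSLv3 and !TLSv1, keep the rest.

    Every other exclusion (aNULL, EXPORT, RC4, MD5, ...) is left in place so
    only the protocol-version restriction is lifted.
    """
    kept = [elem for elem in cipher_string.split(":")
            if elem not in VERSION_EXCLUSIONS]
    return ":".join(kept)


def report(cipher_string):
    """One-line verdict per protocol family for a cipher string."""
    grouped = suites_by_protocol(cipher_string)
    old = len(grouped.get("SSLv3", []))
    new = len(grouped.get("TLSv1.2", []))
    verdict = "TLSv1.0 handshake fails: no shared cipher" if old == 0 else "TLSv1.0 can negotiate"
    return f"{cipher_string}\n  TLSv1.2-only suites: {new}\n  TLSv1.0/1.1 suites: {old} -> {verdict}"


if __name__ == "__main__":
    print(report(CES_STRICT))
    print(report(allow_tls10(CES_STRICT)))
```

Once the change is committed on the appliance, the sslconfig VERIFY operation shows the resulting cipher list, and an external check from a client such as openssl s_client -connect host:25 -starttls smtp -tls1 confirms whether a TLSv1.0 handshake completes. Recent OpenSSL builds refuse TLSv1.0 themselves at their default security level, so the test client may need -cipher 'DEFAULT:@SECLEVEL=0' before the result reflects the appliance rather than the client.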