Updated: April 1, 2020
This document describes how to enable Transport Layer Security version 1.0 (TLSv1.0) on the Cisco Email Security Appliance (ESA) and Cisco Cloud Email Security (CES) allocations.
How can you enable TLSv1.0 on the Cisco ESA and CES?
Note: Provisioned Cisco CES allocations have TLSv1.0 disabled by default, as per security requirements, because of the vulnerabilities that affect the TLSv1.0 protocol. This includes a cipher string that removes all usage of the SSLv3 shared cipher suite.
Caution: The SSL/TLS methods and ciphers are set based on the specific security policies and preferences of your company. For third-party information with regard to ciphers, refer to the Security/Server Side TLS Mozilla document for recommended server configurations and detailed information.
You can enable TLSv1.0 on your Cisco ESA or CES from either the Graphical User Interface (GUI) or the Command Line Interface (CLI).
Choose the operation you want to perform:
- GUI - Edit GUI HTTPS ssl settings.
- INBOUND - Edit Inbound SMTP ssl settings.
- OUTBOUND - Edit Outbound SMTP ssl settings.
- VERIFY - Verify and show ssl cipher list.
- CLUSTERSET - Set how ssl settings are configured in a cluster.
- CLUSTERSHOW - Display how ssl settings are configured in a cluster.
> INBOUND

Enter the inbound SMTP ssl method you want to use.
1. TLS v1.0
2. TLS v1.1
3. TLS v1.2
4. SSL v2
5. SSL v3
> 1-3

Enter the inbound SMTP ssl cipher you want to use.
[RC4-SHA:RC4-MD5:ALL:-aNULL:-EXPORT]>
ESAs and CES allocations can be configured with strict cipher suites. When you enable the TLSv1.0 protocol, it is important to ensure that SSLv3 ciphers are not blocked. Failure to allow the SSLv3 cipher suites results in TLS negotiation failures or abrupt TLS connection closures.
This cipher string stops the ESA/CES from allowing negotiation on SSLv3 ciphers, as indicated by !SSLv3:. This means that when the protocol is requested in the handshake, the SSL handshake fails because there are no shared ciphers available for negotiation.
For the sample cipher string to function with TLSv1.0, it must be modified to remove !SSLv3:!TLSv1:, as seen in the replaced cipher string:
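An added example, not part of the Cisco document or of AsyncOS: a Python check that flags a cipher string which excludes the SSLv3 or TLSv1 keywords while TLS v1.0 is among the enabled methods, and rebuilds the string without those tokens. The function names and the sample cipher string are constructed for illustration and are not the cipher strings this document refers to.

```python
import re

# Keywords named in this document: excluding either one leaves a TLSv1.0
# handshake with no shared cipher to negotiate.
LEGACY_KEYWORDS = ("SSLv3", "TLSv1")


def split_tokens(cipher_string):
    """Split an OpenSSL-style cipher string on ':', ',' or whitespace."""
    return [t for t in re.split(r"[:,\s]+", cipher_string.strip()) if t]


def blocking_tokens(cipher_string):
    """Return exclusion tokens ('!X' or '-X') that target the legacy keywords.

    Only exact tokens are matched; combined forms such as '!SSLv3+AES'
    are not analysed.
    """
    return [t for t in split_tokens(cipher_string)
            if t[0] in "!-" and t[1:] in LEGACY_KEYWORDS]


def audit(methods, cipher_string):
    """Compare the enabled methods (named as in the sslconfig menu) with the
    cipher string and report a mismatch that would break TLSv1.0."""
    blocked = blocking_tokens(cipher_string)
    if "TLS v1.0" in methods and blocked:
        return ("FAIL", blocked)
    return ("OK", [])


def without_blocking_tokens(cipher_string):
    """Rebuild the cipher string with the blocking tokens removed, order kept."""
    drop = set(blocking_tokens(cipher_string))
    return ":".join(t for t in split_tokens(cipher_string) if t not in drop)


if __name__ == "__main__":
    # Constructed sample, not a Cisco default or recommendation.
    strict = "HIGH:MEDIUM:!aNULL:!MD5:!SSLv3:!TLSv1:@STRENGTH"
    methods = ["TLS v1.0", "TLS v1.1", "TLS v1.2"]
    print(audit(methods, strict))
    relaxed = without_blocking_tokens(strict)
    print(relaxed, audit(methods, relaxed))
```

Run the audit against the method selection and cipher string of each listener (GUI, INBOUND, OUTBOUND) separately, since each is configured on its own.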