01-20-2017 06:08 AM
Hi all,
Maybe I'm wrong, but I have a question regarding the SSL configuration that can be made on an ESA.
1. As far as I understood the information from this Technote, "PFS on ESA", it is not possible to have ECDHE cipher suites working on the incoming listeners, only on outgoing ones. This means, on the other hand, that TLS encryption between two ESAs will not be capable of using ECDHE for key exchange.
Note: The ESA acting as TLS server (inbound traffic) currently does not support Elliptic Curve Diffie Hellman for Key Exchange (ECDHE) and Elliptic Curve Digital Signature Algorithm (ECDSA) Certificates.
2. This would be OK if I had the possibility to use a higher DH group than 2 for DHE cipher suites. In other words, the currently enabled Server Temporary Key Size is 1024 bits, which is considered breakable.
Questions:
1. Is there any plan to enable ECDHE for inbound connections in future?
2. Where can I change the DH group?
Regards,
Marijo
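An added example, not part of this thread or of Cisco's ESA tooling, for checking from the outside what a listener actually negotiates: it drives `openssl s_client -starttls smtp` (real flags) against an SMTP host, optionally restricted to an "ECDHE" or "DHE" cipher string, and parses the "Server Temp Key" and "Cipher" lines to report the key exchange and flag a finite-field DHE parameter below 2048 bits. The hostnames, the 2048-bit floor and the sample output excerpts are assumptions and constructed samples, not values from the thread.

```python
import re
import subprocess

MIN_DH_BITS = 2048  # assumed policy floor for finite-field DHE parameters

# Lines printed by `openssl s_client` (1.0.2 and later) that carry the verdict
CIPHER_RE = re.compile(r"^\s*Cipher\s*:\s*(\S+)", re.M)
TEMP_KEY_RE = re.compile(r"Server Temp Key:\s*(DH|ECDH|X25519|X448)(?:,\s*([\w-]+))?,\s*(\d+) bits")

def assess_s_client_output(text):
    """Classify the key exchange seen in s_client output.
    Returns a dict with cipher, kex, bits, ok and reason."""
    cipher_m = CIPHER_RE.search(text)
    cipher = cipher_m.group(1) if cipher_m else None
    if cipher in (None, "0000"):  # s_client prints 0000 when no session was set up
        return {"cipher": None, "kex": None, "bits": 0, "ok": False,
                "reason": "no TLS session established (offered cipher list rejected?)"}
    key_m = TEMP_KEY_RE.search(text)
    if key_m is None:  # static RSA key exchange: no forward secrecy at all
        return {"cipher": cipher, "kex": "static", "bits": 0, "ok": False,
                "reason": "no ephemeral key: no forward secrecy"}
    kex, bits = key_m.group(1), int(key_m.group(3))
    if kex == "DH" and bits < MIN_DH_BITS:
        return {"cipher": cipher, "kex": kex, "bits": bits, "ok": False,
                "reason": f"DHE parameters {bits} bits below {MIN_DH_BITS}"}
    return {"cipher": cipher, "kex": kex, "bits": bits, "ok": True, "reason": ""}

def probe_smtp_listener(host, port=25, cipher_list=None, timeout=15):
    """Run a STARTTLS handshake against host:port and assess it.
    cipher_list (e.g. "ECDHE" or "DHE") restricts what the client offers, so a
    failed handshake means the listener supports none of those suites."""
    cmd = ["openssl", "s_client", "-starttls", "smtp", "-connect", f"{host}:{port}"]
    if cipher_list:
        cmd += ["-cipher", cipher_list]
    proc = subprocess.run(cmd, input=b"QUIT\r\n", capture_output=True, timeout=timeout)
    return assess_s_client_output(proc.stdout.decode("utf-8", "replace"))

# Constructed excerpt of s_client output for the 1024-bit DHE case from the question
SAMPLE_DHE_1024 = """\
Server Temp Key: DH, 1024 bits
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-GCM-SHA384
    Cipher    : DHE-RSA-AES256-GCM-SHA384
"""
# Constructed excerpt for an ECDHE-capable listener
SAMPLE_ECDHE = "Server Temp Key: ECDH, P-256, 256 bits\n    Cipher    : ECDHE-RSA-AES128-GCM-SHA256\n"
```

Against a TLS 1.3-capable server the `-cipher` string does not restrict TLS 1.3 suites, so add `-tls1_2` to the command to force the negotiation this thread is about.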
01-20-2017 07:58 AM
Hi Marijo,
Both queries are currently being reviewed by the development team as part of the below feature requests.
1.
ENH add support for ECDHE for Inbound SMTP
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuz60071/?reffering_site=dumpcr
2.
Allow regenerate DH-2048, 4096 bit Diffie Hellman Safe Prime / dhparam
https://bst.cloudapps.cisco.com/bugsearch/bug/CSCux76085/?reffering_site=dumpcr
Neither currently has an ETA; however, you can add yourself to be notified once there is a fix or further workaround available.
Thanks
Libin Varghese
01-23-2017 02:35 AM
Hi Libin,
Thanks for your answer. I've subscribed to the bugs you've mentioned.
Regards,
Marijo