
SSL Encryption Settings

Hello,

I have a customer that is experiencing SSL failures to some Policy and PKI servers.  No network errors were evident; all traffic was successfully connecting through all equipment (MWG and MFE).  I found a possible error during SSL negotiation.  Web Gateways are configured to use TLS 1.2 / 1.1 / 1.0 & SSL 3.0; there is also a configuration for alternate handshake that only had SSL 3.0 selected.  I added TLS 1.0 to this configuration and the user reported that he was now able to connect successfully.  The only other difference I noted was in the main SSL encryption settings.  There is an encryption algorithm missing (!kEDH) that was found in the alternate config.  I think the better fix would be to add that algorithm to the primary SSL config, but I don’t understand why the default was configured this way.  Do you see any problem with adding the EDH to the primary SSL config?

[Attachment: Default Certificate Verification.PNG]

1 Solution

Accepted Solutions

Re: SSL Encryption Settings

It's the other way around: the primary config has EDH enabled but the second has it dropped by using the !-sign. The second setting provides weaker settings possibly to overcome old implementations which cannot deal with large cipher lists and new settings. You can check the resulting cipher list using "openssl ciphers -v 'ALL:!ADH:+RC4:@STRENGTH'".
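To make the effect of the `!` prefix concrete, here is an added example (not code from the thread, McAfee Web Gateway, or OpenSSL itself) that models the cipher-string rules described in openssl-ciphers(1) over a small constructed table of suites. The primary string is the one quoted in the answer; the alternate string is an assumption built from the original post's mention of `!kEDH`, since the full alternate string is not shown. It also contrasts `!` (permanent removal) with `-` (removal that a later keyword can undo), and `A+B` inside one keyword (logical AND).

```python
"""Model of OpenSSL cipher-string evaluation (added example, not MWG code).

The suite table below is constructed for illustration; a real OpenSSL build
has far more suites and its own preference order. Rule semantics follow the
openssl-ciphers(1) manual: a bare keyword appends matching suites, '-' deletes
them (they can be re-added later), '!' deletes them permanently, '+' moves them
to the end of the list, '@STRENGTH' sorts by key length, and 'A+B' inside one
keyword requires both A and B to match.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    name: str
    kx: str    # key exchange: RSA, DH (ephemeral), ECDH (ephemeral)
    auth: str  # authentication: RSA or None (anonymous)
    enc: str   # bulk cipher
    bits: int  # key length used by @STRENGTH


# Constructed sample table (hypothetical subset).
SUITES = [
    Suite("ECDHE-RSA-AES256-GCM-SHA384", "ECDH", "RSA", "AESGCM", 256),
    Suite("DHE-RSA-AES256-GCM-SHA384", "DH", "RSA", "AESGCM", 256),
    Suite("DHE-RSA-AES128-SHA", "DH", "RSA", "AES", 128),
    Suite("AES256-SHA", "RSA", "RSA", "AES", 256),
    Suite("AES128-SHA", "RSA", "RSA", "AES", 128),
    Suite("RC4-SHA", "RSA", "RSA", "RC4", 128),
    Suite("ADH-AES128-SHA", "DH", "None", "AES", 128),
    Suite("NULL-SHA", "RSA", "RSA", "None", 0),
]
NAMES = {s.name for s in SUITES}

# Cipher-string keywords -> predicate over a Suite (subset of openssl-ciphers(1)).
KEYWORDS = {
    "ALL": lambda s: s.enc != "None",
    "eNULL": lambda s: s.enc == "None",
    "aNULL": lambda s: s.auth == "None",
    "ADH": lambda s: s.kx == "DH" and s.auth == "None",
    "kEDH": lambda s: s.kx == "DH",      # every ephemeral-DH suite, anonymous included
    "kDHE": lambda s: s.kx == "DH",
    "EDH": lambda s: s.kx == "DH" and s.auth != "None",
    "DHE": lambda s: s.kx == "DH" and s.auth != "None",
    "kECDHE": lambda s: s.kx == "ECDH",
    "kRSA": lambda s: s.kx == "RSA",
    "aRSA": lambda s: s.auth == "RSA",
    "RC4": lambda s: s.enc == "RC4",
    "AES": lambda s: s.enc in ("AES", "AESGCM"),
    "AESGCM": lambda s: s.enc == "AESGCM",
}


def matches(word, suite):
    """True if `suite` satisfies every '+'-joined part of `word` (keyword or exact name)."""
    for part in word.split("+"):
        if part in NAMES:
            if part != suite.name:
                return False
            continue
        pred = KEYWORDS.get(part)
        if pred is None:
            raise ValueError(f"unknown cipher keyword: {part}")
        if not pred(suite):
            return False
    return True


def evaluate(cipher_string):
    """Return the ordered list of suite names the cipher string selects."""
    by_name = {s.name: s for s in SUITES}
    selected = []   # current ordered list
    killed = set()  # removed with '!': can never be re-added
    for token in cipher_string.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            selected.sort(key=lambda n: -by_name[n].bits)  # stable: ties keep order
            continue
        if token.startswith("@"):
            raise ValueError(f"unsupported control keyword: {token}")
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hit = [s.name for s in SUITES if matches(word, s)]
        if op == "!":
            killed.update(hit)
            selected = [n for n in selected if n not in killed]
        elif op == "-":
            selected = [n for n in selected if n not in hit]
        elif op == "+":
            selected = [n for n in selected if n not in hit] + [n for n in selected if n in hit]
        else:
            selected += [n for n in hit if n not in selected and n not in killed]
    return selected


def dropped_by(primary, alternate):
    """Suites offered by `primary` that `alternate` no longer offers, in primary order."""
    alt = set(evaluate(alternate))
    return [n for n in evaluate(primary) if n not in alt]


if __name__ == "__main__":
    primary = "ALL:!ADH:+RC4:@STRENGTH"          # string quoted in the answer
    alternate = "ALL:!ADH:!kEDH:+RC4:@STRENGTH"  # assumed shape of the alternate config
    print("primary  :", evaluate(primary))
    print("alternate:", evaluate(alternate))
    print("lost with !kEDH:", dropped_by(primary, alternate))
```

Against a real build, the check stays the one the answer gives: run `openssl ciphers -v` with each string and compare the two outputs; the suites that appear only for the primary string are the ephemeral-DH ones that `!kEDH` strips, which is why the alternate handshake falls back to plain RSA key exchange.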

3 Replies

Re: SSL Encryption Settings

Very helpful.  Thanks for pointing me into the right direction!

Re: SSL Encryption Settings

This is a nice and helpful comment you shared.

Thanks.
