SSL Encryption Settings

Hello,

I have a customer that is experiencing SSL failures to some Policy and PKI servers.  No network errors were evident; all traffic was successfully connecting through all equipment (MWG and MFE).  I found a possible error during SSL negotiation.  Web Gateways are configured to use TLS 1.2 / 1.1 / 1.0 & SSL 3.0; there is also a configuration for alternate handshake that only had SSL 3.0 selected.  I added TLS 1.0 to this configuration and the user reported that he was now able to connect successfully.  The only other difference I noted was in the main SSL encryption settings.  There is an encryption algorithm missing (!kEDH) that was found in the alternate config.  I think the better fix would be to add that algorithm to the primary SSL config, but I don’t understand why the default was configured this way.  Do you see any problem with adding the EDH to the primary SSL config?

Accepted Solutions

Re: SSL Encryption Settings

It's the other way around: the primary config has EDH enabled but the second has it dropped by using the !-sign. The second setting provides weaker settings, possibly to overcome old implementations which cannot deal with large cipher lists and new settings. You can check the resulting cipher list using "openssl ciphers -v 'ALL:!ADH:+RC4:@STRENGTH'".
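
To see what the `!` operator described in the answer above does, this added example (not part of the original post or of the product) expands two cipher strings with the local OpenSSL build through Python's `ssl` module and lists the suites that disappear. `ALTERNATE` is constructed for illustration, since the page does not show the alternate setting's full string; results depend on the OpenSSL version Python is linked against.

```python
import ssl

# Cipher string quoted in the accepted answer.
PRIMARY = "ALL:!ADH:+RC4:@STRENGTH"
# Constructed for illustration: the same string with !kEDH added. The real
# alternate-handshake string is not shown on the page.
ALTERNATE = "ALL:!ADH:!kEDH:+RC4:@STRENGTH"


def expand(cipher_string):
    """Return the suite names the local OpenSSL build selects, in order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c["name"] for c in ctx.get_ciphers()]


def dropped_by(base, modified):
    """Suites offered under `base` that `modified` no longer offers."""
    kept = set(expand(modified))
    return [name for name in expand(base) if name not in kept]


def report(base, modified):
    """Summarise the effect of `modified` relative to `base`."""
    removed = dropped_by(base, modified)
    return {
        "base_count": len(expand(base)),
        "modified_count": len(expand(modified)),
        "removed": removed,
    }


if __name__ == "__main__":
    result = report(PRIMARY, ALTERNATE)
    print(f"{PRIMARY!r}: {result['base_count']} suites")
    print(f"{ALTERNATE!r}: {result['modified_count']} suites")
    print("Removed by !kEDH (ephemeral Diffie-Hellman key exchange):")
    for name in result["removed"]:
        print("  ", name)
```

The `!` prefix deletes matching suites permanently, so a peer that can only negotiate a DHE suite will fail the handshake against the string containing `!kEDH`.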

Re: SSL Encryption Settings

Very helpful.  Thanks for pointing me in the right direction!

Re: SSL Encryption Settings

This is a nice and helpful comment that you shared.

Thanks.
