wollerd
Level 7

SSL Encryption Settings

Hello,

I have a customer that is experiencing SSL failures to some Policy and PKI servers.  No network errors were evident; all traffic was successfully connecting through all equipment (MWG and MFE).  I found a possible error during SSL negotiation.  Web Gateways are configured to use TLS 1.2 / 1.1 / 1.0 & SSL 3.0; there is also a configuration for alternate handshake that only had SSL 3.0 selected.  I added TLS 1.0 to this configuration and the user reported that he was now able to connect successfully.  The only other difference I noted was in the main SSL encryption settings.  There is an encryption algorithm missing (!kEDH) that was found in the alternate config.  I think the better fix would be to add that algorithm to the primary SSL config, but I don’t understand why the default was configured this way.  Do you see any problem with adding the EDH to the primary SSL config?

1 Solution

Accepted Solutions
otruniger
Level 10

Re: SSL Encryption Settings

It's the other way around: the primary config has EDH enabled but the second has it dropped by using the !-sign. The second setting provides weaker settings possibly to overcome old implementations which cannot deal with large cipher lists and new settings. You can check the resulting cipher list using "openssl ciphers -v 'ALL:!ADH:+RC4:@STRENGTH'".
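
The effect of the `!` prefix described in the answer can be checked by expanding two cipher strings and comparing the results. This is an added example, not part of the original thread: `BASE` is the string quoted in the answer, while `ALT` and the helper function names are constructed for illustration, since the gateway's actual settings are not shown here.

```shell
#!/bin/sh
# Added example: show which suites a "!kEDH" entry removes from a cipher string.
export LC_ALL=C   # same collation for sort and comm

# BASE is the string quoted in the answer. ALT is a constructed variant,
# not the gateway's real alternate-handshake setting.
BASE='ALL:!ADH:+RC4:@STRENGTH'
ALT="${BASE}:!kEDH"

# expand STRING -> one cipher suite name per line, sorted for comparison
expand() {
    openssl ciphers "$1" | tr ':' '\n' | sort -u
}

# removed_by A B -> suites in the expansion of A that are missing from B
removed_by() {
    a=$(mktemp)
    b=$(mktemp)
    expand "$1" > "$a"
    expand "$2" > "$b"
    comm -23 "$a" "$b"
    rm -f "$a" "$b"
}

# count_kx STRING KX -> number of suites whose key-exchange column is Kx=KX
# (third column of "openssl ciphers -v" output)
count_kx() {
    openssl ciphers -v "$1" | awk -v kx="Kx=$2" '$3 == kx { n++ } END { print n + 0 }'
}

echo "Ephemeral DH suites in BASE: $(count_kx "$BASE" DH)"
echo "Ephemeral DH suites in ALT:  $(count_kx "$ALT" DH)"
echo "Suites dropped by appending !kEDH:"
removed_by "$BASE" "$ALT"
```

The exact suite names and counts depend on the installed OpenSSL build, so run it on the same OpenSSL version the gateway uses where possible.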

3 Replies
wollerd
Level 7

Re: SSL Encryption Settings

Very helpful.  Thanks for pointing me in the right direction!

0 Kudos
mbagheryan
Level 12

Re: SSL Encryption Settings

This is a nice and helpful comment that you shared.

Thanks.

0 Kudos