SMTP TLS Cipherstring Mappings in release 8.3

Description

Article Applies To:

SonicWall Email Security Appliances: 3300, 4300, 8300.
Firmware/Software Version: 8.3

In version 8.3, the Web UI allows the administrator to select one of three levels of SMTP encryption strength:

  • Strong: American AES (128 bits or higher) and Japanese Camellia (128 bits or higher). This setting is not the default since it will not interoperate with Exchange 2003. This is the recommended setting when mandatory TLS is enabled on the same path.
  • Normal: In addition to the strong ciphers, supports the American Triple-DES (3DES) and South Korean SEED (128 bits) ciphers. This is the recommended setting for public-facing paths that must interoperate with older SMTP servers.
  • Weak: In addition to all strong and medium ciphers, the American RC4 (128 bits) cipher is supported, and Discrete Logarithm Ephemeral Diffie-Hellman (EDH) key exchange is supported when the proxy is acting as a client. In addition, the MD5 hash is allowed in the HMAC. This setting should only be used when the only alternative is clear text.

The OpenSSL Cipherstring selectors are:

  • Weak: ALL:!LOW:!EXPORT:!aNULL:!eNULL:@STRENGTH
  • Normal: HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!EDH:@STRENGTH
  • Strong: HIGH:!MD5:!3DES:!aNULL:!eNULL:!EDH:@STRENGTH

To display the actual ciphers, shell into an appliance and use the openssl ciphers command with one of the above strings. For example, to list all the strong ciphers:

# openssl ciphers -v 'HIGH:!MD5:!3DES:!aNULL:!eNULL:!EDH:@STRENGTH'

Resolution

In release 8.3, the complete set of ciphers is:

Strong

| OpenSSL Cipherstring Name | TLS | Key Exchange | Authenticator | Cipher | HMAC | PFS? |
|---|---|---|---|---|---|---|
| ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | RSA | AESGCM(256) | AEAD | Yes |
| ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | ECDSA | AESGCM(256) | AEAD | Yes |
| ECDHE-RSA-AES256-SHA384 | TLSv1.2 | ECDH | RSA | AES(256) | SHA384 | Yes |
| ECDHE-ECDSA-AES256-SHA384 | TLSv1.2 | ECDH | ECDSA | AES(256) | SHA384 | Yes |
| ECDHE-RSA-AES256-SHA | SSLv3 | ECDH | RSA | AES(256) | SHA1 | Yes |
| ECDHE-ECDSA-AES256-SHA | SSLv3 | ECDH | ECDSA | AES(256) | SHA1 | Yes |
| ECDH-RSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH/RSA | ECDH | AESGCM(256) | AEAD | |
| ECDH-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH/ECDSA | ECDH | AESGCM(256) | AEAD | |
| ECDH-RSA-AES256-SHA384 | TLSv1.2 | ECDH/RSA | ECDH | AES(256) | SHA384 | |
| ECDH-ECDSA-AES256-SHA384 | TLSv1.2 | ECDH/ECDSA | ECDH | AES(256) | SHA384 | |
| ECDH-RSA-AES256-SHA | SSLv3 | ECDH/RSA | ECDH | AES(256) | SHA1 | |
| ECDH-ECDSA-AES256-SHA | SSLv3 | ECDH/ECDSA | ECDH | AES(256) | SHA1 | |
| AES256-GCM-SHA384 | TLSv1.2 | RSA | RSA | AESGCM(256) | AEAD | |
| AES256-SHA256 | TLSv1.2 | RSA | RSA | AES(256) | SHA256 | |
| AES256-SHA | SSLv3 | RSA | RSA | AES(256) | SHA1 | |
| CAMELLIA256-SHA | SSLv3 | RSA | RSA | Camellia(256) | SHA1 | |
| ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | ECDH | RSA | AESGCM(128) | AEAD | Yes |
| ECDHE-ECDSA-AES128-GCM-SHA256 | TLSv1.2 | ECDH | ECDSA | AESGCM(128) | AEAD | Yes |
| ECDHE-RSA-AES128-SHA256 | TLSv1.2 | ECDH | RSA | AES(128) | SHA256 | Yes |
| ECDHE-ECDSA-AES128-SHA256 | TLSv1.2 | ECDH | ECDSA | AES(128) | SHA256 | Yes |
| ECDHE-RSA-AES128-SHA | SSLv3 | ECDH | RSA | AES(128) | SHA1 | Yes |
| ECDHE-ECDSA-AES128-SHA | SSLv3 | ECDH | ECDSA | AES(128) | SHA1 | Yes |
| ECDH-RSA-AES128-GCM-SHA256 | TLSv1.2 | ECDH/RSA | ECDH | AESGCM(128) | AEAD | |
| ECDH-ECDSA-AES128-GCM-SHA256 | TLSv1.2 | ECDH/ECDSA | ECDH | AESGCM(128) | AEAD | |
| ECDH-RSA-AES128-SHA256 | TLSv1.2 | ECDH/RSA | ECDH | AES(128) | SHA256 | |
| ECDH-ECDSA-AES128-SHA256 | TLSv1.2 | ECDH/ECDSA | ECDH | AES(128) | SHA256 | |
| ECDH-RSA-AES128-SHA | SSLv3 | ECDH/RSA | ECDH | AES(128) | SHA1 | |
| ECDH-ECDSA-AES128-SHA | SSLv3 | ECDH/ECDSA | ECDH | AES(128) | SHA1 | |
| AES128-GCM-SHA256 | TLSv1.2 | RSA | RSA | AESGCM(128) | AEAD | |
| AES128-SHA256 | TLSv1.2 | RSA | RSA | AES(128) | SHA256 | |
| AES128-SHA | SSLv3 | RSA | RSA | AES(128) | SHA1 | |
| CAMELLIA128-SHA | SSLv3 | RSA | RSA | Camellia(128) | SHA1 | |

Normal (in addition to the Strong set)

| OpenSSL Cipherstring Name | TLS | Key Exchange | Authenticator | Cipher | HMAC | PFS? |
|---|---|---|---|---|---|---|
| SEED-SHA | SSLv3 | RSA | RSA | SEED(128) | SHA1 | |
| ECDHE-RSA-DES-CBC3-SHA | SSLv3 | ECDH | RSA | 3DES(168) | SHA1 | Yes |
| ECDHE-ECDSA-DES-CBC3-SHA | SSLv3 | ECDH | ECDSA | 3DES(168) | SHA1 | Yes |
| ECDH-RSA-DES-CBC3-SHA | SSLv3 | ECDH/RSA | ECDH | 3DES(168) | SHA1 | |
| ECDH-ECDSA-DES-CBC3-SHA | SSLv3 | ECDH/ECDSA | ECDH | 3DES(168) | SHA1 | |
| DES-CBC3-SHA | SSLv3 | RSA | RSA | 3DES(168) | SHA1 | |

Weak (in addition to the Strong and Normal sets)

| OpenSSL Cipherstring Name | TLS | Key Exchange | Authenticator | Cipher | HMAC | PFS? |
|---|---|---|---|---|---|---|
| DHE-DSS-AES256-GCM-SHA384 | TLSv1.2 | DH | DSS | AESGCM(256) | AEAD | Yes |
| DHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | DH | RSA | AESGCM(256) | AEAD | Yes |
| DHE-RSA-AES256-SHA256 | TLSv1.2 | DH | RSA | AES(256) | SHA256 | Yes |
| DHE-DSS-AES256-SHA256 | TLSv1.2 | DH | DSS | AES(256) | SHA256 | Yes |
| DHE-RSA-AES256-SHA | SSLv3 | DH | RSA | AES(256) | SHA1 | Yes |
| DHE-DSS-AES256-SHA | SSLv3 | DH | DSS | AES(256) | SHA1 | Yes |
| DHE-RSA-CAMELLIA256-SHA | SSLv3 | DH | RSA | Camellia(256) | SHA1 | Yes |
| DHE-DSS-CAMELLIA256-SHA | SSLv3 | DH | DSS | Camellia(256) | SHA1 | Yes |
| DHE-DSS-AES128-GCM-SHA256 | TLSv1.2 | DH | DSS | AESGCM(128) | AEAD | Yes |
| DHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | DH | RSA | AESGCM(128) | AEAD | Yes |
| DHE-RSA-AES128-SHA256 | TLSv1.2 | DH | RSA | AES(128) | SHA256 | Yes |
| DHE-DSS-AES128-SHA256 | TLSv1.2 | DH | DSS | AES(128) | SHA256 | Yes |
| DHE-RSA-AES128-SHA | SSLv3 | DH | RSA | AES(128) | SHA1 | Yes |
| DHE-DSS-AES128-SHA | SSLv3 | DH | DSS | AES(128) | SHA1 | Yes |
| DHE-RSA-SEED-SHA | SSLv3 | DH | RSA | SEED(128) | SHA1 | Yes |
| DHE-DSS-SEED-SHA | SSLv3 | DH | DSS | SEED(128) | SHA1 | Yes |
| DHE-RSA-CAMELLIA128-SHA | SSLv3 | DH | RSA | Camellia(128) | SHA1 | Yes |
| DHE-DSS-CAMELLIA128-SHA | SSLv3 | DH | DSS | Camellia(128) | SHA1 | Yes |
| ECDHE-RSA-RC4-SHA | SSLv3 | ECDH | RSA | RC4(128) | SHA1 | Yes |
| ECDHE-ECDSA-RC4-SHA | SSLv3 | ECDH | ECDSA | RC4(128) | SHA1 | Yes |
| ECDH-RSA-RC4-SHA | SSLv3 | ECDH/RSA | ECDH | RC4(128) | SHA1 | |
| ECDH-ECDSA-RC4-SHA | SSLv3 | ECDH/ECDSA | ECDH | RC4(128) | SHA1 | |
| RC4-SHA | SSLv3 | RSA | RSA | RC4(128) | SHA1 | |
| RC4-MD5 | SSLv3 | RSA | RSA | RC4(128) | MD5 | |
| EDH-RSA-DES-CBC3-SHA | SSLv3 | DH | RSA | 3DES(168) | SHA1 | |
| EDH-DSS-DES-CBC3-SHA | SSLv3 | DH | DSS | 3DES(168) | SHA1 | |

Notes:

  • TLS v1.2 Galois/Counter Mode (GCM), Authenticated Encryption with Associated Data (AEAD), and SHA-2 hashes are only available when the client uses TLS v1.2. All TLS v1 ciphers remain available when the client uses TLS v1.2, except for RC4, which is always disabled with TLS v1.1 and above.
  • The changes from Release 8.2 to 8.3 are:
    • All ciphers using less than 128-bit encryption (the former "weak" ciphers) have been removed and are no longer available.
    • The RC4 cipher has been moved to "weak" only.
    • The DHE authenticator has been moved to "weak" only.
    • 3DES is no longer included in the "strong" set; it is included in "normal" and "weak".
