SMTP TLS Cipherstring Mappings in release 8.3

03/26/2020 1041 8772

DESCRIPTION:

Article Applies To:

SonicWall Email Security Appliances: 3300, 4300, 8300.
Firmware/Software Version: 8.3

In version 8.3, the Web UI allows the administrator to select one of three levels of SMTP encryption strength:

Strong: American AES (128 bits or higher) and Japanese Camellia (128 bits or higher). This setting is not the default since it will not inter-operate with Exchange 2003. This is the recommended setting when mandatory TLS is enabled on the same path.
Normal: In addition to the strong ciphers, supports the American Triple-DES (3DES) and South Korean SEED (128 bits) ciphers. This is the recommended setting for public-facing paths that must interoperate with older SMTP servers.
Weak: In addition to all strong and medium ciphers, the American RC4 (128 bits) cipher is supported, and Discrete Logarithm Ephemeral Diffie-Hellman (EDH) key exchange is supported when the proxy is acting as a client. In addition, the MD5 hash is allowed in the HMAC. This setting should only be used when the only alternative is clear text.

The OpenSSL Cipherstring selectors are:

Weak	`ALL:!LOW:!EXPORT:!aNULL:!eNULL:@STRENGTH`
Normal	`HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!EDH:@STRENGTH`
Strong	`HIGH:!MD5:!3DES:!aNULL:!eNULL:!EDH:@STRENGTH`

To display the actual ciphers, shell into an appliance and use the openssl ciphers command with one of the above strings. For example, to list all the strong ciphers:

# openssl ciphers -v 'HIGH:!MD5:!3DES:!aNULL:!eNULL:!EDH:@STRENGTH'

RESOLUTION:

In release 8.3, the complete set of ciphers are:

OpenSSL Cipherstring Name	TLS	Key Exchange	Authenticator	Cipher	HMAC	PFS?
Strong
ECDHE-RSA-AES256-GCM-SHA384	TLSv1.2	ECDH	RSA	AESGCM(256)	AEAD	Yes
ECDHE-ECDSA-AES256-GCM-SHA384	TLSv1.2	ECDH	ECDSA	AESGCM(256)	AEAD	Yes
ECDHE-RSA-AES256-SHA384	TLSv1.2	ECDH	RSA	AES(256)	SHA384	Yes
ECDHE-ECDSA-AES256-SHA384	TLSv1.2	ECDH	ECDSA	AES(256)	SHA384	Yes
ECDHE-RSA-AES256-SHA	SSLv3	ECDH	RSA	AES(256)	SHA1	Yes
ECDHE-ECDSA-AES256-SHA	SSLv3	ECDH	ECDSA	AES(256)	SHA1	Yes
ECDH-RSA-AES256-GCM-SHA384	TLSv1.2	ECDH/RSA	ECDH	AESGCM(256)	AEAD
ECDH-ECDSA-AES256-GCM-SHA384	TLSv1.2	ECDH/ECDSA	ECDH	AESGCM(256)	AEAD
ECDH-RSA-AES256-SHA384	TLSv1.2	ECDH/RSA	ECDH	AES(256)	SHA384
ECDH-ECDSA-AES256-SHA384	TLSv1.2	ECDH/ECDSA	ECDH	AES(256)	SHA384
ECDH-RSA-AES256-SHA	SSLv3	ECDH/RSA	ECDH	AES(256)	SHA1
ECDH-ECDSA-AES256-SHA	SSLv3	ECDH/ECDSA	ECDH	AES(256)	SHA1
AES256-GCM-SHA384	TLSv1.2	RSA	RSA	AESGCM(256)	AEAD
AES256-SHA256	TLSv1.2	RSA	RSA	AES(256)	SHA256
AES256-SHA	SSLv3	RSA	RSA	AES(256)	SHA1
CAMELLIA256-SHA	SSLv3	RSA	RSA	Camellia(256)	SHA1
ECDHE-RSA-AES128-GCM-SHA256	TLSv1.2	ECDH	RSA	AESGCM(128)	AEAD	Yes
ECDHE-ECDSA-AES128-GCM-SHA256	TLSv1.2	ECDH	ECDSA	AESGCM(128)	AEAD	Yes
ECDHE-RSA-AES128-SHA256	TLSv1.2	ECDH	RSA	AES(128)	SHA256	Yes
ECDHE-ECDSA-AES128-SHA256	TLSv1.2	ECDH	ECDSA	AES(128)	SHA256	Yes
ECDHE-RSA-AES128-SHA	SSLv3	ECDH	RSA	AES(128)	SHA1	Yes
ECDHE-ECDSA-AES128-SHA	SSLv3	ECDH	ECDSA	AES(128)	SHA1	Yes
ECDH-RSA-AES128-GCM-SHA256	TLSv1.2	ECDH/RSA	ECDH	AESGCM(128)	AEAD
ECDH-ECDSA-AES128-GCM-SHA256	TLSv1.2	ECDH/ECDSA	ECDH	AESGCM(128)	AEAD
ECDH-RSA-AES128-SHA256	TLSv1.2	ECDH/RSA	ECDH	AES(128)	SHA256
ECDH-ECDSA-AES128-SHA256	TLSv1.2	ECDH/ECDSA	ECDH	AES(128)	SHA256
ECDH-RSA-AES128-SHA	SSLv3	ECDH/RSA	ECDH	AES(128)	SHA1
ECDH-ECDSA-AES128-SHA	SSLv3	ECDH/ECDSA	ECDH	AES(128)	SHA1
AES128-GCM-SHA256	TLSv1.2	RSA	RSA	AESGCM(128)	AEAD
AES128-SHA256	TLSv1.2	RSA	RSA	AES(128)	SHA256
AES128-SHA	SSLv3	RSA	RSA	AES(128)	SHA1
CAMELLIA128-SHA	SSLv3	RSA	RSA	Camellia(128)	SHA1
Normal
SEED-SHA	SSLv3	RSA	RSA	SEED(128)	SHA1
ECDHE-RSA-DES-CBC3-SHA	SSLv3	ECDH	RSA	3DES(168)	SHA1	Yes
ECDHE-ECDSA-DES-CBC3-SHA	SSLv3	ECDH	ECDSA	3DES(168)	SHA1	Yes
ECDH-RSA-DES-CBC3-SHA	SSLv3	ECDH/RSA	ECDH	3DES(168)	SHA1
ECDH-ECDSA-DES-CBC3-SHA	SSLv3	ECDH/ECDSA	ECDH	3DES(168)	SHA1
DES-CBC3-SHA	SSLv3	RSA	RSA	3DES(168)	SHA1
Weak
DHE-DSS-AES256-GCM-SHA384	TLSv1.2	DH	DSS	AESGCM(256)	AEAD	Yes
DHE-RSA-AES256-GCM-SHA384	TLSv1.2	DH	RSA	AESGCM(256)	AEAD	Yes
DHE-RSA-AES256-SHA256	TLSv1.2	DH	RSA	AES(256)	SHA256	Yes
DHE-DSS-AES256-SHA256	TLSv1.2	DH	DSS	AES(256)	SHA256	Yes
DHE-RSA-AES256-SHA	SSLv3	DH	RSA	AES(256)	SHA1	Yes
DHE-DSS-AES256-SHA	SSLv3	DH	DSS	AES(256)	SHA1	Yes
DHE-RSA-CAMELLIA256-SHA	SSLv3	DH	RSA	Camellia(256)	SHA1	Yes
DHE-DSS-CAMELLIA256-SHA	SSLv3	DH	DSS	Camellia(256)	SHA1	Yes
DHE-DSS-AES128-GCM-SHA256	TLSv1.2	DH	DSS	AESGCM(128)	AEAD	Yes
DHE-RSA-AES128-GCM-SHA256	TLSv1.2	DH	RSA	AESGCM(128)	AEAD	Yes
DHE-RSA-AES128-SHA256	TLSv1.2	DH	RSA	AES(128)	SHA256	Yes
DHE-DSS-AES128-SHA256	TLSv1.2	DH	DSS	AES(128)	SHA256	Yes
DHE-RSA-AES128-SHA	SSLv3	DH	RSA	AES(128)	SHA1	Yes
DHE-DSS-AES128-SHA	SSLv3	DH	DSS	AES(128)	SHA1	Yes
DHE-RSA-SEED-SHA	SSLv3	DH	RSA	SEED(128)	SHA1	Yes
DHE-DSS-SEED-SHA	SSLv3	DH	DSS	SEED(128)	SHA1	Yes
DHE-RSA-CAMELLIA128-SHA	SSLv3	DH	RSA	Camellia(128)	SHA1	Yes
DHE-DSS-CAMELLIA128-SHA	SSLv3	DH	DSS	Camellia(128)	SHA1	Yes
ECDHE-RSA-RC4-SHA	SSLv3	ECDH	RSA	RC4(128)	SHA1	Yes
ECDHE-ECDSA-RC4-SHA	SSLv3	ECDH	ECDSA	RC4(128)	SHA1	Yes
ECDH-RSA-RC4-SHA	SSLv3	ECDH/RSA	ECDH	RC4(128)	SHA1
ECDH-ECDSA-RC4-SHA	SSLv3	ECDH/ECDSA	ECDH	RC4(128)	SHA1
RC4-SHA	SSLv3	RSA	RSA	RC4(128)	SHA1
RC4-MD5	SSLv3	RSA	RSA	RC4(128)	MD5
EDH-RSA-DES-CBC3-SHA	SSLv3	DH	RSA	3DES(168)	SHA1
EDH-DSS-DES-CBC3-SHA	SSLv3	DH	DSS	3DES(168)	SHA1

Notes:

TLS v1.2 Galois/Counter Mode (GCM), Authenticated Encryption with Associated Data (AEAD), and SHA-2 hashes are only available when the client uses TLS v1.2. All TLS v1 ciphers are available when the client uses TLS v1.2, except for RC4, which is always disabled with TLS v1.1 and above.
The changes from Release 8.2 to 8.3 are:
- All ciphers using less than 128-bit encryption (the former “weak” ciphers) have been removed and are no longer available.
- The RC4 cipher has been moved to “weak” only.
- The DHE authenticator has been moved to “weak” only.
- 3DES is no longer included in the "strong" set; it is included in “normal” and “weak.”

Not Finding Your Answer?

REQUEST NEW ARTICLE

SMTP TLS Cipherstring Mappings in release 8.3

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Not Finding Your Answer?

About SonicWall

Products

Solutions

Customers

Support

SMTP TLS Cipherstring Mappings in release 8.3

Categories

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Not Finding Your Answer?

About SonicWall

Products

Solutions

Customers

Support