- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
SMTP TLS Cipherstring Mappings in release 8.3
03/26/2020 
1,041 People found this article helpful
97,064 Views
Description
Article Applies To:
SonicWall Email Security Appliances: 3300, 4300, 8300.
Firmware/Software Version: 8.3
In version 8.3, the Web UI allows the administrator to select one of three levels of SMTP encryption strength:
- Strong: American AES (128 bits or higher) and Japanese Camellia (128 bits or higher). This setting is not the default since it will not inter-operate with Exchange 2003. This is the recommended setting when mandatory TLS is enabled on the same path.
- Normal: In addition to the strong ciphers, supports the American Triple-DES (3DES) and South Korean SEED (128 bits) ciphers. This is the recommended setting for public-facing paths that must interoperate with older SMTP servers.
- Weak: In addition to all strong and medium ciphers, the American RC4 (128 bits) cipher is supported, and Discrete Logarithm Ephemeral Diffie-Hellman (EDH) key exchange is supported when the proxy is acting as a client. In addition, the MD5 hash is allowed in the HMAC. This setting should only be used when the only alternative is clear text.
The OpenSSL Cipherstring selectors are:
| Weak | ALL:!LOW:!EXPORT:!aNULL:!eNULL:@STRENGTH |
| Normal | HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!EDH:@STRENGTH |
| Strong | HIGH:!MD5:!3DES:!aNULL:!eNULL:!EDH:@STRENGTH |
To display the actual ciphers, shell into an appliance and use the openssl ciphers command with one of the above strings. For example, to list all the strong ciphers:
# openssl ciphers -v 'HIGH:!MD5:!3DES:!aNULL:!eNULL:!EDH:@STRENGTH'
Resolution
In release 8.3, the complete set of ciphers are:
OpenSSL Cipherstring Name | TLS | Key Exchange | Authenticator | Cipher | HMAC | PFS? |
Strong | ||||||
ECDHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | RSA | AESGCM(256) | AEAD | Yes |
ECDHE-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH | ECDSA | AESGCM(256) | AEAD | Yes |
ECDHE-RSA-AES256-SHA384 | TLSv1.2 | ECDH | RSA | AES(256) | SHA384 | Yes |
ECDHE-ECDSA-AES256-SHA384 | TLSv1.2 | ECDH | ECDSA | AES(256) | SHA384 | Yes |
ECDHE-RSA-AES256-SHA | SSLv3 | ECDH | RSA | AES(256) | SHA1 | Yes |
ECDHE-ECDSA-AES256-SHA | SSLv3 | ECDH | ECDSA | AES(256) | SHA1 | Yes |
ECDH-RSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH/RSA | ECDH | AESGCM(256) | AEAD | |
ECDH-ECDSA-AES256-GCM-SHA384 | TLSv1.2 | ECDH/ECDSA | ECDH | AESGCM(256) | AEAD | |
ECDH-RSA-AES256-SHA384 | TLSv1.2 | ECDH/RSA | ECDH | AES(256) | SHA384 | |
ECDH-ECDSA-AES256-SHA384 | TLSv1.2 | ECDH/ECDSA | ECDH | AES(256) | SHA384 | |
ECDH-RSA-AES256-SHA | SSLv3 | ECDH/RSA | ECDH | AES(256) | SHA1 | |
ECDH-ECDSA-AES256-SHA | SSLv3 | ECDH/ECDSA | ECDH | AES(256) | SHA1 | |
AES256-GCM-SHA384 | TLSv1.2 | RSA | RSA | AESGCM(256) | AEAD | |
AES256-SHA256 | TLSv1.2 | RSA | RSA | AES(256) | SHA256 | |
AES256-SHA | SSLv3 | RSA | RSA | AES(256) | SHA1 | |
CAMELLIA256-SHA | SSLv3 | RSA | RSA | Camellia(256) | SHA1 | |
ECDHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | ECDH | RSA | AESGCM(128) | AEAD | Yes |
ECDHE-ECDSA-AES128-GCM-SHA256 | TLSv1.2 | ECDH | ECDSA | AESGCM(128) | AEAD | Yes |
ECDHE-RSA-AES128-SHA256 | TLSv1.2 | ECDH | RSA | AES(128) | SHA256 | Yes |
ECDHE-ECDSA-AES128-SHA256 | TLSv1.2 | ECDH | ECDSA | AES(128) | SHA256 | Yes |
ECDHE-RSA-AES128-SHA | SSLv3 | ECDH | RSA | AES(128) | SHA1 | Yes |
ECDHE-ECDSA-AES128-SHA | SSLv3 | ECDH | ECDSA | AES(128) | SHA1 | Yes |
ECDH-RSA-AES128-GCM-SHA256 | TLSv1.2 | ECDH/RSA | ECDH | AESGCM(128) | AEAD | |
ECDH-ECDSA-AES128-GCM-SHA256 | TLSv1.2 | ECDH/ECDSA | ECDH | AESGCM(128) | AEAD | |
ECDH-RSA-AES128-SHA256 | TLSv1.2 | ECDH/RSA | ECDH | AES(128) | SHA256 | |
ECDH-ECDSA-AES128-SHA256 | TLSv1.2 | ECDH/ECDSA | ECDH | AES(128) | SHA256 | |
ECDH-RSA-AES128-SHA | SSLv3 | ECDH/RSA | ECDH | AES(128) | SHA1 | |
ECDH-ECDSA-AES128-SHA | SSLv3 | ECDH/ECDSA | ECDH | AES(128) | SHA1 | |
AES128-GCM-SHA256 | TLSv1.2 | RSA | RSA | AESGCM(128) | AEAD | |
AES128-SHA256 | TLSv1.2 | RSA | RSA | AES(128) | SHA256 | |
AES128-SHA | SSLv3 | RSA | RSA | AES(128) | SHA1 | |
CAMELLIA128-SHA | SSLv3 | RSA | RSA | Camellia(128) | SHA1 | |
Normal | ||||||
SEED-SHA | SSLv3 | RSA | RSA | SEED(128) | SHA1 | |
ECDHE-RSA-DES-CBC3-SHA | SSLv3 | ECDH | RSA | 3DES(168) | SHA1 | Yes |
ECDHE-ECDSA-DES-CBC3-SHA | SSLv3 | ECDH | ECDSA | 3DES(168) | SHA1 | Yes |
ECDH-RSA-DES-CBC3-SHA | SSLv3 | ECDH/RSA | ECDH | 3DES(168) | SHA1 | |
ECDH-ECDSA-DES-CBC3-SHA | SSLv3 | ECDH/ECDSA | ECDH | 3DES(168) | SHA1 | |
DES-CBC3-SHA | SSLv3 | RSA | RSA | 3DES(168) | SHA1 | |
Weak | ||||||
DHE-DSS-AES256-GCM-SHA384 | TLSv1.2 | DH | DSS | AESGCM(256) | AEAD | Yes |
DHE-RSA-AES256-GCM-SHA384 | TLSv1.2 | DH | RSA | AESGCM(256) | AEAD | Yes |
DHE-RSA-AES256-SHA256 | TLSv1.2 | DH | RSA | AES(256) | SHA256 | Yes |
DHE-DSS-AES256-SHA256 | TLSv1.2 | DH | DSS | AES(256) | SHA256 | Yes |
DHE-RSA-AES256-SHA | SSLv3 | DH | RSA | AES(256) | SHA1 | Yes |
DHE-DSS-AES256-SHA | SSLv3 | DH | DSS | AES(256) | SHA1 | Yes |
DHE-RSA-CAMELLIA256-SHA | SSLv3 | DH | RSA | Camellia(256) | SHA1 | Yes |
DHE-DSS-CAMELLIA256-SHA | SSLv3 | DH | DSS | Camellia(256) | SHA1 | Yes |
DHE-DSS-AES128-GCM-SHA256 | TLSv1.2 | DH | DSS | AESGCM(128) | AEAD | Yes |
DHE-RSA-AES128-GCM-SHA256 | TLSv1.2 | DH | RSA | AESGCM(128) | AEAD | Yes |
DHE-RSA-AES128-SHA256 | TLSv1.2 | DH | RSA | AES(128) | SHA256 | Yes |
DHE-DSS-AES128-SHA256 | TLSv1.2 | DH | DSS | AES(128) | SHA256 | Yes |
DHE-RSA-AES128-SHA | SSLv3 | DH | RSA | AES(128) | SHA1 | Yes |
DHE-DSS-AES128-SHA | SSLv3 | DH | DSS | AES(128) | SHA1 | Yes |
DHE-RSA-SEED-SHA | SSLv3 | DH | RSA | SEED(128) | SHA1 | Yes |
DHE-DSS-SEED-SHA | SSLv3 | DH | DSS | SEED(128) | SHA1 | Yes |
DHE-RSA-CAMELLIA128-SHA | SSLv3 | DH | RSA | Camellia(128) | SHA1 | Yes |
DHE-DSS-CAMELLIA128-SHA | SSLv3 | DH | DSS | Camellia(128) | SHA1 | Yes |
ECDHE-RSA-RC4-SHA | SSLv3 | ECDH | RSA | RC4(128) | SHA1 | Yes |
ECDHE-ECDSA-RC4-SHA | SSLv3 | ECDH | ECDSA | RC4(128) | SHA1 | Yes |
ECDH-RSA-RC4-SHA | SSLv3 | ECDH/RSA | ECDH | RC4(128) | SHA1 | |
ECDH-ECDSA-RC4-SHA | SSLv3 | ECDH/ECDSA | ECDH | RC4(128) | SHA1 | |
RC4-SHA | SSLv3 | RSA | RSA | RC4(128) | SHA1 | |
RC4-MD5 | SSLv3 | RSA | RSA | RC4(128) | MD5 | |
EDH-RSA-DES-CBC3-SHA | SSLv3 | DH | RSA | 3DES(168) | SHA1 | |
EDH-DSS-DES-CBC3-SHA | SSLv3 | DH | DSS | 3DES(168) | SHA1 | |
Notes:
- TLS v1.2 Galois/Counter Mode (GCM), Authenticated Encryption with Associated Data (AEAD), and SHA-2 hashes are only available when the client uses TLS v1.2. All TLS v1 ciphers are available when the client uses TLS v1.2, except for RC4, which is always disabled with TLS v1.1 and above.
- The changes from Release 8.2 to 8.3 are:
- All ciphers using less than 128-bit encryption (the former “weak” ciphers) have been removed and are no longer available.
- The RC4 cipher has been moved to “weak” only.
- The DHE authenticator has been moved to “weak” only.
- 3DES is no longer included in the "strong" set; it is included in “normal” and “weak.”
Related Articles
- SonicWall HES IP address blocklisted by UCEProtect or Backscatter
- How to add O365 connector for domain specific routing
- SonicWall Email Security on Hyper-V Platform
Categories
- Email Security > Email Security Appliance
- Email Security > Email Security Software
- Email Security > Hosted Email Security
YES
NO