Cisco Email Security Appliance X1070 Information Guide

Contents
Introduction
Legacy certificates (MD5) cause TLSv1.2 communication to fail on 9.5 AsyncOS for Email Security upgrades and newer
Corrective Actions
CLI Corrective Actions (if GUI cannot be accessed)
Related Information
Related Cisco Support Community Discussions
Introduction
This document describes the steps to take if you encounter a problem with TLS
communication, or with access to the web interface, after upgrading to AsyncOS for Email
Security version 9.5 or newer on the Cisco Email Security Appliance (ESA).
Legacy certificates (MD5) cause TLSv1.2 communication to
fail on 9.5 AsyncOS for Email Security upgrades and newer
Note: The following is a listed workaround for the current demo certificates applied on the
appliance. However, the steps below may also apply to any MD5-signed certificate.
After an upgrade to AsyncOS for Email Security version 9.5 or newer, any legacy IronPort
demo certificate still in use and applied to delivery, receiving or LDAP may produce errors
when negotiating TLSv1/TLSv1.2 with some domains. The TLS error will cause all inbound or
outbound sessions to fail.
If the certificates are applied to the HTTPS interface, modern web browsers will fail to access the
web interface of the appliance.
Mail Logs should look similar to the following example:
Tue Jun 30 15:27:59 2015 Info: ICID 4420993 TLS failed: (336109761, 'error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher')
This error is caused by the signature algorithm of the older certificate being MD5, while the
connecting appliance or browser only accepts SHA-based signature algorithms. The older
MD5-signed demo certificates remain on the appliance alongside the new SHA-based demo
certificate, but the error above only manifests if the MD5-signed certificate is applied to the
affected functions (i.e. receiving, delivery, etc.).
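To confirm which certificate is affected before touching the appliance configuration, the signature algorithm can be read straight out of the exported DER certificate. The following is an added example, not Cisco code: a dependency-free DER walker that returns the signatureAlgorithm OID and flags md5WithRSAEncryption; the two sample certificates it builds are constructed shells (a stub tbsCertificate with a real OID) used only to exercise the check.

```python
SIG_OIDS = {  # RFC 3279/4055 signature algorithm OIDs this check recognises
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Convert OBJECT IDENTIFIER content bytes to dotted-decimal text."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:  # base-128 arcs, high bit set on all but the last byte
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def signature_oid(der):
    """Return the dotted OID from Certificate.signatureAlgorithm (RFC 5280 4.1)."""
    _, cert, _ = _read_tlv(der, 0)        # Certificate ::= SEQUENCE
    _, _, pos = _read_tlv(cert, 0)        # skip tbsCertificate
    _, alg, _ = _read_tlv(cert, pos)      # AlgorithmIdentifier ::= SEQUENCE
    tag, oid, _ = _read_tlv(alg, 0)
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    return decode_oid(oid)

def is_md5_signed(der):
    return SIG_OIDS.get(signature_oid(der)) == "md5WithRSAEncryption"

def _tlv(tag, value):  # short-form DER encoder, enough for the constructed sample
    return bytes([tag, len(value)]) + value

def sample_cert(last_oid_byte):
    """Constructed certificate shell (NOT a valid certificate) for testing only."""
    tbs = _tlv(0x30, _tlv(0x02, b"\x01"))
    oid = bytes.fromhex("2a864886f70d0101") + bytes([last_oid_byte])  # 1.2.840.113549.1.1.x
    alg = _tlv(0x30, _tlv(0x06, oid) + _tlv(0x05, b""))
    sig = _tlv(0x03, b"\x00" + b"\xaa" * 4)
    return _tlv(0x30, tbs + alg + sig)

MD5_SAMPLE, SHA256_SAMPLE = sample_cert(0x04), sample_cert(0x0B)
```

On a real exported certificate, call is_md5_signed(open("cert.der", "rb").read()); PEM files must be base64-decoded to DER first.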
Below is an example pulled from the CLI of an appliance that has both the older MD5 certificates
and the new Demo certificate (Note: the newer Demo certificate should use the SHA algorithm and
have a later expiration date than the older demo certificates):