Cisco Email Security Appliance C650 User Guide
Chapter 24 FIPS Management
Cisco IronPort AsyncOS 7.3 for Email Advanced Configuration Guide
OL-23081-01
Understanding How FIPS Management Works
The Email Security appliance uses CiscoSSL and FIPS-compliant certificates for
communication when the appliance is in FIPS mode. See
for more information.
Note
As part of FIPS compliance, AsyncOS for Email does not support SSH version 1.
To be FIPS Level 1 compliant, the Email Security appliance makes the following
changes to your configuration:
• SMTP receiving and delivery. Incoming and outgoing SMTP conversations
over TLS between a public listener on the Email Security appliance and a
remote host use TLS version 1 and FIPS cipher suites. You cannot change
these values using sslconfig when in FIPS mode. TLS v1 is the only version
of TLS supported in FIPS mode.
• Web interface. HTTPS sessions to the Email Security appliance's web
interface use TLS version 1 and FIPS cipher suites. This also includes HTTPS
sessions to the IronPort Spam Quarantine and other IP interfaces. You cannot
change these values using sslconfig when in FIPS mode.
• Certificates. FIPS mode restricts the kinds of certificates used by the
appliance. Certificates must use one of the following signature algorithms:
SHA-1, SHA-224, SHA-256, SHA-384, or SHA-512. The appliance will not import
certificates that do not use one of these algorithms. The appliance cannot be
switched to FIPS mode if it has any non-compliant certificates in use; it
displays an error message instead. See
for more information.
• DKIM signing and verification. RSA keys used for DKIM signatures and
verification must be 1024, 1536, or 2048 bits in length. The appliance cannot
be switched to FIPS mode if it has any non-compliant RSA keys in use; it
displays an error message instead. When verifying a DKIM signature, the
appliance returns a permanent failure if the signature does not use a
FIPS-compliant key. See
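The two pre-conditions in the list above that can block the switch to FIPS mode, certificate signature algorithms and DKIM RSA key sizes, are what an administrator would want to verify before attempting it. The following Python is an added example and is not part of this guide or of AsyncOS: it walks DER directly with a small hand-written ASN.1 reader so it needs no third-party library, and the certificate and DKIM key it checks are constructed stand-ins (an empty tbsCertificate carrying a real signatureAlgorithm field, and an RSA SubjectPublicKeyInfo with a synthetic modulus), not real credentials. The OID table covers RSA PKCS#1 v1.5 signatures only, which is an assumption on my part; the appliance's own accepted list is not spelled out beyond the digest names.

```python
# Added example (not Cisco code): pre-flight check for the FIPS-mode certificate and
# DKIM key rules above, using a tiny hand-written DER walker and constructed inputs.
import base64

# minimal DER encoding, used only to build the constructed inputs
def der(tag: int, body: bytes) -> bytes:
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")  # long-form length
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

def der_int(n: int) -> bytes:  # extra leading byte when the top bit is set
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

# minimal DER decoding
def der_read(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    return tag, buf[pos:pos + length], pos + length

def der_children(seq: bytes) -> list:
    items, pos = [], 0
    while pos < len(seq):
        tag, val, pos = der_read(seq, pos)
        items.append((tag, val))
    return items

def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0  # enough for 1.x OIDs
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

# RSA PKCS#1 v1.5 OIDs with a SHA-1/224/256/384/512 digest (RFC 4055); assumption: RSA only
FIPS_SIG_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                 "1.2.840.113549.1.1.14": "sha224WithRSAEncryption",
                 "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
                 "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
                 "1.2.840.113549.1.1.13": "sha512WithRSAEncryption"}
FIPS_RSA_BITS = {1024, 1536, 2048}

def cert_signature_algorithm(cert_der: bytes) -> str:
    """Dotted OID of the outer signatureAlgorithm (2nd element of Certificate ::= SEQUENCE)."""
    _, cert, _ = der_read(cert_der)
    return decode_oid(der_children(der_children(cert)[1][1])[0][1])

def rsa_modulus_bits(spki_der: bytes) -> int:
    """Modulus size of an RSA SubjectPublicKeyInfo (what a DKIM p= tag decodes to)."""
    _, spki, _ = der_read(spki_der)
    alg, pubkey = der_children(spki)[:2]
    if decode_oid(der_children(alg[1])[0][1]) != "1.2.840.113549.1.1.1":
        raise ValueError("not an rsaEncryption key")
    _, rsa_seq, _ = der_read(pubkey[1][1:])  # BIT STRING: skip the unused-bits octet
    return int.from_bytes(der_children(rsa_seq)[0][1], "big").bit_length()  # n of {n, e}

def dkim_record_spki(txt: str) -> bytes:
    """Decode the p= tag of a DKIM TXT record (RFC 6376 tag=value list)."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    return base64.b64decode(tags["p"])

def check_fips_ready(certs: dict, dkim_keys: dict) -> list:
    """Problems that would stop FIPS mode from being enabled; [] means ready."""
    problems = []
    for name, cert_der in certs.items():
        oid = cert_signature_algorithm(cert_der)
        if oid not in FIPS_SIG_OIDS:
            problems.append(f"certificate {name}: signature algorithm {oid} is not SHA-1/224/256/384/512")
    for selector, spki in dkim_keys.items():
        bits = rsa_modulus_bits(spki)
        if bits not in FIPS_RSA_BITS:
            problems.append(f"DKIM key {selector}: RSA modulus is {bits} bits, not 1024/1536/2048")
    return problems

# constructed inputs: structural stand-ins, not real certificates or keys
def fake_cert(sig_oid: str) -> bytes:  # empty tbsCertificate, given sigalg, dummy signature
    sig_alg = der(0x30, der_oid(sig_oid) + der(0x05, b""))
    return der(0x30, der(0x30, b"") + sig_alg + der(0x03, bytes(17)))

def fake_rsa_spki(bits: int) -> bytes:  # synthetic modulus with exactly `bits` bits
    n = (1 << (bits - 1)) | 1
    rsa_pub = der(0x30, der_int(n) + der_int(65537))
    alg = der(0x30, der_oid("1.2.840.113549.1.1.1") + der(0x05, b""))
    return der(0x30, alg + der(0x03, b"\x00" + rsa_pub))

SAMPLE_DKIM_TXT = "v=DKIM1; k=rsa; p=" + base64.b64encode(fake_rsa_spki(1024)).decode()
```

Against real inputs, `check_fips_ready()` takes the appliance's certificates as DER (base64-decode the PEM body) keyed by a display name, and DKIM verification keys as the decoded `p=` value of each selector's TXT record; a `sha256WithRSAEncryption` certificate with a 1024-bit key passes, while an `md5WithRSAEncryption` certificate or a 4096-bit key is reported, which is exactly the situation in which the appliance refuses to enter FIPS mode. The same two fields are what `openssl x509 -noout -text` prints as "Signature Algorithm" and what `openssl rsa -noout -text` prints on its "Private-Key" line, if you prefer to check with the OpenSSL CLI.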