Forum Discussion

SAMFS's avatar
SAMFS
Copper Contributor
Apr 24, 2024

How to configure cipher suites for STARTTLS?

I configured the available cipher suites for an Exchange 2013 server as https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-tls-configu...
2013
admin
Exchange Server
SAMFS's avatar
SAMFS
Copper Contributor
Apr 24, 2024
Thanks for you quick reply! That is the document I referred to in my post. So, what's in there either does not answer my question or I got it wrong 😅
  • Andres-Bohren's avatar
    Andres-Bohren
    Iron Contributor
    Apr 24, 2024
    How to you check the Ciphers offered after STARTTLS?
    • SAMFS's avatar
      SAMFS
      Copper Contributor
      Apr 25, 2024

      By capturing the traffic to and from the server using Wireshark. The Exchange server contacted another SMTP host and after sending the STARTTLS command it sent the following cipher suites as part of the handshake:

      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
      TLS_RSA_WITH_AES_256_CBC_SHA
      TLS_RSA_WITH_3DES_EDE_CBC_SHA
      TLS_RSA_WITH_AES_128_CBC_SHA
      TLS_RSA_WITH_RC4_128_SHA
      TLS_RSA_WITH_RC4_128_MD5

      While the ciphers in the above registry key are as follows:

      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
      TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P256
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
      TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P256
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
      TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
      TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
      TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
      TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
      TLS_RSA_WITH_AES_256_GCM_SHA384
      TLS_RSA_WITH_AES_128_GCM_SHA256

      Which matches the list from the best practice document.

      • Andres-Bohren's avatar
        Andres-Bohren
        Iron Contributor
        Apr 26, 2024

        Hi SAMFS 

        I've captured the Traffic from an openssl STARTTLS Test

        openssl s_client -starttls smtp -connect mail.icewolf.ch:25


        After STARTTLS and the Server Responding 220
        The client sends a List of Cipher Suites it supports

         

        Then the Server picks one

        Similar to HTTPS

         

        Kind Regards
        Andres

         

         

         

Resources