Forum Discussion

SAMFS's avatar
SAMFS
Copper Contributor
Apr 24, 2024

How to configure cipher suites for STARTTLS?

I configured the available cipher suites for an Exchange 2013 server as https://learn.microsoft.com/en-us/exchange/plan-and-deploy/post-installation-tasks/security-best-practices/exchange-tls-configu...
2013
admin
Exchange Server
SAMFS's avatar
SAMFS
Copper Contributor
Apr 24, 2024
Thanks for you quick reply! That is the document I referred to in my post. So, what's in there either does not answer my question or I got it wrong 😅
Andres-Bohren's avatar
Andres-Bohren
Iron Contributor
Apr 24, 2024
How to you check the Ciphers offered after STARTTLS?
  • SAMFS's avatar
    SAMFS
    Copper Contributor
    Apr 25, 2024

    By capturing the traffic to and from the server using Wireshark. The Exchange server contacted another SMTP host and after sending the STARTTLS command it sent the following cipher suites as part of the handshake:

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_AES_256_CBC_SHA
    TLS_RSA_WITH_3DES_EDE_CBC_SHA
    TLS_RSA_WITH_AES_128_CBC_SHA
    TLS_RSA_WITH_RC4_128_SHA
    TLS_RSA_WITH_RC4_128_MD5

    While the ciphers in the above registry key are as follows:

    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384_P256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256_P256
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384
    TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P256
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P384
    TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256_P256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P384
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384_P256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P384
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256_P256
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P384
    TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA_P256
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P384
    TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA_P256
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P384
    TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA_P256
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P384
    TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA_P256
    TLS_RSA_WITH_AES_256_GCM_SHA384
    TLS_RSA_WITH_AES_128_GCM_SHA256

    Which matches the list from the best practice document.

    • Andres-Bohren's avatar
      Andres-Bohren
      Iron Contributor
      Apr 26, 2024

      Hi SAMFS 

      I've captured the Traffic from an openssl STARTTLS Test

      openssl s_client -starttls smtp -connect mail.icewolf.ch:25


      After STARTTLS and the Server Responding 220
      The client sends a List of Cipher Suites it supports

       

      Then the Server picks one

      Similar to HTTPS

       

      Kind Regards
      Andres

       

       

       

      • SAMFS's avatar
        SAMFS
        Copper Contributor
        Apr 29, 2024

        Hi Andres-Bohren!

         

        Yes, that's what I did, too. The problem is that our Exchange server, after sending the STARTTLS command, does not offer the cipher suites that are listed in the above mentioned registry key, but a different set. And I don't know why it behaves like that.

Resources