SSL Protocols

To maintain a wider range of compatibility with end-user browsers, Mail Express Server allows clients to initially connect using all supported SSL protocols. However, the list of allowed SSL Algorithms is limited to a set of stronger SSL 3.0 and TLS 1.0 algorithms. As such, clients that attempt to connect using SSL 2.0 may do so, but then must negotiate that the remainder of the SSL session be handled under SSL 3.0 or TLS 1.0.

The supported SSL protocols have been set using configuration item:

SSLProtocol=”all”

The allowable values for this item include:

all
SSLv2
SSLv3
TLSv1
SSLv2+SSLv3

For more information on this setting refer to http://tomcat.apache.org/tomcat-7.0-doc/apr.html.
For information on higher security settings, refer to the “High Security Settings” section below.

SSL Algorithms

The supported SSL algorithms have been limited to the following:

SSL Protocols	OpenSSL Identifier	Key Exchange	Authentication	Encryption	MAC
SSLv3, TLSv1	DHE-DSS-AES128-SHA	Ephemeral Diffie-Hellman	DSA	AES(128)	SHA1
SSLv3, TLSv1	DHE-DSS-AES256-SHA	Ephemeral Diffie-Hellman	DSA	AES(256)	SHA1
SSLv3, TLSv1	EDH-DSS-DES-CBC3-SHA	Ephemeral Diffie-Hellman	DSA	3DES(168)	SHA1
SSLv3, TLSv1	IDEA-CBC-SHA	RSA	RSA	IDEA(128)	SHA1
SSLv3, TLSv1	AES128-SHA	RSA	RSA	AES(128)	SHA1
SSLv3, TLSv1	AES256-SHA	RSA	RSA	AES(256)	SHA1
SSLv3, TLSv1	DES-CBC3-SHA	RSA	RSA	3DES(168)	SHA1
SSLv3, TLSv1	DHE-RSA-AES128-SHA	Ephemeral Diffie-Hellman	RSA	AES (128)	SHA1
SSLv3, TLSv1	DHE-RSA-AES256-SHA	Ephemeral Diffie-Hellman	RSA	AES(256)	SHA1
SSLv3, TLSv1	EDH-RSA-DES-CBC3-SHA	Ephemeral Diffie-Hellman	RSA	3DES(168)	SHA1
SSLv3, TLSv1	RC4-MD5	RSA	RSA	RC4(128)	MD5
SSLv3, TLSv1	RC4-SHA	RSA	RSA	RC4(128)	SHA1

The SSL algorithm combinations using RSA for authentication will only be available when using an RSA key pair with the Server. Conversely, the SSL algorithm combinations using DSA for authentication will only be available when using a DSA key pair with the Server.
The SSL Algorithms have been constrained to strong types with the configuration item:

SSLCipherSuite="ALL:!ADH:!SSLv2:!EXPORT40:!EXP:!LOW"
For more information on the format of this setting refer to http://www.openssl.org/docs/apps/ciphers.html#CIPHER_LIST_FORMAT

For more information, review the topics in the Contents to the left. If the Contents pane is hidden, click <--Show.

You can also search the Knowledgebase for help, or pose your question in the Globalscape User Forum. Visit the Mail Express Support Center for the most up-to-date information, to view version history, updates, and activation instructions, or to download a PDF of this user guide. For information about Globalscape, visit www.globalscape.com or follow us on Twitter.

Last modified: 07 October 2013 at 9:14:21