SSL Protocols

To maintain a wider range of compatibility with end-user browsers, Mail Express Server allows clients to connect initially using all supported SSL protocols. However, the list of allowed SSL algorithms is limited to a set of stronger SSL 3.0 and TLS 1.0 algorithms. As such, clients that attempt to connect using SSL 2.0 may do so, but then must negotiate that the remainder of the SSL session be handled under SSL 3.0 or TLS 1.0.

See also Enhanced Communication Security (FIPS).

• The supported SSL protocols have been set using the following configuration item:

• • sslEnabledProtocols=”TLSv1, TLSv1.1, TLSv1.2”

• The allowable values for this item include:

• • all

  • SSLv2

  • SSLv3

  • TLSv1, TLSv1.1, TLSv1.2

  • SSLv2+SSLv3

• For more information on this setting refer to http://tomcat.apache.org/tomcat-7.0-doc/apr.html.

• For information on higher security settings, refer to the “High Security Settings” section below.

SSL Algorithms

The supported SSL algorithms have been limited to the following:

• The SSL algorithm combinations using RSA for authentication will only be available when using an RSA key pair with the Server. Conversely, the SSL algorithm combinations using DSA for authentication will only be available when using a DSA key pair with the Server.

• The SSL Algorithms have been constrained to strong types with the configuration item:

• • SSLCipherSuite="ALL:!ADH:!SSLv2:!SSLv3:! EXPORT40:!EXP:!LOW"

  • For more information on the format of this setting refer to https://www.openssl.org/docs/man1.0.2/apps/ciphers.html