SSL cipher suite (TLS 1.3): how to use it, and what is the effect?

I noticed that there is a new setting for TLS 1.3 on the SMTP interface, 'SSL cipher suite (TLS1.3)'. The hover text points to the OpenSSL documentation. The documentation of SMG does not tell me anything about this setting, so I think it did not reach the documentation yet.

The OpenSSL documentation tells me the following ciphersuites are available:

  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_AES_128_GCM_SHA256
  • TLS_AES_128_CCM_8_SHA256
  • TLS_AES_128_CCM_SHA256

The first question I have is: when I decide to use a cipher suite, do I enter the text exactly as the OpenSSL documentation tells me? E.g. 'TLS_AES_256_GCM_SHA384'?

And if a cipher suite is chosen, does that exclude the other cipher suites from being used? Or is it just a preference? Or is it possible to exclude suites with the ! sign?

In my SMTP logs I see that several of the suites are randomly used: TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384

What is the effect of using a cipher suite for TLS 1.3 for the TLS 1.2 settings? (None, I hope).

  • Additionally, I found this MF developers site that explains which ciphersuites are enabled by default (I think that means when I do not enter anything in the SMG):

    TLS1.3 Cipher Suites

    The following are the new collections of cipher suites used in TLS v1.3:

    • TLS_AES_256_GCM_SHA384 (Enabled by default)
    • TLS_CHACHA20_POLY1305_SHA256 (Enabled by default)
    • TLS_AES_128_GCM_SHA256 (Enabled by default)
    • TLS_AES_128_CCM_8_SHA256
    • TLS_AES_128_CCM_SHA256
    Note: The last two collections need to be explicitly added if required. When creating a list, each collection is space separated, for example:
  • Verified Answer

    The content of this setting is passed verbatim into the OpenSSL API SSL_CTX_set_ciphersuites, so yes, the OpenSSL docs are your reference for this value.

    With regards to including, adding, omitting settings, the same applies. SMG does no processing of the strings provided, so if you have specific requirements for how the SSL ciphers are handled, you can control it via this input value.

    If this field is left blank, the default SSL cipher suite is used (as defined by the OpenSSL API).

    If you put this info into the 1.2 setting, that'll be passed into the SSL API SSL_CTX_set_cipher_list, which won't recognize the values.

    The SMTP log info prints the internal settings of the SSL API connection info. How the ciphers are chosen is a matter for the OpenSSL libraries. You'd need to reach out to the OpenSSL community to understand how that works.

    Hope that helps.

  • Verified Answer

    Yeah, I understand. But first, the documentation of the SMG is not up-to-date, and second, the OpenSSL community and manuals are not very easy to understand for everyone. At least OpenText should add a small guideline on how to use these features in SMG and a best practice. Implementing something also creates a responsibility to clarify how to use it.

    I already created different cases on the cipher list for TLS 1.2, but no one at OpenText makes any recommendation on that; they also just refer to the OpenSSL documentation. Problems with the ciphers are e.g. cipher order (there is no preference, like in Apache), excluding some ciphers and the consequences of that (e.g. !DH).

    I guess the best we can do is to wait until TLS 1.2 becomes obsolete and we only have to use TLS 1.3. Then a lot of weak ciphers are dropped.