Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Clearpass using TLS1.0 for SMTP

  • 1.  Clearpass using TLS1.0 for SMTP

    Posted Oct 23, 2020 05:28 AM

    Hey guys,

    I have a quick question regarding TLS on the CPPM. I am currently running version 6.7.9 and we use the captive portal for our guest wifi.

    I already disabled TLS 1.0 support in the cluster-wide parameters, but CPPM is still using it for SMTP (to send out the account receipts).

    Is there any option to change this by config, or does an update to e.g. 6.9.x solve my issue?

     

    This is the client hello from CPPM:

    [Screenshot attachment: Bildschirmfoto 2020-10-23 um 12.07.03.png]

    Cheers

    Arthur

     



  • 2.  RE: Clearpass using TLS1.0 for SMTP
    Best Answer

    Posted Oct 23, 2020 09:33 AM

    Does your receiving mail server support TLS1.2 or newer than TLS1.0? I only have a CPPM 6.9.2 to test with, and there with the 'test' and Connection Security set to SSL, I see that TLS1.2 is used from the mail server logs:

    Anonymous TLS connection established from unknown: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)

    I can imagine that the disable TLS setting is not reflected in the mail sending, which 'under the hood' is a separate process from the server processes.

     

    If your question is if ClearPass can send mail over TLS1.2, then the proof is above. If you want to prevent ClearPass from using TLS 1.0, that may be unsupported at the moment. Probably the best option is to check with support for verification.



  • 3.  RE: Clearpass using TLS1.0 for SMTP

    Posted Oct 23, 2020 11:12 AM

    Thank you Herman! 

    The CP sends the mails through our O365, which is capable of TLS 1.2 but currently still supports 1.0. Seems the CP on 6.7 is using 1.0 as default when using SMTP, as shown in the pcap. Connection Security in our case is set to StartTLS / Port 587.

     

    I will upgrade our appliances and check the outcome.

     

    Best,

    Arthur

     



  • 4.  RE: Clearpass using TLS1.0 for SMTP

    Posted 24 days ago
    Looking at the version in the TLS Client Hello is not always enough. Did you check the supported_versions extension?

    ------------------------------
    PowerArubaSW : Powershell Module to use Aruba Switch API for Vlan, VlanPorts, LACP, LLDP...

    PowerArubaCP: Powershell Module to use ClearPass API (create NAD, Guest...)

    PowerArubaCX: Powershell Module to use ArubaCX API (get interface/vlan/ports info)..

    ACEP / ACMX #107 / ACDX #1281
    ------------------------------
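
The point raised in the last reply, as an added example (not part of the thread and not ClearPass code): a ClientHello carries a record-layer version, a legacy_version and, optionally, a supported_versions extension, and the record-layer field may read 0x0301 (TLS 1.0) even when the client offers TLS 1.2 or 1.3. The function names and the sample messages built by `build_sample` are constructed for illustration.

```python
import struct

NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
         0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}

def parse_client_hello(record: bytes) -> dict:
    """Extract the three version fields carried by a ClientHello record."""
    ctype, rec_ver, rec_len = struct.unpack_from("!BHH", record, 0)
    hs = record[5:5 + rec_len]
    if ctype != 0x16 or len(hs) < max(rec_len, 4) or hs[0] != 0x01:
        raise ValueError("not a complete ClientHello record")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy = struct.unpack_from("!H", body, 0)[0]
    pos = 2 + 32                                        # version + random
    pos += 1 + body[pos]                                # session_id
    pos += 2 + struct.unpack_from("!H", body, pos)[0]   # cipher_suites
    pos += 1 + body[pos]                                # compression_methods
    offered = []
    if pos + 2 <= len(body):                            # extensions are optional
        end = pos + 2 + struct.unpack_from("!H", body, pos)[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack_from("!HH", body, pos)
            data = body[pos + 4:pos + 4 + elen]
            if etype == 43 and data:                    # supported_versions
                offered = [struct.unpack_from("!H", data, i)[0]
                           for i in range(1, 1 + data[0], 2)]
            pos += 4 + elen
    return {"record": rec_ver, "legacy": legacy, "supported_versions": offered}

def highest_offered(info: dict) -> str:
    """supported_versions wins when present; otherwise legacy_version is the maximum."""
    known = [v for v in info["supported_versions"] if v in NAMES]  # drops GREASE
    return NAMES[max(known)] if known else NAMES[info["legacy"]]

def build_sample(record_ver: int, legacy: int, versions=()) -> bytes:
    """Constructed ClientHello: empty session id, one cipher suite (0xc030)."""
    lst = b"".join(struct.pack("!H", v) for v in versions)
    ext = struct.pack("!HHB", 43, len(lst) + 1, len(lst)) + lst if versions else b""
    body = (struct.pack("!H", legacy) + bytes(32) + b"\x00" + b"\x00\x02\xc0\x30"
            + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return struct.pack("!BHH", 0x16, record_ver, len(hs)) + hs

if __name__ == "__main__":
    for args in [(0x0301, 0x0303, (0x0304, 0x0303)), (0x0301, 0x0303), (0x0301, 0x0301)]:
        info = parse_client_hello(build_sample(*args))
        print(f"record={NAMES[info['record']]} legacy={NAMES[info['legacy']]} "
              f"max offered={highest_offered(info)}")
```

All three constructed samples show TLS 1.0 at the record layer; only the third, with legacy_version 0x0301 and no supported_versions extension, is a client limited to TLS 1.0.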