I have a quick question regarding TLS on the CPPM. I am currently running version 6.7.9 and we use the captive portal for our guest wifi.
I already disabled TLS 1.0 support in the cluster-wide parameters, but CPPM is still using it for SMTP (to send out the account receipts).
Is there any option to change this by config, or does an update to e.g. 6.9.x solve my issue?
This is the client hello from CPPM:
Does your receiving mail server support TLS1.2 or newer than TLS1.0? I only have a CPPM 6.9.2 to test with, and there with the 'test' and Connection Security set to SSL, I see that TLS1.2 is used from the mail server logs:
Anonymous TLS connection established from unknown: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
I can imagine that the disable TLS setting is not reflected in the mail sending, which 'under the hood' is a separate process from the server processes.
If your question is if ClearPass can send mail over TLS1.2, then the proof is above. If you want to prevent ClearPass from using TLS 1.0, that may be unsupported at the moment. Probably the best option is to check with support for verification.
Thank you Herman!
The CP sends the mails through our O365, which is capable of TLS 1.2 but currently still supports 1.0. Seems the CP on 6.7 is using 1.0 as default when using SMTP, as shown in the pcap. Connection Security in our case is set to StartTLS / Port 587.
I will upgrade our appliances and check the outcome.
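The mail server log line quoted in the reply above gives a way to check the negotiated version from the receiving side. As an added example that is not part of the original thread, this Python script scans log lines in that format and reports clients that negotiated below TLS 1.2. The syslog prefix, the `[ip]` suffix after the host name and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches the "TLS connection established" format quoted in the thread.
# The optional [ip] after the host name is an assumption about the full log format.
TLS_LINE = re.compile(
    r"\w+ TLS connection established from (?P<host>[^\s\[:]+)"
    r"(?:\[(?P<ip>[^\]]+)\])?: "
    r"(?P<proto>SSLv\d|TLSv\d(?:\.\d)?) with cipher (?P<cipher>\S+)"
)

# Protocol strings ordered oldest to newest so they can be compared.
RANK = {"SSLv2": 0, "SSLv3": 1, "TLSv1": 2, "TLSv1.1": 3, "TLSv1.2": 4, "TLSv1.3": 5}

# Constructed sample log; addresses come from documentation ranges.
SAMPLE_LOG = """\
Jan 10 09:14:02 mx1 smtpd[2101]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 10 09:15:40 mx1 smtpd[2107]: Anonymous TLS connection established from unknown[192.0.2.10]: TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)
Jan 10 09:20:11 mx1 smtpd[2113]: Anonymous TLS connection established from unknown[198.51.100.7]: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
Jan 10 09:21:00 mx1 smtpd[2113]: connect from unknown[198.51.100.7]
"""


def parse_tls_lines(lines):
    """Yield (client, protocol, cipher) for every TLS handshake log line."""
    for line in lines:
        m = TLS_LINE.search(line)
        if m:
            # Prefer the IP address; fall back to the logged host name.
            yield m["ip"] or m["host"], m["proto"], m["cipher"]


def legacy_clients(lines, minimum="TLSv1.2"):
    """Map each client that negotiated below `minimum` to {protocol: count}."""
    floor = RANK[minimum]
    found = defaultdict(lambda: defaultdict(int))
    for client, proto, _cipher in parse_tls_lines(lines):
        if RANK.get(proto, -1) < floor:
            found[client][proto] += 1
    return {client: dict(protos) for client, protos in found.items()}


if __name__ == "__main__":
    for client, protos in legacy_clients(SAMPLE_LOG.splitlines()).items():
        for proto, count in protos.items():
            print(f"{client}: {count} session(s) negotiated {proto}")
```

Running it against logs from before and after an upgrade shows whether a given sender still appears in the legacy list.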