Mailing List CGatePro@mail.stalker.com Message #105818
From: James Roman <james.roman@ssaihq.com>
Subject: Re: Error: none of client TLS cipher methods is supported
Date: Wed, 16 Sep 2015 11:01:24 -0400
To: CommuniGate Pro Discussions <CGatePro@mail.stalker.com>
X-Mailer: Apple Mail (2.2104)
Just to correct a statement from an earlier message, to my understanding, Chaining Block Ciphers (CBC) are a method or mode for encrypting data. They are coupled with an algorithm, one of which is AES, for encrypting data in transit.  

I believe that CommuniGate doesn’t separate the CBCs (or any other Block Ciphers) from the protocols in their implementation. None of the Block Cipher methods published (and approved) in the original RFC can be considered safe. In that case, from the CommuniGate server’s perspective, the only safe choice is to only negotiate TLS 1.1 and TLS 1.2. Since the remote server you are speaking with appears to only support TLS 1.0, you need to allow weak ciphers to make CommuniGate accept TLS 1.0 traffic. This is kind of like agreeing that we will communicate using English, but one side is limited to only using a Greek character set. 

If CGP chose to be less RFC-strict, CGP could allow using TLS 1.0 with more secure CBC methods like AES_128 or AES_256 used in TLS 1.1 and 1.2, allowing you to choose à la carte “Allow these encryption protocols” with this list of “Allowed Ciphers”. Unfortunately, with the protocol and block ciphers tied together, we are forced to choose between “Only use secure and approved encryption” or “Allow unsafe Block Ciphers”.

With time, this problem will go away. Older servers and mail appliances will be replaced with upgraded OSes that support TLS 1.1 and higher. 

On Sep 16, 2015, at 7:00 AM, CommuniGate Pro Discussions <CGatePro@mail.stalker.com> wrote:

Thanks, James. I'm still confused about why the two CGP settings mentioned would have resolved this issue.

Tom
