TLS Custom Cipher List changes for MailMarshal Q3 2023 versions


This article applies to:

  • MailMarshal 10.0.7 and above
  • MailMarshal 8.3.2 and later 8.X
  • Trustwave SPE 4.3.4 and above

Question:

  • What changes are required in custom Cipher Lists for MailMarshal versions released in September 2023 (or later)?
  • Why does MailMarshal not negotiate TLS 1.0 or 1.1 after upgrade to 10.0.7 or 8.3.2?

Information:

Customers can enter custom TLS Cipher Lists using the Registry setting or Advanced Setting TLSCipherList. This setting can be present for the Sender and for each Server.

Security settings in the updated TLS/SSL library have changed the default behavior of the cipher lists. These changes affect the library used in MailMarshal 10.0.7 and above, and in 8.X releases 8.3.2 and above.

To preserve the behavior of previous versions, add the following entry to the Cipher Lists:

  • @SECLEVEL=0

For example:

  • ALL:!aNULL:@SECLEVEL=0:@STRENGTH

Notes:

This issue applies only to installations where a custom setting was created.

Customers who have selected one of the options available in the configuration interfaces do not need to take any action. The cipher lists used for these selections are automatically updated.
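
The following is an added example, not Trustwave code, for auditing custom TLSCipherList values around the upgrade: it reports which lists already carry @SECLEVEL=0 and which will fall under the updated library's default. It assumes the values follow OpenSSL cipher-string syntax for separators; the setting names and sample values are constructed for illustration.

```python
import re

# Assumption: TLSCipherList values follow OpenSSL cipher-string syntax, where
# entries are separated by ':' (',' and ' ' are also accepted) and
# "@SECLEVEL=n" sets the security level.
_SEPARATORS = re.compile(r"[:, ]+")
_SECLEVEL = re.compile(r"@SECLEVEL=(\d+)$")


def effective_seclevel(cipher_list):
    """Return the security level set by the list, or None if it sets none.

    If the directive appears more than once, the last occurrence is reported.
    """
    level = None
    for token in _SEPARATORS.split(cipher_list.strip()):
        match = _SECLEVEL.match(token)
        if match:
            level = int(match.group(1))
    return level


def audit(settings):
    """Classify each custom list: 'legacy', 'explicit-N' or 'library-default'."""
    report = {}
    for name, value in settings.items():
        level = effective_seclevel(value)
        if level is None:
            report[name] = "library-default"  # behavior changes with the upgrade
        elif level == 0:
            report[name] = "legacy"           # pre-upgrade behavior preserved
        else:
            report[name] = "explicit-%d" % level
    return report


# Constructed sample values; the setting names are hypothetical labels.
SAMPLE = {
    "Sender": "ALL:!aNULL:@STRENGTH",
    "Server-A": "ALL:!aNULL:@SECLEVEL=0:@STRENGTH",
    "Server-B": "HIGH:!aNULL @SECLEVEL=2",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```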


Last Modified 9/28/2023.
https://support.trustwave.com/kb/KnowledgebaseArticle21203.aspx