Compatibility Issues with the LoadMaster and Cisco IronPort

OpenSSL 1.0.1g included the fix for the Heartbleed vulnerability (CVE-2014-0160), but it also added a new TLS padding extension to the Client Hello. As a result, SSL/TLS negotiation fails on connections that the LoadMaster initiates to a Cisco IronPort.
 
Sample Stream (Wireshark columns: frame number, time, source, destination, protocol, frame length, info)
LoadMaster: 172.16.1.2
Cisco IronPort spam release (TCP port 83): 10.0.12.1
 
1 0.000000000 172.16.1.2 10.0.12.1 TCP 62 5825→83 [SYN] Seq=0 Win=14600 Len=0 MSS=1460 WS=128
2 0.000258000 10.0.12.1 172.16.1.2 TCP 62 83→5825 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1380 WS=8
3 0.000401000 172.16.1.2 10.0.12.1 TCP 60 5825→83 [ACK] Seq=1 Ack=1 Win=14720 Len=0
4 0.000780000 172.16.1.2 10.0.12.1 TLSv1 571 Client Hello
5 0.001061000 10.0.12.1 172.16.1.2 TCP 60 83→5825 [ACK] Seq=1 Ack=518 Win=16040 Len=0
6 0.001064000 10.0.12.1 172.16.1.2 TLSv1 61 Alert (Level: Fatal, Description: Decode Error)
7 0.001187000 172.16.1.2 10.0.12.1 TCP 60 5825→83 [ACK] Seq=518 Ack=8 Win=14720 Len=0
8 0.001261000 10.0.12.1 172.16.1.2 TCP 60 83→5825 [FIN, ACK] Seq=8 Ack=518 Win=16560 Len=0
9 0.003989000 172.16.1.2 10.0.12.1 TCP 60 5825→83 [FIN, ACK] Seq=518 Ack=9 Win=14720 Len=0
 
 
Reading the capture: the Client Hello in frame 4 is a 517-byte TLS record (the IronPort acknowledges sequence number 518 in frame 5), that is, a 5-byte record header plus a handshake message that OpenSSL 1.0.1g has padded to exactly 512 bytes. Instead of a Server Hello, the IronPort answers in frame 6 with a 7-byte fatal alert record (Decode Error) and closes the connection in frame 8.

Cisco IronPort versions before 8.0.1-108 do not handle this TLS padding extension. For more information on the issue, refer to the OpenSSL bug report at the following link:
http://openssl.6102.n7.nabble.com/openssl-org-3336-1-0-1g-breaks-IronPORT-SMTP-appliance-padding-extension-td49856.html.
As a result, a TLS session initiated from a client using OpenSSL 1.0.1g or above, for example a LoadMaster running version 7.1-14 or above, may fail against an unpatched IronPort.
 
To fix this problem, upgrade the IronPort to firmware version 8.0.1-108 or above, then re-test the connection from the LoadMaster.
 