current session encryption strength/cipher strength that is currently running in your MTA

This might be a silly question, but I'm not an Exchange guru. I was assigned the task of setting up a forced TLS connection. The other company was asking us what session encryption strength/cipher strength is currently running on our MTA.

We use Exchange 2010. I did some Google research and found a tool called Zenmap, which basically runs a command to find out the cipher. Below is the result:

Starting Nmap 6.49BETA6 ( https://nmap.org ) at 2015-11-18 16:23 Eastern Standard Time
Nmap scan report for domain.com (74.205.249.46)
Host is up (0.0061s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|       Ciphersuite uses MD5 for message integrity
|       Key exchange parameters of lower strength than certificate key
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A
|     compressors:
|       NULL
|     cipher preference: client
|     warnings:
|       Ciphersuite uses MD5 for message integrity
|       Key exchange parameters of lower strength than certificate key
|_  least strength: D

Nmap done: 1 IP address (1 host up) scanned in 5.63 seconds


I'm not sure what information from that output is the relevant one. Can anyone assist on this?
chipsexperts asked:

Sudeep Sharma, Technical Designer, commented:
This is what that means.

ssl-enum-ciphers:

|   SSLv3:

This means that your server is supporting SSLv3 (which is weak and should not be used), as you can see in another line before it completes the SSLv3 scan, which is:

"..............CBC-mode cipher in SSLv3 (CVE-2014-3566)
Ciphersuite uses MD5 for message integrity........................"

It also listed the different cipher suites SSL supports, which are:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_SHA (rsa 2048) - A

Then comes TLS, where it states that your server supports only TLS v 1.0. There are two other versions of TLS, which are TLS v 1.1 and TLS v 1.2. The ciphers supported by TLS are then listed just like for SSL.

If you have to enforce TLS, you should provide TLS v 1.0 and the ciphers your server supports; however, I would strongly recommend disabling SSL3 and weak ciphers, and also enabling strong ciphers with TLS v 1.2.

I would also recommend checking your server's SSL strength using the link below and making sure your server scores at least an A; A+ is better.
https://www.ssllabs.com/ssltest/

Sudeep
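
To pull the answer to the asker's question out of the scan itself, the sketch below (an added example, not part of the original thread) parses ssl-enum-ciphers output into per-protocol cipher lists and flags what the answer recommends retiring. The sample text is a shortened copy of the quoted scan, and the `LEGACY` deny-list and the function names are this example's own assumptions.

```python
import re

# Constructed sample: a shortened copy of the scan output quoted in the question.
SAMPLE = """\
|   SSLv3:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 1024) - D
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - A
|     warnings:
|       CBC-mode cipher in SSLv3 (CVE-2014-3566)
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 1024) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       Key exchange parameters of lower strength than certificate key
|_  least strength: D
"""
PROTO = re.compile(r"^\|\s+((?:SSLv|TLSv)[\d.]+):\s*$")
CIPHER = re.compile(r"^\|\s+(TLS_\w+) \(([^)]+)\) - ([A-F])\s*$")
LEGACY = ("RC4", "3DES", "MD5")  # assumption: this example's own deny-list

def parse(text):
    """Map each offered protocol to its cipher suites and scanner warnings."""
    report, cur, in_warn = {}, None, False
    for line in text.splitlines():
        if m := PROTO.match(line):
            cur = report.setdefault(m.group(1), {"ciphers": [], "warnings": []})
            in_warn = False
        elif cur is None or line.startswith("|_"):
            continue  # header lines and the closing summary line
        elif m := CIPHER.match(line):
            cur["ciphers"].append(dict(zip(("name", "kex", "grade"), m.groups())))
        elif line.strip("| ") == "warnings:":
            in_warn = True
        elif in_warn:
            cur["warnings"].append(line.strip("| "))
    return report

def review(report):
    """Per protocol: weakest grade offered and the suites this example flags."""
    return {proto: {
        "weakest": max((c["grade"] for c in d["ciphers"]), default=None),
        "flagged": sorted(c["name"] for c in d["ciphers"]
                          if c["grade"] > "A" or any(t in c["name"] for t in LEGACY)),
        "legacy_protocol": proto == "SSLv3",
    } for proto, d in report.items()}
```

The scan in the question covers 443/tcp (HTTPS); for the MTA itself, run the same parsing over output captured from the SMTP port.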
