Exim Allow Weak ciphers setting

How do you have "Allow weak SSL/TLS ciphers" set?

Total voters: 5

Volox

Member
Jun 11, 2017
20
2
3
San Diego
cPanel Access Level
Root Administrator
I have run into an issue where having "Allow weak SSL/TLS ciphers" set to Off causes a scanner to be unable to connect and send outbound emails.

Can someone identify what specific ciphers are enabled or disabled by that setting? I might try to emulate it with a limited cipher list, adding only the one weak cipher that the printer is attempting to use.

Since 'Off' is the default, I would imagine that there are more and more servers set up this way. However, I am curious whether people out there are running the default or changing it to 'On' for compatibility?
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,229
463
Hello @Volox,

Enabling Allow weak SSL/TLS ciphers under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor results in the full removal of the following line from the Exim configuration file (/etc/exim.conf):

Code:
tls_require_ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
This effectively allows the use of all SSL/TLS ciphers with Exim. When Allow weak SSL/TLS ciphers is disabled, the tls_require_ciphers entry above exists in /etc/exim.conf and corresponds to the SSL/TLS Cipher Suite List option under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor. We document more information on how to adjust the cipher list in the document below:

How to Adjust Cipher Protocols - cPanel Knowledge Base - cPanel Documentation

Let me know if you have any questions.

Thank you.
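The tls_require_ciphers line quoted above is an OpenSSL-style colon-separated suite list, and the original poster's idea of keeping that list while adding only the one suite a legacy device needs is safer than switching the option to On (which drops the restriction entirely). The following Python is an added example, not cPanel's or Exim's code: it parses such a line, classifies each suite from its name (forward secrecy, AEAD vs. CBC, known-weak algorithms) and builds the extended list. The classification is a name-based approximation of what `openssl ciphers -v` would report, and the extra suite `AES128-SHA` is a hypothetical placeholder for whatever the device turns out to require.

```python
import re

# Added example (not cPanel's or Exim's own code). On cPanel, Exim is built against
# OpenSSL, so tls_require_ciphers takes a colon-separated list of OpenSSL suite names.
# The heuristics below classify a suite from its name; they approximate OpenSSL's own
# view and are no substitute for `openssl ciphers -v <list>` on the server itself.

# The tls_require_ciphers line quoted in the thread (the cPanel default list).
DEFAULT_LINE = (
    "tls_require_ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

OPTION_RE = re.compile(r"^\s*tls_require_ciphers\s*=\s*(.+?)\s*$")

# Name tokens that mark an encryption algorithm no longer considered safe.
WEAK_ENC_TOKENS = {"RC4", "DES", "3DES", "RC2", "IDEA", "SEED", "NULL", "EXP", "EXPORT"}


def parse_cipher_option(line):
    """Return the suite names from a 'tls_require_ciphers = ...' line ([] if no match)."""
    m = OPTION_RE.match(line)
    if not m:
        return []
    return [s for s in m.group(1).split(":") if s]


def classify_suite(name):
    """Classify an OpenSSL suite name by the properties an admin cares about.

    Returns one of: 'strong', 'acceptable', 'no-forward-secrecy', 'weak'.
    """
    parts = name.split("-")
    forward_secrecy = parts[0] in ("ECDHE", "DHE", "EECDH", "EDH")
    aead = any(p in ("GCM", "POLY1305", "CCM", "CCM8") for p in parts)
    weak_enc = any(p in WEAK_ENC_TOKENS or p.startswith("EXP") for p in parts)
    if weak_enc:
        return "weak"
    if not forward_secrecy:
        return "no-forward-secrecy"   # plain RSA key exchange, e.g. AES128-SHA
    if aead:
        return "strong"
    return "acceptable"   # forward secrecy, but CBC mode with an HMAC


def summarize(suites):
    """Map each classification to the suites that fall under it, preserving order."""
    out = {}
    for s in suites:
        out.setdefault(classify_suite(s), []).append(s)
    return out


def with_extra_suites(suites, extra):
    """Return a colon-separated list: the existing suites plus `extra`, without duplicates.

    This is the 'keep the limited list, add only the suite the client needs' approach
    from the thread, as opposed to removing tls_require_ciphers altogether.
    """
    merged = list(suites)
    for e in extra:
        if e not in merged:
            merged.append(e)
    return ":".join(merged)


if __name__ == "__main__":
    suites = parse_cipher_option(DEFAULT_LINE)
    for category, names in summarize(suites).items():
        print(f"{category}: {', '.join(names)}")
    # Hypothetical extra suite a legacy scanner might need (placeholder, not from the thread).
    print("tls_require_ciphers = " + with_extra_suites(suites, ["AES128-SHA"]))
```

Running it shows that the default list contains only ECDHE suites (six AEAD, four CBC with an HMAC), so anything a client still needs beyond it is either non-forward-secret or uses a deprecated algorithm, which is exactly the trade-off to weigh before appending it.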
 

Volox

Member
Jun 11, 2017
20
2
3
San Diego
cPanel Access Level
Root Administrator
Thanks for the clarification @cPanelMichael!

Is there a way via the logs or some kind of debugging flag that one can determine what cipher a client was attempting to use when they fail a connection attempt in this way? That would definitely make it easier to determine whether it is a cipher I want to consider adding to the default list or whether it is one that is not worth the risk.
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,229
463
Hello @Volox,

You can add +tls_cipher to Exim's log_selector option using the instructions on the resource below:

Tutorial - Reading and Understanding the exim main_log

Per its description:

Thank you.
 

Volox

Member
Jun 11, 2017
20
2
3
San Diego
cPanel Access Level
Root Administrator
That seems to work for successful connections (I can see the cipher in the log for those). But it doesn't work for failed connections. :-(

I'm just getting this in the log file...
Code:
TLS error on connection from [ip address]:58290 (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
47,909
2,229
463
Hello @Volox,

You'd have to temporarily enable Allow weak SSL/TLS ciphers and then monitor the logs to see which connections are using weaker ciphers. Or, enable specific ciphers one-by-one and monitor the number of login failures to see which ones stop working after making each change.

Thank you.
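The procedure above (enable +tls_cipher, temporarily allow weak ciphers, then watch which previously failing clients now connect and with what) is easy to get wrong by eye in a busy exim_mainlog. The following Python is an added example, not cPanel's or Exim's code. It correlates the two kinds of log lines that matter: the "no shared cipher" TLS errors quoted earlier in the thread, and successful connections carrying the negotiated suite in the X= field, assumed here to be the `X=<protocol>:<suite>:<bits>` form Exim writes when built against OpenSSL. The log lines, hostnames and addresses are constructed for the example.

```python
import re
from collections import defaultdict

# Added example (not cPanel's or Exim's own code). Correlates, per client address,
# "no shared cipher" TLS failures with the suites that address later negotiated once
# the cipher list was relaxed. The X= field is assumed to be the OpenSSL-build form
# X=<protocol>:<suite>:<bits>; the log lines below are constructed sample data.

SAMPLE_LOG = """\
2017-06-11 10:00:01 TLS error on connection from (printer.example) [192.0.2.10]:58290 (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2017-06-11 10:00:05 1dJxyz-0001aB-Cd <= user@example.com H=(laptop) [198.51.100.7] P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:user@example.com S=2048
2017-06-11 10:05:01 TLS error on connection from (printer.example) [192.0.2.10]:58301 (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2017-06-11 11:00:00 1dJxyz-0002aB-Cd <= scanner@example.com H=(printer.example) [192.0.2.10] P=esmtpsa X=TLS1.2:AES128-SHA:128 CV=no A=dovecot_login:scanner@example.com S=90112
"""

# First bracketed address on the line (IPv4 or IPv6 literal).
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F:]+)\]")
# The field added by log_selector = +tls_cipher.
CIPHER_RE = re.compile(r"\bX=([^:\s]+):([^:\s]+):(\d+)")


def parse_line(line):
    """Return ('failure', ip), ('cipher', ip, protocol, suite, bits), or None."""
    ip_m = IP_RE.search(line)
    if not ip_m:
        return None
    ip = ip_m.group(1)
    if "TLS error on connection" in line and "no shared cipher" in line:
        return ("failure", ip)
    c = CIPHER_RE.search(line)
    if c:
        return ("cipher", ip, c.group(1), c.group(2), int(c.group(3)))
    return None


def summarize_log(log_text):
    """Per client IP: number of 'no shared cipher' failures and the set of suites negotiated."""
    stats = defaultdict(lambda: {"failures": 0, "suites": set()})
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev[0] == "failure":
            stats[ev[1]]["failures"] += 1
        else:
            stats[ev[1]]["suites"].add(ev[3])
    return dict(stats)


def suites_to_review(stats):
    """Suites negotiated by clients that had 'no shared cipher' failures.

    After the cipher list is temporarily relaxed, these are the suites the previously
    failing clients actually depend on, i.e. the candidates to weigh before adding any
    of them to tls_require_ciphers.
    """
    out = set()
    for s in stats.values():
        if s["failures"]:
            out |= s["suites"]
    return out


if __name__ == "__main__":
    stats = summarize_log(SAMPLE_LOG)
    for ip, s in stats.items():
        print(ip, "failures:", s["failures"], "suites:", sorted(s["suites"]))
    print("candidate suites to review:", sorted(suites_to_review(stats)))
```

Pointing it at the real file (`python3 script.py < /var/log/exim_mainlog` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) gives a short list of suites tied to the addresses that were failing, so the weak-cipher window can be closed again as soon as that list is known.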