

Exim Allow Weak ciphers setting

Discussion in 'E-mail Discussion' started by Volox, Mar 29, 2019.

Poll: How do you have "Allow weak SSL/TLS ciphers" set?

  1. Off: 33.3%
  2. On with a specific SSL/TLS Cipher Suite List: 0 vote(s), 0.0%
  3. On with default SSL/TLS Cipher Suite List: 66.7%
  1. Volox (Member, San Diego; cPanel Access Level: Root Administrator)

    I have run into an issue where having "Allow weak SSL/TLS ciphers" set to Off causes a scanner to be unable to connect and send outbound emails.

    Can someone identify what specific ciphers are enabled or disabled by that setting? I might try to emulate it with a limited cipher list, only adding the one weak cipher that the printer is attempting to use.

    Since 'Off' is the default, I would imagine that there are more and more servers set up this way. However, I am curious whether people out there are running the default or changing to 'On' for compatibility?
     
  2. cPanelMichael (Technical Support Community Manager, Staff Member; cPanel Access Level: Root Administrator)

    Hello @Volox,

    Enabling Allow weak SSL/TLS ciphers under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor results in the full removal of the following line from the Exim configuration file (/etc/exim.conf):

    Code:
    tls_require_ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
    This effectively allows the use of all SSL/TLS ciphers with Exim. When Allow weak SSL/TLS ciphers is disabled, the tls_require_ciphers entry above exists in /etc/exim.conf and corresponds to the SSL/TLS Cipher Suite List option under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor. We document more information on how to adjust the cipher list on the document below:

    How to Adjust Cipher Protocols - cPanel Knowledge Base - cPanel Documentation

    Let me know if you have any questions.

    Thank you.
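    An added example (not cPanel's or Exim's own code) for the decision the original poster is weighing: whether one extra suite for a legacy printer merely adds a non-AEAD suite or also admits a genuinely weak one. It splits a tls_require_ciphers value, classifies each OpenSSL-style suite name by forward secrecy, AEAD mode and known-broken primitives, and reports only what a proposed list adds on top of the current one. The classification is a name-based heuristic (an assumption, not anything OpenSSL or Exim exposes), and the proposed list is a constructed sample built on the list quoted above.

```python
"""Audit an Exim tls_require_ciphers value before loosening it.

Added example, not cPanel's or Exim's own code. The classification is a
heuristic on OpenSSL cipher suite names (an assumption, not an OpenSSL API).
"""

# The list cPanel writes when "Allow weak SSL/TLS ciphers" is off (quoted
# from the thread above).
CPANEL_DEFAULT_LIST = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

# Constructed example: the default list with two suites an old printer
# might insist on appended.
PROPOSED_LIST = CPANEL_DEFAULT_LIST + ":ECDHE-RSA-DES-CBC3-SHA:AES128-SHA"

# Name fragments that mark a suite as broken regardless of anything else.
BROKEN_MARKERS = ("NULL", "EXPORT", "RC4", "RC2", "DES", "MD5", "ADH", "AECDH", "IDEA", "SEED")
# Key-exchange prefixes that give forward secrecy in OpenSSL naming.
PFS_PREFIXES = ("ECDHE-", "DHE-")


def classify_suite(name):
    """Return 'strong', 'legacy' or 'weak' for one OpenSSL-style suite name."""
    n = name.upper()
    if n.startswith("TLS_"):
        return "strong"  # TLS 1.3 suites: always AEAD with ephemeral key exchange
    if any(marker in n for marker in BROKEN_MARKERS):
        return "weak"  # broken primitive or anonymous key exchange
    if not n.startswith(PFS_PREFIXES):
        return "weak"  # static RSA key exchange: no forward secrecy
    if "GCM" in n or "CHACHA20" in n or "CCM" in n:
        return "strong"  # AEAD cipher with forward secrecy
    return "legacy"  # CBC-mode AES with HMAC: not broken, but not AEAD


def parse_cipher_list(value):
    """Split a colon-separated tls_require_ciphers value into suite names."""
    return [s.strip() for s in value.split(":") if s.strip()]


def audit(value):
    """Map every suite in a cipher list to its classification."""
    return {s: classify_suite(s) for s in parse_cipher_list(value)}


def diff_lists(current, proposed):
    """Suites that `proposed` adds on top of `current`, each classified.

    This is the decision point: does the change add only 'legacy' suites,
    or does it also admit 'weak' ones?
    """
    have = set(parse_cipher_list(current))
    return {s: classify_suite(s) for s in parse_cipher_list(proposed) if s not in have}


if __name__ == "__main__":
    for suite, verdict in diff_lists(CPANEL_DEFAULT_LIST, PROPOSED_LIST).items():
        print(f"{verdict:7} {suite}")
```

    Run against the quoted default list, every suite comes out 'strong' or 'legacy' (the four AES-CBC suites are the legacy ones); the two constructed additions both come out 'weak', which is the signal that a specific cipher-suite list extended for one device is still broadening exposure for every client that can talk to the server, not just the printer.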
     
  3. Volox (Member, San Diego; cPanel Access Level: Root Administrator)

    Thanks for the clarification @cPanelMichael!

    Is there a way via the logs or some kind of debugging flag that one can determine what cipher a client was attempting to use when they fail a connection attempt in this way? That would definitely make it easier to determine whether it is a cipher I want to consider adding to the default list or whether it is one that is not worth the risk.
     
  4. cPanelMichael (Technical Support Community Manager, Staff Member; cPanel Access Level: Root Administrator)

    Hello @Volox,

    You can add +tls_cipher to Exim's log_selector option using the instructions on the resource below:

    Tutorial - Reading and Understanding the exim main_log

    Per its description:

    Thank you.
     
  5. Volox (Member, San Diego; cPanel Access Level: Root Administrator)

    That seems to work for successful connections (I can see the cipher in the log for those). But it doesn't work for failed connections. :-(

    I'm just getting this in the log file...
    Code:
    TLS error on connection from [ip address]:58290 (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
     
  6. cPanelMichael (Technical Support Community Manager, Staff Member; cPanel Access Level: Root Administrator)

    Hello @Volox,

    You'd have to temporarily enable Allow weak SSL/TLS ciphers and then monitor the logs to see which connections are using weaker ciphers. Or, enable specific ciphers one-by-one and monitor the number of login failures to see which ones stop working after making each change.

    Thank you.
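    An added example (not cPanel's or Exim's own code) that ties together the three points above: the +tls_cipher log_selector entry makes Exim append X=<protocol>:<cipher>:<bits> to each arrival line, the "no shared cipher" error line carries no cipher at all, and the suggested workaround is to temporarily allow weak ciphers and watch what each host negotiates. The script reads main_log lines, records the suite each remote host negotiated, counts handshake failures per host, and then lists the hosts whose negotiated suite is outside the strict list quoted earlier in the thread, which are exactly the connections that only succeed while weak ciphers are enabled. The log lines are constructed samples (the failure line mirrors the format quoted above); message IDs, hostnames and addresses are made up.

```python
"""Summarize Exim main_log TLS activity per remote host.

Added example, not cPanel's or Exim's own code. With +tls_cipher in
log_selector, Exim appends X=<protocol>:<cipher>:<bits> to each message
arrival line; a handshake that fails with "no shared cipher" is logged
without any cipher, so the best available signal for that host is a count
of failures. The log lines below are constructed samples.
"""
import re
from collections import defaultdict

# Constructed sample log: one host negotiating a strong suite, one old
# device that first fails (cipher list too strict) and later, after weak
# ciphers were temporarily enabled, negotiates a non-PFS suite.
SAMPLE_LOG = """\
2019-03-29 09:12:01 1h9dEb-0001Ab-2X <= scanner@example.net H=(copier-lobby) [192.0.2.20] P=esmtps X=TLSv1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=no S=4123
2019-03-29 09:13:44 TLS error on connection from (fax-unit) [192.0.2.21]:58290 (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2019-03-29 09:15:10 TLS error on connection from (fax-unit) [192.0.2.21]:58301 (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2019-03-29 10:02:37 1h9e0p-0001Cq-7Q <= fax@example.net H=(fax-unit) [192.0.2.21] P=esmtps X=TLSv1:AES128-SHA:128 CV=no S=2210
"""

# The suites cPanel keeps when "Allow weak SSL/TLS ciphers" is off (from the thread).
STRICT_SUITES = set(
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256".split(":")
)

# X=<protocol>:<cipher>:<bits>; the cipher token is taken as-is so that both
# OpenSSL-style and GnuTLS-style names are captured.
CIPHER_RE = re.compile(r"\bX=(?P<proto>[^:\s]+):(?P<cipher>[^:\s]+):(?P<bits>\d+)")
# H=hostname (helo) [ip]: take the bracketed address after H=.
HOST_RE = re.compile(r"\bH=.*?\[(?P<ip>[^\]]+)\]")
# The failure line quoted in the thread, with the address in brackets.
FAIL_RE = re.compile(r"TLS error on connection from .*?\[(?P<ip>[^\]]+)\].*no shared cipher")


def summarize(lines):
    """Return (negotiated, failures).

    negotiated: {ip: {(protocol, cipher), ...}} for completed handshakes
    failures:   {ip: count} for "no shared cipher" handshake errors
    """
    negotiated = defaultdict(set)
    failures = defaultdict(int)
    for line in lines:
        fail = FAIL_RE.search(line)
        if fail:
            failures[fail.group("ip")] += 1
            continue
        cipher = CIPHER_RE.search(line)
        host = HOST_RE.search(line)
        if cipher and host:
            negotiated[host.group("ip")].add((cipher.group("proto"), cipher.group("cipher")))
    return dict(negotiated), dict(failures)


def outside_allowed(negotiated, allowed):
    """Hosts whose negotiated cipher is not in `allowed`: the connections that
    only succeed because weak ciphers are enabled, and so the candidates for
    a narrowly extended list (or for replacing the device)."""
    result = {}
    for ip, pairs in negotiated.items():
        extra = {cipher for _proto, cipher in pairs if cipher not in allowed}
        if extra:
            result[ip] = extra
    return result


if __name__ == "__main__":
    negotiated, failures = summarize(SAMPLE_LOG.splitlines())
    for ip, extra in outside_allowed(negotiated, STRICT_SUITES).items():
        print(f"{ip}: negotiated outside strict list: {sorted(extra)}")
    for ip, count in failures.items():
        print(f"{ip}: {count} handshake failure(s) (no shared cipher)")
```

    To use it on a cPanel server, feed it the lines of /var/log/exim_mainlog (for example `summarize(open("/var/log/exim_mainlog").read().splitlines())`) once +tls_cipher is in log_selector. While weak ciphers are temporarily allowed, the hosts reported by outside_allowed are the ones that would break again when the setting is turned back off, and the failure counts from the period before the change show which of them were already being refused; that is the evidence needed to decide whether a single additional suite is justified for a specific device.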
     