Exim Allow Weak ciphers setting

How do you have "Allow weak SSL/TLS ciphers" set?


Volox

Member
Jun 11, 2017
San Diego
cPanel Access Level
Root Administrator
I have run into an issue where having "Allow weak SSL/TLS ciphers" set to Off causes a scanner to be unable to connect and send outbound emails.

Can someone identify what specific ciphers are enabled or disabled by that setting? I might try to emulate this with a limited cipher list, adding only the one weak cipher that the printer is attempting to use.

Since 'Off' is the default, I would imagine that there are more and more servers set up this way. However, I am curious whether people out there are running the default or changing to 'On' for compatibility?

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @Volox,

Enabling Allow weak SSL/TLS ciphers under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor results in the full removal of the following line from the Exim configuration file (/etc/exim.conf):

Code:
tls_require_ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
This effectively allows the use of all SSL/TLS ciphers with Exim. When Allow weak SSL/TLS ciphers is disabled, the tls_require_ciphers entry above exists in /etc/exim.conf and corresponds to the SSL/TLS Cipher Suite List option under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor. We document more information on how to adjust the cipher list in the document below:

How to Adjust Cipher Protocols - cPanel Knowledge Base - cPanel Documentation

Let me know if you have any questions.

Thank you.
 

Volox

Member
Jun 11, 2017
San Diego
cPanel Access Level
Root Administrator
Thanks for the clarification @cPanelMichael!

Is there a way via the logs or some kind of debugging flag that one can determine what cipher a client was attempting to use when they fail a connection attempt in this way? That would definitely make it easier to determine whether it is a cipher I want to consider adding to the default list or whether it is one that is not worth the risk.
 

Volox

Member
Jun 11, 2017
San Diego
cPanel Access Level
Root Administrator
> cPanelMichael said:
>
> Hello @Volox,
>
> You can add +tls_cipher to Exim's log_selector option using the instructions on the resource below:
>
> Tutorial - Reading and Understanding the exim main_log
>
> Per its description:
>
>
>
> Thank you.
That seems to work for successful connections (I can see the cipher in the log for those). But it doesn't work for failed connections. :-(

I'm just getting this in the log file...
Code:
TLS error on connection from [ip address]:58290 (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
 

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello @Volox,

You'd have to temporarily enable Allow weak SSL/TLS ciphers and then monitor the logs to see which connections are using weaker ciphers. Or, enable specific ciphers one-by-one and monitor the number of login failures to see which ones stop working after making each change.

Thank you.
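As an added example (not from the thread, and not cPanel's own code), the following Python script applies the advice above to Exim's main_log: it counts "no shared cipher" handshake failures per client IP, and for sessions logged with the +tls_cipher X= field it reports which negotiated ciphers fall outside the tls_require_ciphers list quoted earlier in the thread, so you can see what you would be enabling before relaxing the list. The log lines are constructed samples in Exim's log format, not real traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Exim main_log format (not from the thread). Assumes
# log_selector includes +tls_cipher, so TLS sessions carry an "X=proto:cipher:bits" field.
SAMPLE_LOG = """\
2017-06-12 09:01:02 1dKx1a-0001Qz-2P <= printer@example.net H=(printer) [192.0.2.10] P=esmtpsa X=TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:user S=1450
2017-06-12 09:02:15 TLS error on connection from [192.0.2.20]:58290 (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2017-06-12 09:02:40 TLS error on connection from [192.0.2.20]:58291 (SSL_accept): error:1408A0C1:SSL routines:ssl3_get_client_hello:no shared cipher
2017-06-12 09:05:03 1dKx5b-0001R1-3Q <= scan@example.net H=(scanner) [192.0.2.30] P=esmtpsa X=TLSv1:AES128-SHA:128 CV=no A=dovecot_login:user S=2210
"""

# The tls_require_ciphers value WHM writes when "Allow weak SSL/TLS ciphers" is Off
# (copied from cPanelMichael's reply above).
STRONG_LIST = ("ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
               "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
               "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
               "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
               "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256")

NO_SHARED = re.compile(r"TLS error on connection from \[([^\]]+)\]:\d+ .*no shared cipher")
CIPHER = re.compile(r"\[([^\]]+)\] .*?X=([^:\s]+):([^:\s]+):(\d+)")

def analyse(log_text, allowed=STRONG_LIST):
    """Return (failures per IP, {ip: {(proto, cipher)}}, ciphers seen outside `allowed`)."""
    failures = Counter()
    seen = defaultdict(set)
    allowed_set = set(allowed.split(":"))
    for line in log_text.splitlines():
        m = NO_SHARED.search(line)
        if m:                      # client offered nothing in tls_require_ciphers
            failures[m.group(1)] += 1
            continue
        m = CIPHER.search(line)    # successful session with the X= cipher field
        if m:
            ip, proto, cipher, _bits = m.groups()
            seen[ip].add((proto, cipher))
    outside = {c for ciphers in seen.values() for _p, c in ciphers if c not in allowed_set}
    return failures, dict(seen), outside

if __name__ == "__main__":
    fails, seen, outside = analyse(SAMPLE_LOG)
    for ip, n in fails.most_common():
        print(f"{ip}: {n} 'no shared cipher' failures")
    for ip, ciphers in seen.items():
        print(f"{ip}: negotiated {sorted(ciphers)}")
    print("ciphers seen outside the strong list:", sorted(outside))
```

Run it against a copy of /var/log/exim_mainlog instead of SAMPLE_LOG to see which clients fail the handshake entirely and which only connect once a cipher outside the strong list is allowed.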