False positive on PCI scan?

[GreybeardITGuy]

Hello,

I received a warning about weak ciphers on the mailserver ports (587, 465, 26, 25) with our PCI scan. I adjusted both dovecot and exim to use the hardened ciphers, but this morning I am still getting flagged for weak ciphers. I dug into the report and it's reporting the following ciphers as being present (see attachment):

AECDH-RC4-SHA
AECDH-DES-CBC3-SHA
AECDH-AES128-SHA
AECDH-AES256-SHA
RC4-MD5
RC4-SHA
AECDH-RC4-SHA

When I go into WHM and look at the cipher settings for dovecot and exim I do not see any of these ciphers listed.

Dovcot:

ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

Exim:

ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

This smells like a false positive, but I don't want to assume anything in regarding to PCI. I made similar adjustments for webdisk, cpanel services, and apache but again, it's flagging the mailserver ports, not port 80 or 443.

What am I missing? TIA!

 

[cPanelLauren]

Hello @GreybeardITGuy

If you go to WHM>>Service Configuration >>Exim Configuration Manager -> Security, what do you have set for Allow weak SSL/TLS Ciphers?

 

[GreybeardITGuy]

It is set to off.

 

[cPanelLauren]

Can you please open a ticket using the link in my signature? Once open please reply with the Ticket ID here so that we can update this thread with the resolution once the ticket is resolved.


Thanks!

 

[GreybeardITGuy]

13625449

 

[cPanelLauren]

Hello,

Great, thank you. I'm watching that ticket and I'll update here with the end result. There are too many variables in this situation for me to tell you specifically if it's a false positive or not, so a ticket was definitely the best way to go.


Thanks!

 

[GreybeardITGuy]

The issue was that the basic editor was correct, but the advanced editor had a lower security cipher / protocol defined which overrode the basic setting. That was resolved by your team and all issues are resolved. Thanks

 

[cPanelLauren]

Hi @GreybeardITGuy

I'm really glad that you were able to get the issue resolved and that they were able to identify the issue. Thank you for following up here as well.