How do I disable TLS v1.0 and v1.1 on Exim?

budiantoip

Registered
Jun 2, 2022
2
1
3
Indonesia
cPanel Access Level
Website Owner
When I ran this command in my terminal:
openssl s_client -connect www.domain.com:465 -tls1

and it displayed this output:
SSL-Session:
Protocol : TLSv1
Cipher : ECDHE-RSA-AES256-SHA
Session-ID: B4C5934D812CAE5460DF87317C1AD76EF0998DD7B228EB631477DCB831B8
Session-ID-ctx:
Master-Key: F7D4F5FF850193E9C746AF3B59AE5B06892805AFC6528F82389684989441156D011FFB79D2D6E653C2ED4E568961
Start Time: 1654225000
Timeout : 7200 (sec)
Verify return code: 0 (ok)

Which I believe TLSv1.0 is enabled.

Currently the SSL protocols used by Exim are these:
+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1

Should I change it to:
+no_sslv2 +no_sslv3 +no_tlsv1_2 +no_tlsv1_3
Or to:
+no_sslv2 +no_sslv3

How do I know the possible values for these protocols on Exim? And is it safe to completely remove the TLS v1.0 and TLS v1.1?
 
Last edited by a moderator:

cPRex

Jurassic Moderator
Staff member
Oct 19, 2014
11,731
1,864
363
cPanel Access Level
Root Administrator
Hey there! From our documentation here:


Code:
    cPanel & WHM only supports TLSv1.2 or newer. The system enables TLSv1.2 by default.
    Not all clients will support TLSv1.3, which requires OpenSSL 1.1.1 or higher.
I specifically linked the version 86 page of the documentation to show that's been in place for several years.

For reference, here are the default ciphers in WHM >> Mailserver Configuration:

Code:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Code:
+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 default
 
  • Like
Reactions: budiantoip

budiantoip

Registered
Jun 2, 2022
2
1
3
Indonesia
cPanel Access Level
Website Owner
Hey there! From our documentation here:


Code:
    cPanel & WHM only supports TLSv1.2 or newer. The system enables TLSv1.2 by default.
    Not all clients will support TLSv1.3, which requires OpenSSL 1.1.1 or higher.
I specifically linked the version 86 page of the documentation to show that's been in place for several years.

For reference, here are the default ciphers in WHM >> Mailserver Configuration:

Code:
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Code:
+no_sslv2 +no_sslv3 +no_tlsv1 +no_tlsv1_1 default
Awesome, thank you!
 
  • Like
Reactions: cPRex