
Mailserver does not enforce SSL ciphersuite order preference

Discussion in 'E-mail Discussions' started by janipewter, Nov 29, 2017.

  1. janipewter

    janipewter Member

    My SSL ciphersuite list is set as follows:

    ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

    This is Mozilla's recommended "modern" configuration.

    However the server does not enforce the order preference, and there is no option in WHM to make it do so. Obviously I would prefer all clients to use AES256 or CHACHA20 if they are capable.
     
  2. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    Here's a quote from the Exim documentation that may relate to your question:

    Can you try moving the ciphers you want prioritized to the beginning of the cipher suite entry to see if that does what you are seeking?

    Note that for Apache, we have a feature request you can vote for and monitor at:

    SSLHonorCipherOrder on Apache

    Thank you.
     
  3. janipewter

    janipewter Member

    Thank you, that is interesting. The ciphers are in the order I would like them to be selected by the client. Whether or not the clients all recognise this order I'm not sure, although it would be logical. What I was looking for was an option analogous to HonorCipherOrder, but for Exim. I only discovered this after running the server test on hardenize.com (from the same developers as the Qualys SSLLabs test but much more in depth, and not just for HTTP). It clearly shows that the server advertises the correct cipher suites, but with no order preference.

    You should definitely implement that. I've had it in the PreMainInclude since day one, but it would be nice if there was an option for it. Also, please see my other thread: More customisation in AutoSSL

    Thanks.
     
  4. cPanelMichael

    cPanelMichael Forums Analyst
    Staff Member

    Hello,

    The ability to configure the priority of the ciphers that are presented to a user's email client could be limited to the extent of what Exim allows, but I still encourage you to open a feature request using the following URL so that our Developers can review the request and determine if it's something we could implement:

    Submit A Feature Request

    Thank you.
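
One way to check for yourself whether a mail server applies its own cipher order, as an added example that is not part of the thread and not the method of any scanner mentioned in it: offer the same two suites in both orders and compare what the server selects. The function names, the simulated server and the host name `mail.example.com` are assumptions made for illustration.

```python
import smtplib
import ssl

def negotiate_smtp(host, ciphers, port=25):
    """Return the suite a STARTTLS server selects for a client-ordered offer."""
    ctx = ssl.create_default_context()
    # set_ciphers() only governs TLS 1.2 and below, so cap the version.
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ciphers))
    with smtplib.SMTP(host, port, timeout=15) as smtp:
        smtp.starttls(context=ctx)
        return smtp.sock.cipher()[0]

def simulated_server(server_list, honor_server_order):
    """Constructed stand-in for a TLS server, used to run the probe offline."""
    def negotiate(offer):
        shared = [s for s in (server_list if honor_server_order else offer)
                  if s in server_list and s in offer]
        if not shared:
            raise ssl.SSLError("no shared cipher")
        return shared[0]
    return negotiate

def classify_order(negotiate, first, second):
    """Offer two suites in both orders; report whose preference wins."""
    for suite in (first, second):
        try:
            negotiate([suite])  # both must be accepted alone, or the test is void
        except OSError:
            return "inconclusive: %s not accepted" % suite
    picked_fwd = negotiate([first, second])
    picked_rev = negotiate([second, first])
    if picked_fwd == picked_rev:
        return "server-preference: " + picked_fwd
    return "client-preference"

# Constructed sample: two RSA suites from the list in the first post.
AES256 = "ECDHE-RSA-AES256-GCM-SHA384"
AES128 = "ECDHE-RSA-AES128-GCM-SHA256"

if __name__ == "__main__":
    for honor in (True, False):
        server = simulated_server([AES256, AES128], honor)
        print(honor, classify_order(server, AES256, AES128))
    # Against a real host (hypothetical name):
    # classify_order(lambda c: negotiate_smtp("mail.example.com", c), AES256, AES128)
```

Both suites use the same key type, so the certificate in use does not bias the result; the probe says nothing about TLS 1.3, where the suites are configured separately.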
     