Question
How do you enable TLS 1.0/1.1 support for CloudLinux 8, AlmaLinux 8 or Rocky Linux 8 in Exim?
Warning: This procedure enables the usage of less secure communication methods. This is not a recommended security practice, and anyone requiring these changes should discuss this matter with a qualified system administrator before implementing them; a list of system administrators is available here:
System Administration Services
Answer
If you have upgraded your server and still require TLS 1.0 or TLS 1.1, the steps below show how to enable them.
Red Hat Enterprise Linux 8-based distributions use the crypto policy "DEFAULT", which only allows TLS 1.2 and later. To enable TLS 1.0/1.1 support, the policy needs to be set to "LEGACY".
Here is the documentation on the Crypto Policy changes:
CHAPTER 4. USING SYSTEM-WIDE CRYPTOGRAPHIC POLICIES
- Run this command, then restart the server:
  # update-crypto-policies --set LEGACY
- Log in to WHM as the root user.
- Navigate to Home / Service Configuration / Exim Configuration Manager / Basic Editor.
- Make the following changes:
  - Allow Weak SSL/TLS Ciphers: set to On
  - Options for OpenSSL: set to +no_sslv2 +no_sslv3
  - SSL/TLS Cipher Suite List: must contain this string:
    ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DS
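The cipher string above is an OpenSSL rule string, and what it really enables depends on the OpenSSL build on the host. The following Python script is an added example (not from the cPanel article or cPanel's own tooling): it feeds the article's string, copied verbatim, to the local OpenSSL through Python's ssl module and groups the resulting suites by the minimum protocol version each one needs, so you can see which suites a TLS 1.0/1.1 peer could actually negotiate once those versions are allowed. The helper names expand_cipher_string, usable_at and report are this example's own.

```python
"""Expand an OpenSSL cipher string and group the suites by minimum protocol.

Added example, not part of the cPanel article. It asks the local OpenSSL
(via Python's ssl module) which suites the article's cipher string enables
and which of them are usable below TLS 1.2.
"""
import ssl

# Cipher string from the article, copied as-is. Its trailing "!DS" token is
# truncated on the page; OpenSSL silently ignores rule tokens it does not
# recognise, so the string still loads.
CPANEL_CIPHER_STRING = (
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:"
    "DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:"
    "EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DS"
)

# Rank of the version strings OpenSSL reports as a suite's minimum protocol
# (older builds say "SSLv3" where newer ones say "TLSv1.0" for SHA-1 CBC suites).
_VERSION_RANK = {"SSLv3": 0, "TLSv1.0": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def expand_cipher_string(cipher_string):
    """Return the suites the local OpenSSL enables for cipher_string.

    Each entry is the dict ssl.SSLContext.get_ciphers() produces, with
    'name' (the OpenSSL name) and 'protocol' (the minimum version). Raises
    ssl.SSLError when nothing matches at all, i.e. when the library build
    or the system crypto policy has removed every listed cipher.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def usable_at(suites, version):
    """Names of the suites whose minimum protocol is at or below version."""
    limit = _VERSION_RANK[version]
    return [s["name"] for s in suites
            if _VERSION_RANK.get(s["protocol"], 99) <= limit]


def report(cipher_string=CPANEL_CIPHER_STRING):
    """Print the enabled suites grouped by minimum protocol; return the groups."""
    suites = expand_cipher_string(cipher_string)
    by_version = {}
    for s in suites:
        by_version.setdefault(s["protocol"], []).append(s["name"])
    for version in sorted(by_version, key=lambda v: _VERSION_RANK.get(v, 99)):
        print(f"{version}: {len(by_version[version])} suite(s)")
        for name in by_version[version]:
            print(f"    {name}")
    legacy = usable_at(suites, "TLSv1.1")
    print(f"\n{len(legacy)} suite(s) could be negotiated by a TLS 1.0/1.1 peer")
    return by_version


if __name__ == "__main__":
    report()
```

Run it on the mail server itself to see the real list: suites the build has dropped (3DES on many modern OpenSSL builds) simply do not appear. The expansion only tells you which suites are offered; whether a TLS 1.0 handshake is accepted at all is still decided by the system-wide policy's minimum protocol version, which is why the policy change is the first step above.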
The changes can be confirmed with this nmap command:
# nmap --script ssl-enum-ciphers -p 465 <ip_address_or_hostname>
Note: You can learn how to use nmap here:
How to use nmap to troubleshoot port connectivity issues
The output should appear similar to the following if properly applied:
Starting Nmap 6.40 ( http://nmap.org ) at 2021-03-30 00:21 CDT
Nmap scan report for 203.0.113.2
Host is up (0.0018s latency).
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds
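Reading that output by eye is fine for one host; when the same scan is run periodically to confirm that the legacy settings are still exactly what was intended, a parser is more reliable. The Python script below is an added example (not from the cPanel article): it parses the ssl-enum-ciphers output format shown above, reports which protocol versions the server accepted (distinguishing a probed-but-refused version such as the SSLv3 line from one that was never probed), and tags the suites a defender will want to track, namely 3DES, CBC-mode and static-RSA suites without forward secrecy. SAMPLE_SCAN is a constructed, abbreviated copy of the article's output, and parse_enum_ciphers, classify, summarize and print_report are this example's own names.

```python
"""Parse nmap ssl-enum-ciphers output and flag legacy TLS exposure.

Added example, not part of the cPanel article. It reads the text that
`nmap --script ssl-enum-ciphers` prints (the format shown in the article)
and reports which protocol versions the server accepted plus the cipher
suites a defender would want to keep an eye on once TLS 1.0/1.1 are back.
"""
import re
from collections import OrderedDict

# Constructed sample: an abbreviated copy of the nmap 6.40 output in the
# article (a few suites per protocol), not a live scan result.
SAMPLE_SCAN = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2021-03-30 00:21 CDT
Nmap scan report for 203.0.113.2
Host is up (0.0018s latency).
PORT    STATE SERVICE
465/tcp open  smtps
| ssl-enum-ciphers:
|   SSLv3: No supported ciphers found
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds
"""

LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# "|   TLSv1.0:" or "|   SSLv3: No supported ciphers found"
_PROTO_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):")
# "|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong"
_CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+-\s+\w+")


def parse_enum_ciphers(text):
    """Return an ordered {protocol: [suite, ...]} mapping.

    A version the script probed but the server refused (the
    'No supported ciphers found' case) maps to an empty list, so callers
    can tell 'refused' from 'not probed at all' (absent from the mapping).
    """
    protocols = OrderedDict()
    current = None
    for line in text.splitlines():
        m = _PROTO_RE.match(line)
        if m:
            current = m.group(1)
            protocols[current] = []
            continue
        m = _CIPHER_RE.match(line)
        if m and current is not None:
            protocols[current].append(m.group(1))
    return protocols


def classify(suite):
    """Tag one IANA suite name with the properties a defender tracks."""
    tags = []
    if "3DES" in suite:
        tags.append("3des")      # 64-bit block cipher (Sweet32 class)
    if "_CBC_" in suite:
        tags.append("cbc")       # CBC mode rather than an AEAD mode
    if suite.startswith("TLS_RSA_WITH_"):
        tags.append("no-pfs")    # static RSA key exchange, no forward secrecy
    return tags


def summarize(text):
    """Return the parsed protocols, the legacy versions accepted, and tagged suites."""
    protocols = parse_enum_ciphers(text)
    legacy_enabled = [p for p, suites in protocols.items()
                      if p in LEGACY_PROTOCOLS and suites]
    findings = OrderedDict()
    for proto, suites in protocols.items():
        for suite in suites:
            tags = classify(suite)
            if tags:
                entry = findings.setdefault(suite, {"tags": tags, "protocols": []})
                entry["protocols"].append(proto)
    return {"protocols": protocols, "legacy_enabled": legacy_enabled,
            "findings": findings}


def print_report(text=SAMPLE_SCAN):
    """Print a short audit report for one scan; return the summary dict."""
    result = summarize(text)
    for proto, suites in result["protocols"].items():
        print(f"{proto}: {len(suites)} suite(s)" if suites else f"{proto}: refused")
    print("legacy protocols accepted:", ", ".join(result["legacy_enabled"]) or "none")
    for suite, info in result["findings"].items():
        print(f"  {suite}: {','.join(info['tags'])} "
              f"(offered on {', '.join(info['protocols'])})")
    return result


if __name__ == "__main__":
    print_report()
```

To use it on real output, pipe the nmap result into a file and pass its contents to summarize(); a non-empty legacy_enabled list is the expected state after the procedure above, and an empty one means the policy or Exim settings did not take effect.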