Exim Allow Weak ciphers setting
I have run into an issue where having "Allow weak SSL/TLS ciphers" set to Off causes a scanner to be unable to connect and send outbound emails.
Can someone identify what specific ciphers are enabled or disabled by that setting? I might try to emulate with a limited ciphers list and only adding the one weak one that the printer is attempting to use.
Since 'Off' is the default, I would imagine that there are more and more servers set up this way. However, I am curious whether people out there are running the default or changing to 'on' for compatibility?
Hello @Volox, Enabling Allow weak SSL/TLS ciphers under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor results in the full removal of the following line from the Exim configuration file (/etc/exim.conf): tls_require_ciphers = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
This effectively allows the use of all SSL/TLS ciphers with Exim. When Allow weak SSL/TLS ciphers is disabled, the tls_require_ciphers entry above exists in /etc/exim.conf and corresponds to the SSL/TLS Cipher Suite List option under the Security tab in WHM >> Exim Configuration Manager >> Basic Editor. We document more information on how to adjust the cipher list on the document below:
Thanks for the clarification @cPanelMichael! Is there a way via the logs or some kind of debugging flag that one can determine what cipher a client was attempting to use when they fail a connection attempt in this way? That would definitely make it easier to determine whether it is a cipher I want to consider adding to the default list or whether it is one that is not worth the risk.
Hello @Volox, You'd have to temporarily enable Allow weak SSL/TLS ciphers and then monitor the logs to see which connections are using weaker ciphers. Or, enable specific ciphers one-by-one and monitor the number of login failures to see which ones stop working after making each change. Thank you.
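An added example (not cPanel's or the thread's own code) of the log-monitoring step described above: after temporarily enabling the weak ciphers, this script scans Exim main-log lines for the negotiated cipher and lists the clients whose cipher is absent from the default tls_require_ciphers list quoted earlier in the thread. It assumes Exim's default log selector, which records the cipher as `X=<protocol>:<cipher>:<bits>` in OpenSSL naming; the log lines are constructed samples.

```python
import re

# The tls_require_ciphers list quoted in the thread (cPanel's default when
# "Allow weak SSL/TLS ciphers" is Off).
DEFAULT_TLS_REQUIRE_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)

# Exim's main log carries the negotiated cipher as X=<proto>:<cipher>:<bits>
# (assumed OpenSSL naming) and the peer as H=<name> (<helo>) [<ip>].
_X_FIELD = re.compile(r"\bX=(?P<proto>[^:\s]+):(?P<cipher>[^:\s]+):(?P<bits>\d+)")
_H_FIELD = re.compile(r"\bH=(?P<host>.*?)(?= [A-Z]{1,2}=|$)")

def parse_cipher_list(cipher_list):
    """Split an OpenSSL-style colon-separated cipher list into a set."""
    return set(cipher_list.split(":"))

def find_weak_cipher_clients(log_lines, allowed=None):
    """Return (host, protocol, cipher) for every TLS log line whose cipher
    is not in the allowed list; lines without an X= field are skipped."""
    if allowed is None:
        allowed = parse_cipher_list(DEFAULT_TLS_REQUIRE_CIPHERS)
    hits = []
    for line in log_lines:
        m = _X_FIELD.search(line)
        if not m or m.group("cipher") in allowed:
            continue
        h = _H_FIELD.search(line)
        host = h.group("host") if h else "?"
        hits.append((host, m.group("proto"), m.group("cipher")))
    return hits

# Constructed sample lines in Exim main-log format (not real traffic).
SAMPLE_LOG = [
    "2024-01-15 09:12:01 1rPabc-000123-Ab <= scan@example.com H=printer.lan (MFP) [192.0.2.10] P=esmtps X=TLS1.0:AES128-SHA:128 CV=no S=4096",
    "2024-01-15 09:12:05 1rPabd-000124-Cd <= user@example.com H=laptop.lan [192.0.2.20] P=esmtpsa X=TLS1.2:ECDHE-RSA-AES256-GCM-SHA384:256 CV=no A=dovecot_login:user S=2048",
    "2024-01-15 09:13:10 1rPabe-000125-Ef => user@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [198.51.100.5] X=TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128 CV=yes",
    "2024-01-15 09:14:00 1rPabf-000126-Gh <= info@example.com H=legacy.lan [192.0.2.30] P=esmtps X=TLS1.2:DHE-RSA-AES256-SHA:256 CV=no S=512",
    "2024-01-15 09:15:00 1rPabg-000127-Ij <= plain@example.com H=old.lan [192.0.2.40] P=esmtp S=300",
]

if __name__ == "__main__":
    for host, proto, cipher in find_weak_cipher_clients(SAMPLE_LOG):
        print(f"{host}: {proto} {cipher} (not in tls_require_ciphers)")
```

Point it at /var/log/exim_mainlog while the weak-cipher setting is temporarily on; each reported cipher can then be added one at a time to the SSL/TLS Cipher Suite List instead of leaving every cipher enabled.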