mailserver test problem with "key exchange parameters"

Discussion in 'General' started by Robin.k, Aug 7, 2021.

  1. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    They break compatibility with older (cough very old cough) clients, which is why I haven't implemented this for all ISPConfig users yet.
     
  2. Robin.k

    Robin.k Member

    Hi, thanks for the info

    Almost 100% website
    Only one error... What to change in
    /etc/apache2/mods-available/ssl.con

    Internet.nl gives me
    Ciphers (Algorithm selections)
    Verdict:
    Your web server supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure.

    Technical details:
    Web server IP address Affected ciphers Status

    ... AES128-GCM-SHA256 phase out
    ... AES256-GCM-SHA384 phase out
    ... AES128-SHA256 phase out
    ... AES128-SHA phase out
    ... AES256-SHA phase out

    Thanks
     
  3. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can add
    Code:
    SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384"
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
    for that, but you should comment out the SSLCipherSuite and SSLProtocol lines earlier in the file.
     
  4. Jesse Norell

    Jesse Norell Well-Known Member Staff Member Howtoforge Staff

    There is a setting for the security level of a web server, I believe - maybe the web settings would be appropriate for systems set to high security level?
     
  5. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Yes, we could do that.
     
  6. Robin.k

    Robin.k Member

    Hi Thom,
    I tried this, but there is no difference, always the same affected ciphers. No matter what I do or change in the "SSLCipherSuite" line.

    Any suggestions?

    Ciphers (Algorithm selections)
    Verdict:
    Your web server supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure.

    Technical details:
    Web server IP address Affected ciphers Status
    ... AES128-SHA phase out
    ... AES128-GCM-SHA256 phase out
    ... AES256-GCM-SHA384 phase out
    ... AES128-SHA256 phase out
    ... AES256-SHA phase out
     
  7. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Have you commented out the other setting?

    You might need to create a custom vhost template for your sites that removes the setting from the vhost; I can check that when I'm in the office.
     
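An added check for the two problems the replies above point at (post 3: the earlier SSLCipherSuite/SSLProtocol lines must be commented out, because Apache keeps the last occurrence; post 7: a directive elsewhere may still be the one in effect). This is example code written for this page, not the thread's or ISPConfig's; it assumes Python 3 and a constructed sample config, and it only inspects explicitly named suites (keywords such as HIGH are left to `openssl ciphers -v`).

```python
import re

# Constructed sample ssl.conf fragment (hypothetical, not the poster's real file): the
# distribution's original directives were left active above the newly added ones.
SAMPLE_CONF = """\
<IfModule mod_ssl.c>
    SSLCipherSuite HIGH:!aNULL:AES128-SHA
    SSLProtocol all -SSLv3
    # SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256   (commented out, so ignored)
    SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES256-SHA"
    SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
</IfModule>
"""

DIRECTIVE_RE = re.compile(r"^(SSLCipherSuite|SSLProtocol)\s+(.+)$", re.I)

def active_directives(conf_text):
    """(line_no, directive, value) for each SSLCipherSuite/SSLProtocol line Apache will read."""
    found = []
    for n, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # commented-out lines are not directives
        m = DIRECTIVE_RE.match(line)
        if m:
            found.append((n, m.group(1), m.group(2).strip().strip('"')))
    return found

def shadowed(directives):
    """Occurrences overridden by a later copy of the same directive (Apache keeps the last one)."""
    last = {name.lower(): n for n, name, _ in directives}
    return [(n, name) for n, name, _ in directives if last[name.lower()] != n]

def non_pfs_suites(cipher_string):
    """Named suites without ECDHE/DHE key exchange, i.e. the 'phase out' names in the report.
    Keywords such as HIGH are not expanded here; `openssl ciphers -v HIGH` shows what they contain."""
    weak = []
    for tok in cipher_string.split(":"):
        if tok.startswith(("!", "-")):  # removed from the list, never offered
            continue
        name = tok.lstrip("+")
        if "-" in name and name.isupper() and not name.startswith(("ECDHE-", "DHE-")):
            weak.append(name)
    return weak

def audit(conf_text):
    """Both problems for one config file: dead directives and non-PFS suites per active line."""
    d = active_directives(conf_text)
    return {"shadowed": shadowed(d),
            "non_pfs": {n: non_pfs_suites(v) for n, name, v in d if name.lower() == "sslciphersuite"}}
```

Run `audit()` over ssl.conf and over the generated vhost file as well, since a directive in the vhost takes effect for that site regardless of what ssl.conf says.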
