
SSL Cipher strength RC4

stefanoostwegel

Basic Pleskian
Hello,

Recently I have upgraded my system to Plesk 12 and I'm loving it.
After upgrading I started checking and fixing all my SSL shortcomings.
I think I've come from a far end upgrading it.

One of the fixes was the POODLE fix, which recommended upgrading cipher suites.
When analysing my cipher suites with the SSL Labs testing suite I get the following errors:

TLS_RSA_WITH_RC4_128_MD5 (0x4) WEAK128
TLS_RSA_WITH_RC4_128_SHA (0x5) WEAK128
TLS_ECDHE_RSA_WITH_RC4_128_SHA (0xc011) WEAK128
RC4Yes WEAK
I cannot find a way to remove the weak RC4 protocol and the other three weaknesses. Any suggestions how to do so?
Thank you!
 
OK, I have added the following changes:

Apache HTTPD Server
/etc/httpd/conf.d/ssl.conf
#SSLProtocol All -SSLv2 -SSLv3
#SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

Then I changed the following:
/etc/courier-imap/pop3d-ssl
/etc/courier-imap/imapd-ssl
#TLS_PROTOCOL=TLSv1+
# TLS_CIPHER_LIST="ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"

So now, when I perform my check at ssllabs.com, the error occurs:
This server accepts the RC4 cipher, which is weak. Grade capped to B

and
The server does not support Forward Secrecy with the reference browsers.
"
IE 6 / XP No FS 1 No SNI 2Protocol or cipher suite mismatchFail"

So whatever I try, I keep getting these errors.
As far as I could search the web, these are the best ciphers to use, yet it didn't seem to work.

In order to make my changes work I reconfigured Apache, restarted the Apache engine, and restarted both pop3d and imapd.

I am not using nginx, and I cannot find out what else I am using for the email system, but according to http://kb.odin.com/en/123160 this is about it.

Does this information provide better insights into my problem?
Thank you for your time!


[edit]
Sorry, can't get these smileys away -,-'[/edit]

 
Hi stefanoostwegel,

If you use "#" in front of your depending settings, then the settings are ignored, due to the fact that such a "#" is used for comments and descriptions only. Please remove them to let Apache read the additional configurations.

Be as well aware that your additional "ssl.conf" might conflict with existing vhost configurations, so please integrate your additional settings as suggested in the "custom templates" (please see again the whole mentioned KB article 123160) and rebuild your configurations with the command:

/usr/local/psa/admin/sbin/httpdmng --reconfigure-all
... and restart your webserver afterwards.
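As an added illustration of the point made above (this is example code, not from the thread, from Plesk or from Apache), a small Python audit that flags SSLProtocol and SSLCipherSuite directives that exist only as commented-out lines, and then checks the active cipher string for an explicit !RC4 and the protocol line for -SSLv3. The config fragment is constructed from the directives posted in the thread; the cipher-string check is a heuristic on the string itself, not on what libssl resolves it to.

```python
import re

# Constructed sample: the thread's ssl.conf fragment, directives still
# commented out with "#", which is why Apache never applied them.
SAMPLE_SSL_CONF = """\
SSLEngine on
#SSLProtocol All -SSLv2 -SSLv3
#SSLCipherSuite ECDHE-RSA-AES256-GCM-SHA384:HIGH:!aNULL:!eNULL:!MD5:!RC4
"""

WATCHED = ("SSLProtocol", "SSLCipherSuite")
DIRECTIVE_RE = re.compile(r"(\w+)\s+(.*)")


def audit_ssl_conf(text):
    """Map each watched directive to its active value (last one wins,
    as in Apache) and to any values found only inside comments."""
    result = {d: {"active": None, "commented": []} for d in WATCHED}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        commented = line.startswith("#")
        m = DIRECTIVE_RE.match(line.lstrip("#").strip())
        if not m or m.group(1) not in WATCHED:
            continue
        name, value = m.group(1), m.group(2).strip()
        if commented:
            result[name]["commented"].append(value)
        else:
            result[name]["active"] = value
    return result


def cipher_string_excludes_rc4(cipher_string):
    """True when the OpenSSL cipher string carries an explicit !RC4 entry."""
    return "!RC4" in [p.strip() for p in cipher_string.split(":")]


def findings(text):
    """Return a list of human-readable problems; empty list means clean."""
    report = audit_ssl_conf(text)
    problems = []
    for name, info in report.items():
        if info["active"] is None and info["commented"]:
            problems.append(f"{name} appears only as a comment; Apache ignores it")
    proto = report["SSLProtocol"]["active"]
    if proto is not None and "-SSLv3" not in proto.split():
        problems.append("SSLProtocol does not disable SSLv3")
    suite = report["SSLCipherSuite"]["active"]
    if suite is not None and not cipher_string_excludes_rc4(suite):
        problems.append("SSLCipherSuite has no !RC4 entry")
    return problems
```

Running `findings` over a real `/etc/httpd/conf.d/ssl.conf` reports the commented-out directives before the server is even restarted, which is the failure the reply above describes.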
 