updated cipherlist available?

Hello,

I know this has been asked before. I even created a ticket about this, but got no answer other than 'it is what it is'. But let's try it again now that more than a year has passed. Does anyone have an updated cipher list that works all right?

This is the (standard) list I use on the SMTP interface:

EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4

At least I would disable some weak ciphers. Because when I validate this list the first hit I get is:

At least one of your mail servers supports one or more ciphers that have a phase out status, because they are known to be fragile and are at risk of becoming insufficiently secure.

Technical details:

Mail server (MX)      First found affected cipher   Status
mail02.domain.com.    DHE-RSA-SEED-SHA              phase out
mail01.domain.com.    DHE-RSA-SEED-SHA              phase out

    Hi Jan - I do not have an answer for you off the top of my head.  Would you please open another case, and provide the case number to me, so we can assist you on this one.  -  Pam


    Jan, I have to agree. I had opened a case too (some years ago) because the default ciphers had a problem with Gmail. I think I did not receive an answer either and repaired the cipher list myself (and published my cipher list here).

    Yes, please open a case! (and tell me your case number via chat)


    Use "Verified Answers" if your problem/issue has been solved!


    SR has been created. See DM


    Thanks Jan.  I see your case and the one that Diethmar submitted.  It looks like Georg has submitted the defect to engineering so it's on the right track now. - Pam


    I just talked to Tony about this. He asked if either of you has restarted the SMTP process after making changes to the cipher list?


    Hello, yes I did.

    Already tried this also:

    - tested the smtp interface: DHE-RSA-SEED-SHA phase-out - added the !SEED setting to ciphers and restarted SMTP interface

    - now I get the ECDHE-ARIA128-GCM-SHA256 = insufficient when I test it. Added !ARIA to the ciphers and restarted SMTP interface.

    - now I get the DHE-RSA-AES-CCM8 = insufficient when I test it. Added !AES to the ciphers and restarted SMTP

    - now the ciphers are OK. But the key exchange is still insufficient. DH-2048 security level: insufficient. When I add !DHE to the cipher list both key exchange and cipher list are sufficient. But... when I send mail to MS Office 365 it arrives OK. When I want to receive mail from Office 365 I get this error:

    [140001657661184] 2022-11-30 17:25:15 (SMTP)<21> TLS negotiation failed: SSL: (-1) accept fail protocol error : error:00000001:lib(0):func(0):reason(1) : undefined reason.

    So now I am lost. The cipher suite/OpenSSL translation vs. IANA is very complex. And the way it is used in SMG is not transparent to any user. That's why I consider this a developer issue. No user can do this without the knowledge of the SMG developers.
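The trial-and-error sequence above (add an exclusion, restart, re-test) can be rehearsed offline by expanding the cipher string with the local OpenSSL before touching the appliance. The following is an added example written for this thread; it is not SMG code and not part of any post. It takes the cipher string quoted in the first post, shows which suites it actually selects (the "RC4" entries are dead weight, because the trailing "!RC4" removes them permanently), removes the three families the tester reported with the ciphers(1) keywords that target exactly those families (SEED, ARIA, AESCCM8), and shows that "!AES", as used in the thread, also strips the AES-GCM suites. It also lists which key-exchange methods remain, since the DH-2048 finding concerns the server's DH parameters, which a cipher string cannot enlarge; it can only drop the DHE suites. Assumptions: Python 3.6+ with the standard ssl module; which families are compiled in depends on the local OpenSSL build, and the SMG build may differ, so the output should be confirmed against the appliance's own openssl binary.

```python
import ssl

# Cipher string quoted from the first post (OpenSSL cipher-list syntax, space separated).
ORIGINAL = (
    "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 "
    "EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 "
    "!aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4"
)

# ciphers(1) keywords that remove exactly the families the tester reported
# (SEED, ARIA, AES-CCM with 8-byte tags). Assumption: the SMG build honours the
# same keywords as the local OpenSSL; verify against the appliance's own openssl.
PHASE_OUT_KEYWORDS = ("SEED", "ARIA", "AESCCM8")


def _suites(cipher_string):
    """TLS 1.2-and-older suites a cipher string selects, as dicts from ssl.get_ciphers().

    OpenSSL >= 1.1.1 always appends its TLS 1.3 suites regardless of the string,
    so those are dropped here; the cipher string only governs the rest.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def expand(cipher_string):
    """Selected suite names in server preference order."""
    return [c["name"] for c in _suites(cipher_string)]


def harden(cipher_string, exclude=PHASE_OUT_KEYWORDS):
    """Append '!keyword' exclusions; a '!' removal is permanent in OpenSSL."""
    return " ".join([cipher_string, *("!" + k for k in exclude)])


def flagged(cipher_string, families=("SEED", "ARIA", "CCM8")):
    """Selected suites whose name still carries one of the flagged families."""
    return [n for n in expand(cipher_string) if any(f in n for f in families)]


def key_exchanges(cipher_string):
    """Key-exchange methods still in use, e.g. {'kx-ecdhe', 'kx-dhe'}."""
    return {c["kea"] for c in _suites(cipher_string)}


if __name__ == "__main__":
    variants = (
        ("original", ORIGINAL),
        ("hardened (!SEED !ARIA !AESCCM8)", harden(ORIGINAL)),
        ("with !AES as used in the thread", harden(ORIGINAL, ["AES"])),
        ("hardened and !DHE", harden(ORIGINAL, [*PHASE_OUT_KEYWORDS, "DHE"])),
    )
    for label, s in variants:
        names = expand(s)
        print(f"== {label}: {len(names)} suites, kx={sorted(key_exchanges(s))}")
        print("   still flagged:", flagged(s) or "none")
        print("   AES-GCM kept:", any("AES" in n and "GCM" in n for n in names))
```

To reproduce a tester finding against a live MX rather than offline, `openssl s_client -connect mail01.domain.com:25 -starttls smtp -cipher DHE-RSA-SEED-SHA` from any host will tell you whether the server still accepts that single suite after a change and restart; a completed handshake means it does.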


    Thanks.  Let me get that added to the defect.  Pam