Jorge Batres
asked on
Removing DES and 3DES ciphers in linux RedHat 6.8
Hi, I need help removing block cipher algorithms with a block size of 64 bits (DES and 3DES), which are subject to the birthday attack known as Sweet32, in Linux Red Hat Enterprise 6.8. I need this for PCI compliance, but I'm not sure which files I need to edit in order to remove those ciphers. They are showing in scan results as warnings on ports 21, 465, 993, 995 and 8443. I use Plesk Onyx as a control panel.
I have already edited /etc/nginx/conf.d/ssl.conf and /etc/httpd/conf.d/ssl.conf but they are still showing on the ports mentioned before.
Please help.
Thanks,
Jorge
In addition to the above, you could disable ciphers system wide by editing the OpenSSL.conf file.
Usually, you have to reload/restart the web server after this type of change.
Are you disabling protocols sslv2, sslv3, tls10?
These configs are read in during start of service. Some changes can be applied by reload, some require a stop/start.....
Elaborating a bit:
Ftp server: 21,
Mailserver: 465,
imaps: 993,
pops: 995 and
Apache? / HaProxy? ...8443?
The 465, 993 and 995 might be proxied by nginx, then you have to check the mail { } sections there.
Also disable SSL2 & 3 as mentioned before as those are broken by now.
(And be sure your SSL library is up to date.)
Don't forget to get your SSL certificates to at least use SHA-256 hashes or they will be unusable soon.
Here is an nginx spec:
ssl_session_timeout 5m;
ssl_session_cache builtin:1000 shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 ; # required by SNI, upto SSL3 broken
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT40:!EXPORT56:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
ASKER
Thank you for your responses, I have edited those files before, but in two separate scans these ciphers are still showing. Could there be any other files that might include these ciphers server wide?
Thanks,
Jorge
ASKER
Thank you, it seems that pop3 and imap are among the ones listening, I just need to know where their config files are located
lsof -i:995
lsof -i:993
This will answer which application is serving it: courier, postfix, dovecot, exim, etc. Once you identify what is serving, locating the config might become clearer if it is not in /etc
lsof -p pid_from_lsof
Look for open config files in the resulting list.
.....
nginx might as well proxy those.
netstat -antp
should give you a list of all process ids + the running program with a TCP connection. (the p does the trick).
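An added example, not from the thread, that automates the lsof/netstat advice above on a RHEL box: it maps each LISTEN row to the owning program and PID, and then goes from the PID to the package's configuration files. The first function parses "lsof -i" output from stdin, so it runs here against a constructed sample; the other two run real commands and assume lsof and rpm are installed (standard on RHEL 6).

```shell
#!/bin/sh
# Added example, not from the thread: tie each scanned port to the program that
# owns it, then to that program's configuration files on a RHEL box.

# Print "<service-or-port> <command> <pid>" for every LISTEN row of "lsof -i".
listeners_from_lsof() {
    # NAME is the last-but-one column ("*:pop3s"), "(LISTEN)" the last one.
    awk '$NF == "(LISTEN)" { name = $(NF-1); sub(/.*:/, "", name); print name, $1, $2 }'
}

# Config files a PID still holds open (only what the daemon keeps open).
open_config_files() {   # pid
    lsof -p "$1" -Fn 2>/dev/null | sed -n 's/^n//p' | grep '^/etc/' | sort -u
}

# Daemons usually read their config at start-up and close it, so "lsof -p"
# often shows nothing. The RPM that owns the executable knows its config files.
package_config_files() {   # pid
    exe=$(readlink "/proc/$1/exe") || return 1
    rpm -qc "$(rpm -qf "$exe")"
}

# Constructed sample in the shape of the asker's "lsof -i:995" / "lsof -i:8443"
# output (hostname and client address replaced with documentation values).
SAMPLE_LSOF='COMMAND   PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
couriertc 15408 root 3u IPv6 30350204 0t0 TCP *:pop3s (LISTEN)
couriertl 13674 root 0u IPv6 31208574 0t0 TCP web.example.net:imaps->192.0.2.10:61257 (ESTABLISHED)
sw-cp-ser 19694 root 12u IPv4 21678480 0t0 TCP *:pcsync-https (LISTEN)'

# Listeners found in the sample, one per ";"-separated field.
sample_listeners() {
    printf '%s\n' "$SAMPLE_LSOF" | listeners_from_lsof | tr '\n' ';'
}

# On the box, for the ports from the scan report:
#   lsof -i :21 -i :465 -i :993 -i :995 -i :8443 | listeners_from_lsof
#   package_config_files 15408
sample_listeners; echo
```

The ESTABLISHED rows are client connections and are skipped on purpose; only the LISTEN rows tell you which daemon's TLS settings matter for a port.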
ASKER
This is the result I got from those commands. I tried to challenge the results with the scanning company and they denied it, saying it was a legitimate warning and that the ciphers were still showing on these ports.
I think I need the command to close port 21 as I've set up the server to use port 22 for secure ftp.
Also I need to find the files to edit ciphers on imaps and pcsync-https
[root@web ~]# lsof -i:995
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
couriertc 15408 root 3u IPv6 30350204 0t0 TCP *:pop3s (LISTEN)
[root@web ~]# lsof -i:993
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
couriertl 13674 root 0u IPv6 31208574 0t0 TCP web.vacationpeople.net:imaps->47.203.104.211:61257 (ESTABLISHED)
couriertl 13677 root 0u IPv6 31208577 0t0 TCP web.vacationpeople.net:imaps->47.203.104.211:61256 (ESTABLISHED)
couriertl 13697 root 0u IPv6 31208706 0t0 TCP web.vacationpeople.net:imaps->47.203.104.211:61275 (ESTABLISHED)
couriertl 13698 root 0u IPv6 31208707 0t0 TCP web.vacationpeople.net:imaps->47.203.104.211:61276 (ESTABLISHED)
couriertc 15279 root 3u IPv6 30350035 0t0 TCP *:imaps (LISTEN)
[root@web ~]#
[root@web ~]# lsof -i:21
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
xinetd 9528 root 5u IPv6 29879964 0t0 TCP *:ftp (LISTEN)
[root@web ~]# lsof -i:8443
COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
sw-cp-ser 19694 root 12u IPv4 21678480 0t0 TCP *:pcsync-https (LISTEN)
sw-cp-ser 19694 root 14u IPv6 21678482 0t0 TCP *:pcsync-https (LISTEN)
sw-cp-ser 29591 sw-cp-server 12u IPv4 21678480 0t0 TCP *:pcsync-https (LISTEN)
sw-cp-ser 29591 sw-cp-server 14u IPv6 21678482 0t0 TCP *:pcsync-https (LISTEN)
Thank you for your help with this.
Jorge
ASKER
I also ran this command and I can see that DES ciphers are still in the server.
nmap --script ssl-enum-ciphers -p 21 "000.00.000.00"
results for ports 21, 993, 995 and 8443
Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:33 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000030s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 21 "000.00.000.00"
Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:36 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000030s latency).
PORT   STATE SERVICE
21/tcp open  ftp
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.90 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 993 "000.00.000.00"
Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:37 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000029s latency).
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 995 "000.00.000.00"
Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:38 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000029s latency).
PORT    STATE SERVICE
995/tcp open  pop3s
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 8443 "000.00.000.00"
Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:39 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000034s latency).
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
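An added example, not from the thread, that reads the nmap output above the way a PCI scanner does: nmap 6.47 rates every suite "strong", so the 64-bit block ciphers have to be picked out by name. The function reads "nmap --script ssl-enum-ciphers" output from stdin; the sample scan below is constructed in the shape of the asker's port 995 result and is not the thread's own output.

```shell
#!/bin/sh
# Added example, not from the thread: list every suite in nmap ssl-enum-ciphers
# output that is built on a 64-bit block cipher (DES, 3DES, RC2, IDEA), which is
# the set flagged as Sweet32. One finding per line:
#   <port>/<proto> <TLS version> <IANA suite name>
sweet32_suites() {
    awk '
        /^[0-9]+\/(tcp|udp) /            { port = $1 }              # "995/tcp open pop3s"
        /^[|][ \t]+(SSLv|TLSv)[0-9.]+:/  { ver = $2; sub(/:$/, "", ver) }
        /^[|][ \t]+TLS_/ {                                          # "|   TLS_..._SHA - strong"
            if ($2 ~ /_(3DES|DES40?|RC2|IDEA)_/) print port, ver, $2
        }
    '
}

# Constructed sample in the shape of the asker's port 995 scan (abridged).
SAMPLE_SCAN='PORT    STATE SERVICE
995/tcp open  pop3s
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong'

# Number of findings in the sample; anything above zero still fails the scan.
sweet32_count() {
    printf '%s\n' "$SAMPLE_SCAN" | sweet32_suites | wc -l | tr -d ' '
}

# On the box (assumes nmap is installed), all five ports from the report at once:
#   nmap --script ssl-enum-ciphers -p 21,465,993,995,8443 HOST | sweet32_suites
printf '%s\n' "$SAMPLE_SCAN" | sweet32_suites
```

Run it after each config change and service restart; an empty result for a port is the condition the scanning company is looking for.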
FTP use the lsof -i:21 to identify which FTP server you are running
The same for IMAPs
8443 is likely Tomcat/Catalina, if not Apache configured to listen on this port for some other reason, meaning that besides the SSL.conf you have a <something>.conf that configures Apache to listen on port 8443.
From the available ciphers/protocols I cannot tell which application it is...
DES isn't there any more; 3DES is giving 128 bits of key. To disable 3DES, follow the rules of engagement to disable them per service.
Changing the port number of FTP to 22 won't help, port 22 is SSH... so if you dropped the ftp server and started using SSH (sftp = rcp over ssh) then it is ok.
You have shown the output of lsof -i; that still doesn't show the service process or the command line thereof.
For courier (pops, imaps, 993, 995) check out the config files in the /etc/courier-imap/ or /etc/courier/ directories
(depends on build method).
There should be an imap-ssl and a pop-ssl file.
That file contains a section along these lines:
Make sure that you set it up to disable SSL2 and SSL3
and, in the allowed string of protocols, set up a decent DH negotiation (>2048 bits).
##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version. The possible versions are:
#
# OpenSSL:
#
# SSL3 - SSLv3
# SSL23 - all protocols (including TLS 1.x protocols)
# TLS1 - TLS1
# TLSv1.1 - TLS1.1
# TLSv1.2 - TLS1.2
#
# Leave it unset to use any protocol except SSL 2.
##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST
# undefined
#
# OpenSSL:
#
# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
#
# GnuTLS:
#
TLS_CIPHER_LIST="HIGH:MEDIUM"
#
# The actual list of available ciphers depend on the options GnuTLS was
# compiled against. The possible ciphers are:
#
# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
#
# Also, the following aliases:
#
# HIGH -- all ciphers that use more than a 128 bit key size
# MEDIUM -- all ciphers that use a 128 bit key size
# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
# is not included
# ALL -- all ciphers except the NULL cipher
##NAME: TLS_MIN_DH_BITS:0
#
# TLS_MIN_DH_BITS=n
#
# GnuTLS only:
#
# Set the minimum number of acceptable bits for a DH key exchange.
#
# See GnuTLS documentation, gnutls_priority_init(3) for additional
# documentation.
##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the IMAP STARTTLS
# extension, as opposed to IMAP over SSL on port 993.
#
# It takes the same values for OpenSSL as TLS_PROTOCOL
##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library. In most situations you can leave TLS_CIPHER_LIST
# undefined
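An added example, not courier's or Plesk's own code, that applies the advice above to a courier-imap imapd-ssl or pop3d-ssl file: it sets the active TLS_CIPHER_LIST to a string that excludes DES and 3DES, leaves the commented "#TLS_CIPHER_LIST=" examples as documentation, and shows how to resolve the result with the local OpenSSL before restarting. The directive names are the ones in the config comments above; the cipher string is borrowed from noci's nginx list earlier in the thread and is an assumption to test on the box. The config fragment and the "openssl ciphers -v" lines below are constructed samples, not the asker's files.

```shell
#!/bin/sh
# Added example, not courier's own code: set TLS_CIPHER_LIST in a courier-imap
# imapd-ssl / pop3d-ssl file so that DES/3DES suites are no longer offered.
set -u

# Plain "HIGH" is not enough on RHEL 6 (OpenSSL 1.0.1): HIGH still includes the
# 3DES suites there, so exclude them explicitly (string taken from the nginx
# list earlier in the thread; an assumption, test it with "openssl ciphers -v").
SAFE_CIPHERS='HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!MD5:!PSK'

# Replace every active (uncommented) NAME=... line with NAME="value", or append
# one if there is none. Commented "#NAME=..." example lines are left alone.
set_directive() {   # file name value
    f=$1; n=$2; v=$3
    if grep -q "^$n=" "$f"; then
        sed -i.bak "s|^$n=.*|$n=\"$v\"|" "$f"   # GNU sed on RHEL; keeps a .bak copy
    else
        printf '%s="%s"\n' "$n" "$v" >> "$f"
    fi
}

# Current active value of a directive, quotes stripped (empty if unset).
get_directive() {   # file name
    sed -n "s/^$2=//p" "$1" | tail -n 1 | tr -d '"'
}

harden_courier_ssl() {   # file (imapd-ssl or pop3d-ssl)
    set_directive "$1" TLS_CIPHER_LIST "$SAFE_CIPHERS"
}

# Suites with a 64-bit block cipher in "openssl ciphers -v" output on stdin.
# Field 5 is Enc=<alg>(<bits>); DES, 3DES, RC2 and IDEA all have 64-bit blocks.
openssl_64bit_block() {
    awk '$5 ~ /^Enc=(DES|3DES|RC2|IDEA)\(/ { print $1 }'
}
# On the box this must print nothing before you restart the service:
#   openssl ciphers -v "$SAFE_CIPHERS" | openssl_64bit_block

# Constructed sample of an imapd-ssl fragment as the asker had it.
SAMPLE_IMAPD_SSL='##NAME: TLS_CIPHER_LIST:0
#
#TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
TLS_CIPHER_LIST=HIGH
TLS_STARTTLS_PROTOCOL=TLSv1.1+'

# Constructed lines in the shape of "openssl ciphers -v HIGH" on OpenSSL 1.0.1.
SAMPLE_OPENSSL_HIGH='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1'

demo() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_IMAPD_SSL" > "$tmp"
    harden_courier_ssl "$tmp"
    echo "active TLS_CIPHER_LIST: $(get_directive "$tmp" TLS_CIPHER_LIST)"
    echo "3DES suites hidden inside HIGH on OpenSSL 1.0.x:"
    printf '%s\n' "$SAMPLE_OPENSSL_HIGH" | openssl_64bit_block
    rm -f "$tmp" "$tmp.bak"
}
demo
```

Apply it to both imapd-ssl and pop3d-ssl, restart the courier-imap daemons (a reload is not enough for these files), then re-run the nmap cipher enumeration against ports 993 and 995.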
Oh, missed the lsof post.
Do you have Courier-MTA deployed, or do you, as noci pointed out, use courier-imap/Courier-components?
I think courier-imap includes the IMAP/POP handlers and configs.....
ASKER
First of all, thank you both for all the help. I use courier-imap and I just tried to modify imapd-ssl and pop3d-ssl but no changes so far. When I run the command to show the cipher list, 3DES still shows under TLSv1.1 and TLSv1.2
Could you post what changes you made and restarted the services. At times, certain changes do not take effect on reload of config...
ASKER
These are the files under the courier-imap directory:
[root@web courier-imap]# ls -l
total 244
drwxr-xr-x 2 root root 4096 Nov 29 15:59 authlib
-rw------- 1 root root 3398 Nov 22 17:03 courier.pem
-rw-r--r-- 1 root root 15625 Nov 29 15:59 imapd
-rw------- 1 root root 348 Oct 26 04:11 imapd.cnf
-rw------- 1 root root 15625 Oct 26 04:11 imapd.dist
-rw-r--r-- 1 root root 168 Nov 21 13:22 imapd.pci.1
-rw-r--r-- 1 root root 173 Nov 21 13:22 imapd.pci.2
-rw-r--r-- 1 root root 39 Nov 21 13:22 imapd.pci.3
-rw-r--r-- 1 root root 49 Nov 21 13:22 imapd.pci.4
-rw-r--r-- 1 root root 9977 Dec 1 10:00 imapd-ssl
-rw-r--r-- 1 root root 9955 Dec 1 09:46 imapd-ssl-bak
-rw------- 1 root root 10020 Oct 26 04:11 imapd-ssl.dist
-rw------- 1 root root 10020 Aug 19 2015 imapd-ssl.rpmnew
-rw-r--r-- 1 root root 9522 Sep 24 08:14 imapd-ssl.rpmsave
-rw-r--r-- 1 root root 4113 Nov 29 15:59 pop3d
-rw------- 1 root root 348 Oct 26 04:11 pop3d.cnf
-rw------- 1 root root 4098 Oct 26 04:11 pop3d.dist
-rw-r--r-- 1 root root 54 Nov 21 13:22 pop3d.pci.1
-rw-r--r-- 1 root root 59 Nov 21 13:22 pop3d.pci.2
-rw-r--r-- 1 root root 27 Nov 21 13:22 pop3d.pci.3
-rw-r--r-- 1 root root 32 Nov 21 13:22 pop3d.pci.4
-rw------- 1 root root 4098 Aug 19 2015 pop3d.rpmnew
-rw-r--r-- 1 root root 4125 Sep 24 08:14 pop3d.rpmsave
-rw-r--r-- 1 root root 8997 Dec 1 09:59 pop3d-ssl
-rw-r--r-- 1 root root 8975 Dec 1 09:47 pop3d-ssl-bak
-rw------- 1 root root 9067 Oct 26 04:11 pop3d-ssl.dist
-rw------- 1 root root 9067 Aug 19 2015 pop3d-ssl.rpmnew
-rw-r--r-- 1 root root 8542 Sep 24 08:14 pop3d-ssl.rpmsave
-rw-r--r-- 1 root root 516 Oct 26 04:11 quotawarnmsg.example
drwxr-xr-x 2 root root 4096 Nov 20 13:25 shared
drwxr-xr-x 2 root root 4096 Oct 26 04:11 shared.tmp
[root@web courier-imap]#
I made backups of both imapd-ssl and pop3d-ssl before doing any modifications.
ASKER
Sorry, I don't know how to copy an entire line with nano, so I can only copy and paste what I can see stretching terminal to the width of my monitor.
imapd-ssl:
#TLS_CIPHER_LIST=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES
TLS_CIPHER_LIST=HIGH
TLS_STARTTLS_PROTOCOL=TLSv1.1+
TLS_TRUSTCERTS=/etc/courier-imap/courier.pem
pop3d-ssl:
#TLS_CIPHER_LIST=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES
TLS_CIPHER_LIST=HIGH
TLS_STARTTLS_PROTOCOL=TLSv1.1+
TLS_TRUSTCERTS=/etc/courier-imap/courier.pem
ASKER
So I just commented out TLS_CIPHER_LIST, changed it to HIGH and restarted the service.
In both of your commented-out TLS_CIPHER_LISTs the last item in the list is +3DES; if you do not want 3DES available, replace it with -3DES and test,
and restart the service.
TLS_CIPHER_LIST=HIGH defaults to a high-bit requirement, but will not restrict the available ciphers that match the high bit.
Add HIGH:-3DES on the service that the logs indicate is used less.
Then run nmap to see the available ciphers....
The SSL part might now offer SSLv2 and SSLv3; !SSLv2:!SSLv3 might need to be added to the TLS_CIPHER_LIST.
ASKER
I made those changes and restarted the services and they are still showing.
ASKER
I just ran this command on my server and got this:
[root@web ~]# openssl ciphers -v '3DES:+RSA'
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA SSLv3 Kx=DH Au=RSA Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA SSLv3 Kx=DH Au=DSS Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA SSLv3 Kx=ECDH Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC3-SHA SSLv3 Kx=DH Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA SSLv3 Kx=PSK Au=PSK Enc=3DES(168) Mac=SHA1
KRB5-DES-CBC3-SHA SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-DES-CBC3-MD5 SSLv3 Kx=KRB5 Au=KRB5 Enc=3DES(168) Mac=MD5
DES-CBC3-MD5 SSLv2 Kx=RSA Au=RSA Enc=3DES(168) Mac=MD5
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
[root@web ~]#
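The `openssl ciphers -v` listing above is the right way to see what a cipher string really permits; the check that follows automates it. It is an added example, not code from the thread or from Plesk: the function names are mine, `openssl` is assumed to be on the PATH, and the sample lines are constructed in the same format as the output above. It also shows the HIGH-versus-HIGH:!3DES point made earlier in the thread.

```shell
#!/bin/sh
# Added example, not from the thread. Flags cipher suites whose bulk cipher has
# a 64-bit block (DES, 3DES, IDEA, RC2), the class Sweet32 applies to, in the
# output of `openssl ciphers -v`. Reads that output on stdin, prints suite names.
flag_64bit_block_ciphers() {
    awk '{
        # The Enc= column names the bulk cipher, e.g. Enc=3DES(168).
        for (i = 1; i <= NF; i++)
            if ($i ~ /^Enc=(DES|3DES|IDEA|RC2)/) { print $1; break }
    }'
}

# Evaluates a cipher string as a server config would and lists any 64-bit block
# suites it still permits. Returns 1 when some remain, so it can gate a config
# change before the service is restarted. Needs the openssl binary.
check_cipher_string() {
    remaining=$(openssl ciphers -v "$1" 2>/dev/null | flag_64bit_block_ciphers)
    if [ -n "$remaining" ]; then
        printf 'cipher string "%s" still allows:\n%s\n' "$1" "$remaining"
        return 1
    fi
    printf 'cipher string "%s" allows no 64-bit block ciphers\n' "$1"
}

# Constructed sample in `openssl ciphers -v` format: two 3DES suites copied from
# the thread's output, one single-DES suite, and two AES suites for contrast.
SAMPLE_CIPHERS='ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA SSLv3 Kx=RSA Au=RSA Enc=3DES(168) Mac=SHA1
DES-CBC-SHA SSLv3 Kx=RSA Au=RSA Enc=DES(56) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1'

main() {
    echo '64-bit block suites in the sample:'
    printf '%s\n' "$SAMPLE_CIPHERS" | flag_64bit_block_ciphers
    # On OpenSSL 1.0.x (RHEL 6) HIGH still contains 3DES; 1.1.0 moved it to
    # MEDIUM. Either way the explicit exclusion is what the scan wants to see.
    if command -v openssl >/dev/null 2>&1; then
        check_cipher_string 'HIGH' || true
        check_cipher_string 'HIGH:!3DES:!DES' || true
    fi
}

main "$@"
```

Run it with the exact string from the service's config (TLS_CIPHER_LIST, ssl_ciphers, SSLCipherSuite) and a non-zero exit means the config still offers a Sweet32-class suite, whatever the scanner says about the port.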
ASKER CERTIFIED SOLUTION
ASKER
noci I think we are going in the right direction!
I was able to remove the ciphers from ports 993, 995 and 21, now I'm just struggling with port 8443, I think it is httpd where I go to conf.d and under that directory, I have edited ssl.conf but nothing.
ASKER
I ran netstat -pant and got:
tcp 0 0 :::8443 :::* LISTEN 19694/sw-cp-server
Not sure what this server is; what are its config files?
Look there for the SSL / TLS settings,
somewhere below /etc/sw-cp-server/ (not sure which file).
Try to find the right file(s) with:
egrep -lri '(ssl|tls)' /etc/sw-cp-server
ASKER
[root@web conf.d]# egrep -lri '(ssl|tls)' /etc/sw-cp-server
/etc/sw-cp-server/conf.d/plesk.conf
/etc/sw-cp-server/conf.d/ipv6_ports.inc
/etc/sw-cp-server/conf.d/ssl.conf
[root@web conf.d]#
I already tried editing conf.d/ssl.conf but no luck.
ASKER
This is what I edited on /etc/sw-cp-server/conf.d/ssl.conf
ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES:!3DES:!LOW;
#ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;
Did you restart the server after editing?
ASKER
I just changed the +3DES to -3DES, but no change.
ASKER
Not the whole server, but I did restart the httpd service.
The service on port 8443 needs to be restarted!
ASKER
I believe it is httpd, which is the one I have restarted, along with apache and nginx.
The program running there is called sw-cp-server... not httpd or nginx...
You may find it with:
grep -ri sw-cp-server /etc/init.d/
Not sure where it is with systemd
ASKER
That was it! Thanks!!!! I ran: service sw-cp-server restart and checked again and the 3DES ciphers are gone!
I'm running the 2 scans that were giving me the bad results and I will update this question and close it.
Thank you so much to both.
ASKER
Thank you so much for your help, the scans PASSED!
Note: editing /etc/OpenSSL.conf is a system-wide change that would apply to everything dynamically linked to the OpenSSL libraries.
Glad to hear you've got it resolved.
ASKER
Thank you very much to both of you for your guidance in resolving this issue!
/etc/nginx/nginx.conf resp. /etc/httpd/httpd.conf
Most servers have a config file; all self-respecting servers allow you to set up SSL settings, and most also have a way to specify SSL protocols.
But it is server dependent.... as the software needs to read the config file and set up the right calls to the SSL stack.