Removing DES and 3DES ciphers in linux RedHat 6.8

Jorge Batres
Jorge Batres asked
on
Medium Priority
8,353 Views
Last Modified: 2016-12-02
Hi, I need help removing block cipher algorithms with a block size of 64 bits (like DES and 3DES), subject to the birthday attack known as Sweet32, in Linux RedHat Enterprise 6.8. I need this for PCI compliance, but I'm not sure which files I need to edit in order to remove those ciphers. They are showing in scan results as warnings on ports 21, 465, 993, 995 and 8443. I use Plesk Onyx as a control panel.
I have already edited /etc/nginx/conf.d/ssl.conf and /etc/httpd/conf.d/ssl.conf but they are still showing on the ports mentioned before.

Please help.

Thanks,

Jorge

nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Are those files actually read/included by the config of the servers?
/etc/nginx/nginx.conf   resp. /etc/httpd/httpd.conf

Most servers have a config file; all self-respecting servers allow you to set up SSL settings, and most also have a way to specify SSL protocols.
But it is server dependent.... as the software needs to read the config file and set up the right calls to the SSL stack.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
In addition to the above, you could disable ciphers system wide by editing the OpenSSL.conf file.

Usually, you have to reload/restart the web server after this type of change.
Are you disabling protocols sslv2, sslv3, tls10?
These configs are read in during start of service. Some changes can be applied by reload, some require a stop/start.....
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Elaborating a bit:

Ftp server: 21,
Mailserver: 465,
imaps: 993,
pops: 995 and
Apache? / HaProxy? ...8443?

The 465, 993 and 995 might be proxied by nginx, then you have to check the mail { }  sections there.

Also disable SSL2 & 3 as mentioned before as those are broken by now.
(And be sure your SSL library is up to date.)
Don't forget to get your SSL certificates to at least use SHA-256 hashes or they will be unusable soon.

Here is an nginx spec:
        ssl_session_timeout 5m;
        ssl_session_cache builtin:1000 shared:SSL:10m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 ; # required by SNI, upto SSL3 broken
        ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT40:!EXPORT56:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

Author

Commented:
Thank you for your responses. I have edited those files before, but in two separate scans these ciphers are still showing. Could there be any other files that might include these ciphers server wide?

Thanks,

Jorge
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Which services are you testing?

openssl s_client -connect ip:port optional parameters.


ssl.conf might be the right one, but then again you may have another config file that actually is the one where the VirtualHost is defined and ciphers/parameters are set.
You might have a completely different application for secure SMTP, IMAP, POP; each has its own config and each requires those options to be disabled.

Does the system have multiple secure sites?
netstat -an | grep -i LISTEN
ps -ef | grep httpd
lsof -p PID | grep -i tcp

This will show you all TCP ports on which httpd is bound.

lsof -i:port
This will report the application/programs bound to this port.
You can then consult the application configuration where the cipher is defined...

Double check that you are not using a reverse proxy on which the SSL connection terminates meaning you would have to adjust the cipher on the reverse proxy/loadbalancer if in use to prevent ......


Author

Commented:
Thank you, it seems pop3 and imap are among the ones listening; I just need to know where their config files are located.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
lsof -i:995
lsof -i:993
This will answer which application is serving it: courier, postfix, dovecot, exim, etc. Once you identify what is serving, locating the config might become clearer if it is not in /etc.
lsof -p pid_from_lsof
Look for open config files in the resulting list.

.....
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
nginx might as well proxy those.

netstat -antp

should give you a list of all process ids + running programs with a TCP connection. (the p does the trick).
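The procedure above (netstat -antp to find the listening PID, then lsof -p to see which files that process holds open) can be automated. The following is an added example written for this page, not code posted in the thread; it parses the output formats of the two tools and reports, for a port, the owning program and the regular files under /etc it has open. Both samples are constructed to resemble this thread's box: the 8443/sw-cp-server listener appears later in the thread, while the other PIDs, inode numbers, sizes and file paths are invented.

```python
"""Map a listening TCP port to its process and that process's open config files.

Added example for this page; it is not code from the thread. It parses the
output of `netstat -antp` and `lsof -p PID` and automates the step the thread
did by hand: port 8443 -> sw-cp-server -> /etc/sw-cp-server/conf.d/*.
Both samples below are constructed (invented PIDs, inodes, sizes, paths).
"""
import re

# netstat -antp: "tcp  0  0 LOCAL  FOREIGN  LISTEN  PID/PROG"; RHEL 6 prints IPv6 sockets as "tcp" too.
NETSTAT_LISTEN_RE = re.compile(
    r"^tcp6?\s+\d+\s+\d+\s+(?P<local>\S+)\s+\S+\s+LISTEN\s+(?P<pid>\d+)/(?P<prog>\S+)"
)
# lsof -p: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME; NAME is the last column.
LSOF_FILE_RE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+\S+\s+\S+\s+(?P<type>\S+)\s+.*\s(?P<name>/\S+)$"
)

NETSTAT_SAMPLE = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:993                 0.0.0.0:*                   LISTEN      15279/couriertcpd
tcp        0      0 0.0.0.0:995                 0.0.0.0:*                   LISTEN      15408/couriertcpd
tcp        0      0 :::8443                     :::*                        LISTEN      19694/sw-cp-server
tcp        0      0 :::80                       :::*                        LISTEN      2210/nginx
tcp        0      0 192.0.2.10:993              198.51.100.7:61257          ESTABLISHED 13674/couriertls
"""

# Constructed `lsof -p 19694` output, keyed by PID.
LSOF_SAMPLE = {
    19694: """\
COMMAND     PID USER   FD   TYPE   DEVICE SIZE/OFF    NODE NAME
sw-cp-ser 19694 root  cwd    DIR    253,0     4096       2 /
sw-cp-ser 19694 root  txt    REG    253,0   910000  131077 /usr/sbin/sw-cp-server
sw-cp-ser 19694 root  mem    REG    253,0  1900000  262145 /lib64/libcrypto.so.10
sw-cp-ser 19694 root    3r   REG    253,0     1126  393219 /etc/sw-cp-server/conf.d/ssl.conf
sw-cp-ser 19694 root    4r   REG    253,0     2048  393220 /etc/sw-cp-server/conf.d/plesk.conf
sw-cp-ser 19694 root   12u  IPv4 21678480      0t0     TCP *:pcsync-https (LISTEN)
""",
}


def listeners(netstat_text):
    """Return {port: (pid, program)} for every LISTEN socket in netstat -antp output."""
    found = {}
    for line in netstat_text.splitlines():
        m = NETSTAT_LISTEN_RE.match(line)
        if m:
            port = int(m.group("local").rsplit(":", 1)[1])   # works for 0.0.0.0:993 and :::8443
            found.setdefault(port, (int(m.group("pid")), m.group("prog")))
    return found


def open_files_under(lsof_text, prefix="/etc/"):
    """Return the regular files under `prefix` that appear in lsof -p output, in order."""
    files = []
    for line in lsof_text.splitlines():
        m = LSOF_FILE_RE.match(line)
        if m and m.group("type") == "REG" and m.group("name").startswith(prefix):
            if m.group("name") not in files:
                files.append(m.group("name"))
    return files


def config_for_port(port, netstat_text=NETSTAT_SAMPLE, lsof_by_pid=LSOF_SAMPLE):
    """Return (program, [config files]) for the process listening on `port`.

    `lsof_by_pid` maps a PID to the text of `lsof -p PID`; a PID without an
    entry yields an empty file list rather than an error."""
    pid, prog = listeners(netstat_text)[port]
    return prog, open_files_under(lsof_by_pid.get(pid, ""))


if __name__ == "__main__":
    for port in sorted(listeners(NETSTAT_SAMPLE)):
        prog, files = config_for_port(port)
        print(f"{port:>5}  {prog:<14} {', '.join(files) or '(no /etc files open)'}")
```

On a live box the two text inputs come from `netstat -antp` and `lsof -p <pid>` run as root; the point of keeping the parsing separate from the commands is that the same functions work on output pasted into a ticket, as happened in this thread.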

Author

Commented:
This is the result I got from those commands. I tried to challenge the results with the scanning company and they denied it, saying it was a legitimate warning and that the ciphers were still showing on these ports.

I think I need the command to close port 21 as I've set up the server to use port 22 for secure ftp.

Also I need to find the files to edit ciphers on imaps and pcsync-https

[root@web ~]# lsof -i:995
COMMAND     PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
couriertc 15408 root    3u  IPv6 30350204      0t0  TCP *:pop3s (LISTEN)

[root@web ~]# lsof -i:993
COMMAND     PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
couriertl 13674 root    0u  IPv6 31208574      0t0  TCP web.vacationpeople.net:imaps->47.203.104.211:61257 (ESTABLISHED)
couriertl 13677 root    0u  IPv6 31208577      0t0  TCP web.vacationpeople.net:imaps->47.203.104.211:61256 (ESTABLISHED)
couriertl 13697 root    0u  IPv6 31208706      0t0  TCP web.vacationpeople.net:imaps->47.203.104.211:61275 (ESTABLISHED)
couriertl 13698 root    0u  IPv6 31208707      0t0  TCP web.vacationpeople.net:imaps->47.203.104.211:61276 (ESTABLISHED)
couriertc 15279 root    3u  IPv6 30350035      0t0  TCP *:imaps (LISTEN)
[root@web ~]#

[root@web ~]# lsof -i:21
COMMAND  PID USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
xinetd  9528 root    5u  IPv6 29879964      0t0  TCP *:ftp (LISTEN)
[root@web ~]# lsof -i:8443
COMMAND     PID         USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
sw-cp-ser 19694         root   12u  IPv4 21678480      0t0  TCP *:pcsync-https (LISTEN)
sw-cp-ser 19694         root   14u  IPv6 21678482      0t0  TCP *:pcsync-https (LISTEN)
sw-cp-ser 29591 sw-cp-server   12u  IPv4 21678480      0t0  TCP *:pcsync-https (LISTEN)
sw-cp-ser 29591 sw-cp-server   14u  IPv6 21678482      0t0  TCP *:pcsync-https (LISTEN)

Thank you for your help with this.
Jorge

Author

Commented:
I also ran this command and I can see that DES ciphers are still in the server.

nmap --script ssl-enum-ciphers -p 21  "000.00.000.00"

results for ports 21, 993, 995 and 8443

Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:33 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000030s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 21  "000.00.000.00"

Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:36 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000030s latency).
PORT   STATE SERVICE
21/tcp open  ftp
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.90 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 993  "000.00.000.00"

Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:37 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000029s latency).
PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.53 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 995  "000.00.000.00"

Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:38 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000029s latency).
PORT    STATE SERVICE
995/tcp open  pop3s
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong

Nmap done: 1 IP address (1 host up) scanned in 0.52 seconds
[root@web ~]# nmap --script ssl-enum-ciphers -p 8443  "000.00.000.00"

Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 11:39 CST
Nmap scan report for server (000.00.000.00)
Host is up (0.000034s latency).
PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_RSA_WITH_AES_128_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA - strong
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - strong
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - strong
|       TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
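The scans above rate every suite "strong", including the 3DES ones, so nmap 6.47's grade alone does not surface what the PCI scanner flagged. The block below is an added example written for this page, not code from the thread or from nmap; it parses the text layout of `nmap --script ssl-enum-ciphers` and lists, per port and protocol version, each suite whose bulk cipher has a 64-bit block. SAMPLE_SCAN is constructed to resemble the scans above, trimmed to two ports.

```python
"""Flag Sweet32-relevant (64-bit block) cipher suites in nmap ssl-enum-ciphers output.

Added example for this page, not code from the thread or from nmap. It parses
the text printed by `nmap --script ssl-enum-ciphers` and reports, per port and
protocol version, every suite whose bulk cipher uses a 64-bit block.
SAMPLE_SCAN is constructed, modelled on the thread's scans.
"""
import re
from collections import defaultdict

# Bulk-cipher tokens in IANA suite names that denote a 64-bit block cipher.
# AES and Camellia have 128-bit blocks and are not affected by Sweet32.
BLOCK64_TOKENS = ("3DES_EDE_CBC", "DES_CBC", "DES40_CBC", "RC2_CBC", "IDEA_CBC")

PORT_RE = re.compile(r"^(\d+)/tcp\s+open")
PROTO_RE = re.compile(r"^\|\s+(SSLv3|TLSv1\.\d|TLSv1):\s*$")
SUITE_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+-\s+(\w+)")

SAMPLE_SCAN = """\
Nmap scan report for server (192.0.2.10)
Host is up (0.000030s latency).
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - strong
|     compressors:
|       NULL
|_  least strength: strong

PORT    STATE SERVICE
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA - strong
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|     compressors:
|       NULL
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - strong
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA - strong
|       TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - strong
|     compressors:
|       NULL
|_  least strength: strong
"""


def parse_enum_ciphers(text):
    """Return {port: {protocol: [suite, ...]}} from ssl-enum-ciphers output."""
    suites = defaultdict(lambda: defaultdict(list))
    port = proto = None
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:                                   # a new "NNN/tcp open" block resets the protocol
            port, proto = int(m.group(1)), None
            continue
        m = PROTO_RE.match(line)
        if m and port is not None:
            proto = m.group(1)
            continue
        m = SUITE_RE.match(line)
        if m and port is not None and proto is not None:
            suites[port][proto].append(m.group(1))
    return {p: dict(v) for p, v in suites.items()}


def is_block64(suite):
    """True when the suite's bulk cipher is a 64-bit block cipher."""
    return any(tok in suite for tok in BLOCK64_TOKENS)


def sweet32_findings(text):
    """Sorted (port, protocol, suite) triples that still offer a 64-bit block cipher."""
    found = []
    for port, protos in parse_enum_ciphers(text).items():
        for proto, names in protos.items():
            found.extend((port, proto, s) for s in names if is_block64(s))
    return sorted(found)


if __name__ == "__main__":
    for port, proto, suite in sweet32_findings(SAMPLE_SCAN):
        print(f"port {port} {proto}: {suite}")
```

Run against the real scan output from each port, the list is empty exactly when the fix has taken effect; this is the check to repeat after every config edit and service restart, since the thread shows that editing the right file without restarting the right daemon changes nothing.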
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
For FTP, use lsof -i:21 to identify which FTP server you are running.
The same for IMAPS.
8443 is likely Tomcat/Catalina, if not Apache configured to listen on this port for another reason, meaning that beside ssl.conf you have a <something>.conf that configures Apache to listen on port 8443.


From the available ciphers/protocols I cannot tell which application...is ...
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
DES isn't there any more; 3DES is giving 128 bits of key... To disable 3DES, follow the rules of engagement to disable them per service.
Changing the port number of FTP to 22 won't help; port 22 is SSH... so if you dropped an ftp server and started using SSH (sftp = rcp over ssh) then it is ok.

You have shown the output of lsof -i; that still doesn't show the service process or the command line thereof.
For courier (pops, imaps, 993, 995) check out the config files in /etc/courier-imap/ or /etc/courier/ directories.
(depends on build method).
There should be an imap-ssl and a pop-ssl file.
That file contains sections along these lines:

Make sure that you set it up to disable SSL2 and SSL3.
In the allowed string of protocols, set up a decent DH negotiation (>2048 bits).
##NAME: TLS_PROTOCOL:0
#
# TLS_PROTOCOL sets the protocol version.  The possible versions are:
#
# OpenSSL:
#
# SSL3 - SSLv3
# SSL23 - all protocols (including TLS 1.x protocols)
# TLS1 - TLS1
# TLSv1.1 - TLS1.1
# TLSv1.2 - TLS1.2
#
# Leave it unset to use any protocol except SSL 2.

##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
# undefined
#
# OpenSSL:
#
# TLS_CIPHER_LIST="SSLv3:TLSv1:HIGH:!LOW:!MEDIUM:!EXP:!NULL:!aNULL@STRENGTH"
#
# GnuTLS:
#
TLS_CIPHER_LIST="HIGH:MEDIUM"
#
# The actual list of available ciphers depend on the options GnuTLS was
# compiled against. The possible ciphers are:
#
# AES256, 3DES, AES128, ARC128, ARC40, RC2, DES, NULL
#
# Also, the following aliases:
#
# HIGH -- all ciphers that use more than a 128 bit key size
# MEDIUM -- all ciphers that use a 128 bit key size
# LOW -- all ciphers that use fewer than a 128 bit key size, the NULL cipher
#        is not included
# ALL -- all ciphers except the NULL cipher

##NAME: TLS_MIN_DH_BITS:0
#
# TLS_MIN_DH_BITS=n
#
# GnuTLS only:
#
# Set the minimum number of acceptable bits for a DH key exchange.
#
# See GnuTLS documentation, gnutls_priority_init(3) for additional
# documentation.

##NAME: TLS_STARTTLS_PROTOCOL:0
#
# TLS_STARTTLS_PROTOCOL is used instead of TLS_PROTOCOL for the IMAP STARTTLS
# extension, as opposed to IMAP over SSL on port 993.
#
# It takes the same values for OpenSSL as TLS_PROTOCOL

##NAME: TLS_CIPHER_LIST:0
#
# TLS_CIPHER_LIST optionally sets the list of ciphers to be used by the
# OpenSSL library.  In most situations you can leave TLS_CIPHER_LIST
# undefined
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Oh, Missed the LSOF post.

Do you have Courier-MTA deployed, or do you as noci pointed out use courier-imap/Courier-components?
I think courier-imap includes the IMAP/POP handlers. configs.....

Author

Commented:
First of all, thank you both for all the help. I use courier-imap and I just tried to modify imapd-ssl and pop3d-ssl but no changes so far. When I run the command to show the cipher list, 3DES still shows under TLSv1.1 and TLSv1.2.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Could you post what changes you made, and did you restart the services? At times, certain changes do not take effect on reload of config...

Author

Commented:
These are the files under the courier-imap directory:

[root@web courier-imap]# ls -l
total 244
drwxr-xr-x 2 root root  4096 Nov 29 15:59 authlib
-rw------- 1 root root  3398 Nov 22 17:03 courier.pem
-rw-r--r-- 1 root root 15625 Nov 29 15:59 imapd
-rw------- 1 root root   348 Oct 26 04:11 imapd.cnf
-rw------- 1 root root 15625 Oct 26 04:11 imapd.dist
-rw-r--r-- 1 root root   168 Nov 21 13:22 imapd.pci.1
-rw-r--r-- 1 root root   173 Nov 21 13:22 imapd.pci.2
-rw-r--r-- 1 root root    39 Nov 21 13:22 imapd.pci.3
-rw-r--r-- 1 root root    49 Nov 21 13:22 imapd.pci.4
-rw-r--r-- 1 root root  9977 Dec  1 10:00 imapd-ssl
-rw-r--r-- 1 root root  9955 Dec  1 09:46 imapd-ssl-bak
-rw------- 1 root root 10020 Oct 26 04:11 imapd-ssl.dist
-rw------- 1 root root 10020 Aug 19  2015 imapd-ssl.rpmnew
-rw-r--r-- 1 root root  9522 Sep 24 08:14 imapd-ssl.rpmsave
-rw-r--r-- 1 root root  4113 Nov 29 15:59 pop3d
-rw------- 1 root root   348 Oct 26 04:11 pop3d.cnf
-rw------- 1 root root  4098 Oct 26 04:11 pop3d.dist
-rw-r--r-- 1 root root    54 Nov 21 13:22 pop3d.pci.1
-rw-r--r-- 1 root root    59 Nov 21 13:22 pop3d.pci.2
-rw-r--r-- 1 root root    27 Nov 21 13:22 pop3d.pci.3
-rw-r--r-- 1 root root    32 Nov 21 13:22 pop3d.pci.4
-rw------- 1 root root  4098 Aug 19  2015 pop3d.rpmnew
-rw-r--r-- 1 root root  4125 Sep 24 08:14 pop3d.rpmsave
-rw-r--r-- 1 root root  8997 Dec  1 09:59 pop3d-ssl
-rw-r--r-- 1 root root  8975 Dec  1 09:47 pop3d-ssl-bak
-rw------- 1 root root  9067 Oct 26 04:11 pop3d-ssl.dist
-rw------- 1 root root  9067 Aug 19  2015 pop3d-ssl.rpmnew
-rw-r--r-- 1 root root  8542 Sep 24 08:14 pop3d-ssl.rpmsave
-rw-r--r-- 1 root root   516 Oct 26 04:11 quotawarnmsg.example
drwxr-xr-x 2 root root  4096 Nov 20 13:25 shared
drwxr-xr-x 2 root root  4096 Oct 26 04:11 shared.tmp
[root@web courier-imap]#

I made backups of both imapd-ssl and pop3d-ssl before doing any modifications.

Author

Commented:
Sorry, I don't know how to copy an entire line with nano, so I can only copy and paste what I can see stretching terminal to the width of my monitor.

imapd-ssl:

#TLS_CIPHER_LIST=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES
TLS_CIPHER_LIST=HIGH
TLS_STARTTLS_PROTOCOL=TLSv1.1+
TLS_TRUSTCERTS=/etc/courier-imap/courier.pem

pop3d-ssl:

#TLS_CIPHER_LIST=EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES
TLS_CIPHER_LIST=HIGH
TLS_STARTTLS_PROTOCOL=TLSv1.1+
TLS_TRUSTCERTS=/etc/courier-imap/courier.pem

Author

Commented:
So I just commented out TLS_CIPHER_LIST and changed it to HIGH and restarted the service.
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
In both your commented-out TLS_CIPHER_LISTs the last item in the list is +3DES; if you do not want 3DES available, replace it with -3DES and test,
and restart the service.

TLS_CIPHER_LIST=HIGH is defaulting to a high bit requirement, but will not restrict the available ciphers that match the high bit.
Add a -3DES (HIGH:-3DES) on the service that the logs indicate is used less.
Then run the nmap to see available ciphers....

The SSL part might now offer SSLv2 and SSLv3; !SSLv2:!SSLv3 might need to be added to the TLS_CIPHER_LIST.

Author

Commented:
I made those changes and restarted the services and they are still showing.

Author

Commented:
I just ran this command in my server and got this:

[root@web ~]# openssl ciphers -v '3DES:+RSA'
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
PSK-3DES-EDE-CBC-SHA    SSLv3 Kx=PSK      Au=PSK  Enc=3DES(168) Mac=SHA1
KRB5-DES-CBC3-SHA       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=SHA1
KRB5-DES-CBC3-MD5       SSLv3 Kx=KRB5     Au=KRB5 Enc=3DES(168) Mac=MD5
DES-CBC3-MD5            SSLv2 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=MD5
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
[root@web ~]#
Software Engineer
CERTIFIED EXPERT
Distinguished Expert 2019
Commented:
Don't define TLS_PROTOCOLS; if you do, you only enable the mentioned one.... (and disable negotiation)

You should disable anything using the TLS_CIPHERS setting:
Disable anything you don't want... like !SSLv2:!SSLv3:!DES:!3DES:!LOW:
etc.
The same for others you don't want.... ! means NOT.....
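The two comments above turn on the difference between `+3DES`, `-3DES` and `!3DES` in an OpenSSL cipher list, and the author's original (commented-out) list ended in `!EDH+3DES`, which only removes 3DES suites that also use ephemeral DH. The block below is an added example written for this page; it is not OpenSSL's code and was not posted in the thread. It is a small model of the cipher-list operators applied to a constructed table of nine suites, so the effect of each spelling can be seen without a server to scan. Courier's TLS_CIPHER_LIST and nginx's ssl_ciphers are both passed to OpenSSL in this syntax. The HIGH/MEDIUM/LOW grouping in the table follows OpenSSL 1.0.x (the RHEL 6 generation), in which 3DES still counted as HIGH; other OpenSSL keywords (aNULL, kEDH, ...) are simply unknown to this model.

```python
"""A small model of OpenSSL cipher-list syntax: what HIGH, -3DES, !3DES and +3DES select.

Added example for this page; not OpenSSL's code and not from the thread.
SUITES is a constructed, simplified table: suite name -> (nominal key bits,
attribute words it matches). Groupings follow OpenSSL 1.0.x, where 3DES was
still in HIGH. Modelled operators: bare word, '+', '-', '!', 'A+B'
intersection (as in !EDH+3DES) and @STRENGTH.
"""

SUITES = {
    "ECDHE-RSA-AES256-GCM-SHA384": (256, {"EECDH", "AESGCM", "AES256", "AES", "HIGH"}),
    "ECDHE-RSA-AES128-GCM-SHA256": (128, {"EECDH", "AESGCM", "AES128", "AES", "HIGH"}),
    "AES256-SHA":                  (256, {"kRSA", "AES256", "AES", "HIGH"}),
    "AES128-SHA":                  (128, {"kRSA", "AES128", "AES", "HIGH"}),
    "ECDHE-RSA-DES-CBC3-SHA":      (168, {"EECDH", "3DES", "HIGH"}),
    "EDH-RSA-DES-CBC3-SHA":        (168, {"EDH", "3DES", "HIGH"}),
    "DES-CBC3-SHA":                (168, {"kRSA", "3DES", "HIGH"}),
    "RC4-SHA":                     (128, {"kRSA", "RC4", "MEDIUM"}),
    "DES-CBC-SHA":                 (56,  {"kRSA", "DES", "LOW"}),
}


def matches(suite, word):
    """'HIGH' matches a HIGH suite; 'EDH+3DES' matches only suites that are both."""
    attrs = SUITES[suite][1]
    return all(part == "ALL" or part in attrs for part in word.split("+"))


def expand(cipher_list):
    """Ordered suites the cipher list selects, following OpenSSL's rules:
    bare word  = append matching suites not yet listed;
    '+word'    = move matching suites to the end of the list;
    '-word'    = remove matching suites (a later bare word may re-add them);
    '!word'    = remove matching suites permanently, they can never be re-added;
    '@STRENGTH' = sort the current list by key bits, highest first."""
    selected, killed = [], set()
    for item in filter(None, cipher_list.split(":")):
        if item == "@STRENGTH":
            selected.sort(key=lambda s: -SUITES[s][0])   # stable sort: ties keep their order
            continue
        op, word = (item[0], item[1:]) if item[0] in "+-!" else ("", item)
        hits = [s for s in SUITES if matches(s, word)]
        if op == "!":
            killed.update(hits)
            selected = [s for s in selected if s not in hits]
        elif op == "-":
            selected = [s for s in selected if s not in hits]
        elif op == "+":
            selected = [s for s in selected if s not in hits] + [s for s in selected if s in hits]
        else:
            selected += [s for s in hits if s not in selected and s not in killed]
    return selected


def offers_3des(cipher_list):
    """The 3DES suites a server configured with `cipher_list` would still negotiate."""
    return [s for s in expand(cipher_list) if "3DES" in SUITES[s][1]]


if __name__ == "__main__":
    for spec in ("HIGH", "HIGH:!EDH+3DES", "HIGH:+3DES", "HIGH:-3DES",
                 "HIGH:-3DES:3DES", "HIGH:!3DES:3DES"):
        print(f"{spec:<18} 3DES still offered: {offers_3des(spec) or 'none'}")
```

In this model `HIGH:!EDH+3DES` leaves the ECDHE and plain-RSA 3DES suites in place and drops only the DHE one, which is the pattern the earlier scans on this page show; `HIGH:+3DES` keeps all three and merely moves them to the end of the preference list, while `HIGH:!3DES` (or `-3DES` with nothing re-adding it afterwards) is what actually removes them.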

Author

Commented:
noci I think we are going in the right direction!

I was able to remove the ciphers from ports 993, 995 and 21; now I'm just struggling with port 8443. I think it is httpd, where I go to conf.d and under that directory I have edited ssl.conf, but nothing.

Author

Commented:
I ran netstat -pant and got:
tcp        0      0 :::8443                     :::*                        LISTEN      19694/sw-cp-server
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Not sure what this server is; what are its config files?
There look for SSL / TLS settings.

somewhere below: /etc/sw-cp-server/???
try to find the right file(s) with:
egrep -lri '(ssl|tls)'  /etc/sw-cp-server

Author

Commented:
[root@web conf.d]# egrep -lri '(ssl|tls)'  /etc/sw-cp-server
/etc/sw-cp-server/conf.d/plesk.conf
/etc/sw-cp-server/conf.d/ipv6_ports.inc
/etc/sw-cp-server/conf.d/ssl.conf
[root@web conf.d]#

I already tried editing conf.d/ssl.conf but no luck.

Author

Commented:
This is what I edited on /etc/sw-cp-server/conf.d/ssl.conf

ssl_ciphers EECDH+AESGCM+AES128:EECDH+AESGCM+AES256:EDH+AESGCM+AES128:EDH+AESGCM+AES256:EECDH+SHA256+AES128:EECDH+SHA384+AES256:EDH+SHA256+AES128:EDH+SHA256+AES256:EECDH+SHA1+AES128:EECDH+SHA1+AES256:EDH+SHA1+AES128:EDH+SHA1+AES256:EECDH+HIGH:EDH+HIGH:AESGCM+AES128:AESGCM+AES256:SHA256+AES128:SHA256+AES256:SHA1+AES128:SHA1+AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!KRB5:!aECDH:!EDH+3DES:!3DES:!LOW;
#ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /usr/local/psa/etc/dhparams2048.pem;
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Did you restart the server after editing?

Author

Commented:
I just changed the +3DES to -3DES but no change

Author

Commented:
Not the whole server, but I did restart the httpd service.
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
the service on port 8443 needs to be restarted!

Author

Commented:
I believe it is httpd which is the one I have restarted along with apache and nginx
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
the program running there is called sw-cp-server...  not httpd or nginx...
nociSoftware Engineer
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
You may find it with:

grep -ri sw-cp-server /etc/init.d/

Not sure where it is with systemd

Author

Commented:
That was it! Thanks!!!! I ran: service sw-cp-server restart and checked again and the 3DES ciphers are gone!

I'm running the 2 scans that were giving me the bad results and I will update this question and close it.

Thank you so much to both.

Author

Commented:
Thank you so much for your help, the scans PASSED!
CERTIFIED EXPERT
Distinguished Expert 2019

Commented:
Note, editing /etc/OpenSSL.conf is a system wide change that would apply to all dynamically linked to the OpenSSL libraries.
Glad to hear you've got it resolved.

Author

Commented:
Thank you very much to both of you for your guidance in resolving this issue!