1

Topic: 42873 ssl medium strength cipher suites supported (sweet32)

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
How can I mitigate the vulnerability below in iRedMail?
42873 ssl medium strength cipher suites supported (sweet32)


2

Re: 42873 ssl medium strength cipher suites supported (sweet32)

Please always offer basic info of your iRedMail server:

ired_mania wrote:

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

ired_mania wrote:

42873 ssl medium strength cipher suites supported (sweet32)

Which ssl service are we talking about? https? ssl over pop3/imap or smtp?
You may want to use stronger ciphers.

3

Re: 42873 ssl medium strength cipher suites supported (sweet32)

ZhangHuangbin wrote:

Please always offer basic info of your iRedMail server:

ired_mania wrote:

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer?
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL):
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro?
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====

ired_mania wrote:

42873 ssl medium strength cipher suites supported (sweet32)

Which ssl service are we talking about? https? ssl over pop3/imap or smtp?
You may want to use stronger ciphers.

I have iRedMail 0.9.9 installed on CentOS 7.6.1810.
Truly speaking, I don't have the port number in the vulnerability report; would you please help me solve this problem on all ports? I especially have difficulty addressing this issue on Nginx.

4

Re: 42873 ssl medium strength cipher suites supported (sweet32)

I don't understand what issue we're trying to solve.

5 (edited by ired_mania 2021-12-05 17:05:43)

Re: 42873 ssl medium strength cipher suites supported (sweet32)

How do I mitigate the vulnerability in HTTPS? I cannot do the SSL settings in the Nginx configuration.

ZhangHuangbin wrote:

I don't understand what issue we're trying to solve.

6 (edited by Cthulhu 2021-12-05 22:52:31)

Re: 42873 ssl medium strength cipher suites supported (sweet32)

Why can't you do SSL settings?

The best way to mitigate is using the latest build and shifting to TLS 1.3 with modern ciphers by default, and completely scrapping TLS 1.1.

As well, you use CentOS 7, which has no support anymore; iRedMail also dropped support for CentOS 8, so for future support you need to upgrade to CentOS Stream, which will kind of automatically fix your problems.

7

Re: 42873 ssl medium strength cipher suites supported (sweet32)

Cthulhu wrote:

Why can't you do SSL settings?

The best way to mitigate is using the latest build and shifting to TLS 1.3 with modern ciphers by default, and completely scrapping TLS 1.1.

As well, you use CentOS 7, which has no support anymore; iRedMail also dropped support for CentOS 8, so for future support you need to upgrade to CentOS Stream, which will kind of automatically fix your problems.

Hi, first of all, thanks for your reply. Second, EOL of CentOS 7 is June 30, 2024 and EOL of CentOS 8 is December 31st, 2021; that is the reason for iRedMail dropping support of CentOS 8.

8

Re: 42873 ssl medium strength cipher suites supported (sweet32)

ZhangHuangbin wrote:

I don't understand what issue we're trying to solve.

I cannot find the conf below in /etc/nginx/nginx.conf and /etc/nginx/sites-enabled/00-default-ssl.conf. Should I add it manually? In which file should it be added? What are medium strength ciphers?

ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3
ssl_ciphers   ???

9

Re: 42873 ssl medium strength cipher suites supported (sweet32)

In /etc/nginx/templates/ssl.tmpl.
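An added example, not from the forum or from iRedMail: a small Python lint for the ssl_protocols/ssl_ciphers lines asked about in post 8. It assumes the two constructed nginx fragments below (the weak one mirrors the poster's protocol list plus a broad-alias cipher string, the hardened one the kind of explicit allow-list a fixed ssl.tmpl would carry); "medium strength" here follows the scanner's sense, the 64-bit block ciphers (3DES, DES, RC2, IDEA) that Sweet32 concerns.

```python
import re

# Constructed sample fragments (assumed nginx layout, not the contents of iRedMail's ssl.tmpl).
WEAK_CONF = """
ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
ssl_ciphers   HIGH:MEDIUM:!aNULL:!MD5;
"""

HARDENED_CONF = """
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers   ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!3DES:!DES:!RC2:!IDEA;
"""

LEGACY_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
# Suites built on 64-bit block ciphers: the "medium strength" class Sweet32 concerns.
BLOCK64 = re.compile(r"(?:^|-)(?:3DES|DES|RC2|IDEA)(?:-|$)", re.IGNORECASE)
# Broad OpenSSL aliases that may pull those suites in (which ones do depends on the
# OpenSSL version), so they need an explicit !3DES/!DES exclusion next to them.
BROAD_ALIASES = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "HIGH", "MEDIUM", "LOW"}


def directive(conf, name):
    """Return the value of the first `name ...;` directive in conf, or None."""
    m = re.search(r"^\s*%s\s+([^;]+);" % re.escape(name), conf, re.MULTILINE)
    return m.group(1).strip() if m else None


def sweet32_findings(conf):
    """Lint ssl_protocols/ssl_ciphers; returns a list of findings (empty = clean)."""
    findings = []
    for proto in (directive(conf, "ssl_protocols") or "").split():
        if proto in LEGACY_PROTOCOLS:
            findings.append("legacy protocol enabled: " + proto)
    ciphers = directive(conf, "ssl_ciphers")
    if ciphers is None:
        findings.append("ssl_ciphers not set: nginx falls back to its built-in default")
        return findings
    tokens = [t for t in re.split(r"[:, ]+", ciphers) if t]
    enabled = [t for t in tokens if t[0] not in "!-"]
    excluded = {t.lstrip("!-").upper() for t in tokens if t[0] in "!-"}
    for t in enabled:
        if BLOCK64.search(t):
            findings.append("64-bit block cipher explicitly enabled: " + t)
    if any(t.upper() in BROAD_ALIASES for t in enabled) and not ({"3DES", "DES"} & excluded):
        findings.append("broad alias without !3DES/!DES exclusion: " + ciphers)
    return findings
```

Feed it the contents of /etc/nginx/templates/ssl.tmpl to see which of these conditions the live file triggers; an explicit allow-list like the hardened fragment avoids the alias ambiguity entirely.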