Our features site is undergoing a refresh! Be sure to explore the revamped site and discover our latest product roadmap launching here on Monday, March 18th.
New Topic
cPanel & WHM Feature RequestsTopicSecurity
Properties
Category Security
Tags Diffie-Hellman, Security, pci-compliance, PCI-DSS, pci compliance, cb

Change Dovecot to use 2048, or higher, dhparam

Denver Prophit Jr. shared this idea 9 years ago
Open Discussion

See recommendations at https://weakdh.org/sysadmin.html Get all RPM config files to implement Diffie-Hellman 2048

11 I like this idea 0  

Replies (5)

photo
1
acenetgeorge 9 years ago

Open a ticket with cPanel Support. You can replace the cipher keys manually for the moment to resolve this.

Reply
photo
1
Aila 9 years ago

Please provide more specifics. To my knowledge we don't provide any RPMs that would need such a change. We provide configuration interfaces for a variety of services (e.g. Apache, FTP) that allow setting stricter SSL Cipher suites, and disabling older protocols. Without telling us specifically what you want we are unable to do anything with this request (other than close it).

Reply
photo
2
Floki 9 years ago

It is not about the cipher you can set, it is about the DH group key

size. Having strong cipher is one part, the scond is having strong keys

which need a strong DH key size.

The standard group key size (also with Cpanel) is 1024 which is not secure.


You can generate a new group key size with

openssl dhparam -out dhparams.pem 2048


and then generate all SSL keys new but it would be of course much better if Cpanel already just switch the size to 2048 from the start on.

Reply
photo
2
Aila 9 years ago

It appears Dovecot is what needs updated.

Reply
photo
1
Denver Prophit Jr. 9 years ago

So the changelog of Dovecot has already done that or in their roadmap?

photo
1
Denver Prophit Jr. 8 years ago

I think this could be resolved now.

photo
1
Denver Prophit Jr. 8 years ago

Hey Ken. DES/3DES ciphers are now NVD Level 4. Have to remove that whole cipher suite. The reason these scan vunerability is per the National Vulnerability Database https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183) Trustwave as an ASV is required to fail external scans when DES/3DES ciphers are detected, as the CVSS score is above a 4.0. The ASV program guide (https://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v2.pdf), compiled by the PCI SSC, clearly states that any vulnerability listed on the NVD with a CVSS ranking of 4.0 or greater MUST be failed on.


Currently, there are no standard mitigations which can allow these ciphers to exist in PCI DSS-approved environments unless a QSA (Qualified Security Assessor) manually validates that the threat from the vulnerability cannot be exploited by use of a Compensating Control Worksheet (CCW). PCI acknowledges that removing these ciphers can break connectivity with legacy Windows XP machines but unfortunately Windows XP has been end of life since 2014 and has known weaknesses which are unaddressed that attackers can use to exploit.


Ultimately, it would be the role of your web host to remove these ciphers from the payment environment as the weaknesses of the credit card environment can lead to access to credit card information.

photo
photo
1
Tim Schoondergang 7 years ago

Is a new option not enough:

ssl_dh_parameters_length = 2048

for dovecot 2.2.x


(and in the future:)

for 2.3.x and up

ssl_dh=</path/to/dh.pem with a correct dh.pem file.


see:

https://wiki.dovecot.org/SSL/DovecotConfiguration#line-112

Reply
Leave a Comment
 
Attach a file

cPanel, WebHost Manager and WHM are registered trademarks of cPanel, L.L.C. for providing its computer software that facilitates the management and configuration of Internet web servers.