cPanel & WHM Version 94 has been released, and brings a slew of great updates. Take a look at what is included, and then upgrade today!

Change Dovecot to use 2048, or higher, dhparam

Denver Prophit Jr. shared this idea 5 years ago
Open Discussion

See recommendations at https://weakdh.org/sysadmin.html Get all RPM config files to implement Diffie-Hellman 2048

Comments (5)

photo
1

Open a ticket with cPanel Support. You can replace the cipher keys manually for the moment to resolve this.

photo
1

Please provide more specifics. To my knowledge we don't provide any RPMs that would need such a change. We provide configuration interfaces for a variety of services (e.g. Apache, FTP) that allow setting stricter SSL Cipher suites, and disabling older protocols. Without telling us specifically what you want we are unable to do anything with this request (other than close it).

photo
2

It is not about the cipher you can set, it is about the DH group key

size. Having strong cipher is one part, the scond is having strong keys

which need a strong DH key size.

The standard group key size (also with Cpanel) is 1024 which is not secure.


You can generate a new group key size with

openssl dhparam -out dhparams.pem 2048


and then generate all SSL keys new but it would be of course much better if Cpanel already just switch the size to 2048 from the start on.

photo
2

It appears Dovecot is what needs updated.

photo
1

So the changelog of Dovecot has already done that or in their roadmap?

photo
1

I think this could be resolved now.

photo
1

Hey Ken. DES/3DES ciphers are now NVD Level 4. Have to remove that whole cipher suite. The reason these scan vunerability is per the National Vulnerability Database https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183) Trustwave as an ASV is required to fail external scans when DES/3DES ciphers are detected, as the CVSS score is above a 4.0. The ASV program guide (https://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v2.pdf), compiled by the PCI SSC, clearly states that any vulnerability listed on the NVD with a CVSS ranking of 4.0 or greater MUST be failed on.


Currently, there are no standard mitigations which can allow these ciphers to exist in PCI DSS-approved environments unless a QSA (Qualified Security Assessor) manually validates that the threat from the vulnerability cannot be exploited by use of a Compensating Control Worksheet (CCW). PCI acknowledges that removing these ciphers can break connectivity with legacy Windows XP machines but unfortunately Windows XP has been end of life since 2014 and has known weaknesses which are unaddressed that attackers can use to exploit.


Ultimately, it would be the role of your web host to remove these ciphers from the payment environment as the weaknesses of the credit card environment can lead to access to credit card information.

photo
photo
1

Is a new option not enough:

ssl_dh_parameters_length = 2048

for dovecot 2.2.x


(and in the future:)

for 2.3.x and up

ssl_dh=</path/to/dh.pem with a correct dh.pem file.


see:

https://wiki.dovecot.org/SSL/DovecotConfiguration#line-112

Leave a Comment
 
Attach a file