See recommendations at https://weakdh.org/sysadmin.html. Get all RPM config files to implement Diffie-Hellman 2048.
Open a ticket with cPanel Support. You can replace the cipher keys manually for the moment to resolve this.
Please provide more specifics. To my knowledge we don't provide any RPMs that would need such a change. We provide configuration interfaces for a variety of services (e.g. Apache, FTP) that allow setting stricter SSL Cipher suites, and disabling older protocols. Without telling us specifically what you want we are unable to do anything with this request (other than close it).
It is not about the cipher you can set, it is about the DH group key size. Having a strong cipher is one part; the second is having strong keys, which need a strong DH key size.
The standard group key size (also with cPanel) is 1024, which is not secure.
You can generate a new group key size with
openssl dhparam -out dhparams.pem 2048
and then generate all SSL keys anew, but it would of course be much better if cPanel simply switched the size to 2048 from the start.
It appears Dovecot is what needs updated.
So has the Dovecot changelog already done that, or is it on their roadmap?
I think this could be resolved now.
Hey Ken. DES/3DES ciphers are now NVD Level 4. Have to remove that whole cipher suite. The reason these scans flag this vulnerability: per the National Vulnerability Database (https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2183), Trustwave as an ASV is required to fail external scans when DES/3DES ciphers are detected, as the CVSS score is above a 4.0. The ASV program guide (https://www.pcisecuritystandards.org/documents/ASV_Program_Guide_v2.pdf), compiled by the PCI SSC, clearly states that any vulnerability listed on the NVD with a CVSS ranking of 4.0 or greater MUST be failed on.
Currently, there are no standard mitigations which can allow these ciphers to exist in PCI DSS-approved environments unless a QSA (Qualified Security Assessor) manually validates, by use of a Compensating Control Worksheet (CCW), that the threat from the vulnerability cannot be exploited. PCI acknowledges that removing these ciphers can break connectivity with legacy Windows XP machines, but unfortunately Windows XP has been end of life since 2014 and has known unaddressed weaknesses that attackers can exploit.
Ultimately, it would be the role of your web host to remove these ciphers from the payment environment as the weaknesses of the credit card environment can lead to access to credit card information.
Is a new option not enough:
ssl_dh_parameters_length = 2048
for Dovecot 2.2.x, and (in the future) for 2.3.x and up:
ssl_dh = </path/to/dh.pem
with a correct dh.pem file.
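The two steps the thread describes, generating a 2048-bit group with openssl dhparam and then pointing Dovecot at it, as an added example that is not part of the thread and not cPanel's or Dovecot's own code. It assumes the openssl command-line tool is installed; the file paths are illustrative, and the check function simply reads the prime size back out of the PEM file so an admin can confirm the group is not the 1024-bit default before wiring it into the config.

```shell
#!/bin/sh
# Added example (not from the thread, cPanel or Dovecot): generate a 2048-bit
# DH group, confirm its size, and print the matching Dovecot settings.
# Assumes the openssl CLI is installed; paths below are illustrative.

# Generate a safe-prime DH parameter file of the requested size (default 2048).
# Safe-prime generation at 2048 bits can take from seconds to a few minutes.
gen_dhparams() {
    out="$1"
    bits="${2:-2048}"
    openssl dhparam -out "$out" "$bits" 2>/dev/null
}

# Print the prime size in bits of a PEM DH parameter file, parsed from the
# "DH Parameters: (N bit)" line of openssl's text dump.
dh_bits() {
    openssl dhparam -in "$1" -text -noout 2>/dev/null \
        | grep -o '([0-9]* bit)' | tr -dc '0-9'
}

# Return 0 if the group is at least 2048 bits (the weakdh.org floor), 1 otherwise.
dh_is_strong() {
    bits="$(dh_bits "$1")"
    [ -n "$bits" ] && [ "$bits" -ge 2048 ]
}

# Print the Dovecot settings quoted in the thread for the given file:
# 2.2.x takes only a length, 2.3.x reads the file itself via the '<' prefix.
dovecot_dh_settings() {
    printf 'ssl_dh_parameters_length = %s   # Dovecot 2.2.x\n' "$(dh_bits "$1")"
    printf 'ssl_dh = <%s   # Dovecot 2.3.x and up\n' "$1"
}

# Usage: sh dhcheck.sh /etc/dovecot/dh.pem   (generates the file if it is missing)
if [ $# -gt 0 ]; then
    [ -f "$1" ] || gen_dhparams "$1" 2048
    if dh_is_strong "$1"; then
        echo "$1: $(dh_bits "$1")-bit group, OK"
        dovecot_dh_settings "$1"
    else
        echo "$1: $(dh_bits "$1")-bit group, too small (need >= 2048)" >&2
        exit 1
    fi
fi
```

Run it with the path Dovecot should read; an existing file is only checked, a missing one is generated first. Regenerating a 1024-bit file is deliberately not automatic, since the script should tell an admin the group is weak rather than silently replace a file another service may reference.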