
How to disable the RC4 cipher?
  •  
gabrielbraga

Is there a way to disable the RC4 cipher on Kerio Control? We use it as a reverse proxy...
  •  
PPG

  •  
gabrielbraga

PPG wrote on Sun, 22 February 2015 08:28
Could this be the solution you're searching for: http://forums.kerio.com/mv/msg/17525/70795/#msg_70795 ?


That post has nothing to do with my question.
  •  
gabrielbraga

  •  
mlee (Kerio)

AFAIK RC4 was disabled a while ago:

http://www.kerio.com/kerio-control-release-history-older-releases

  • Attachment: rc4.png

PTSD. BP. OCD. ASPD. BPD. Certified.
  •  
gabrielbraga

In the ssllabs.com test I'm receiving grade B, and they justify it with these two lines:

This server accepts the RC4 cipher, which is weak. Grade capped to B.
The server does not support Forward Secrecy with the reference browsers.
  •  
gabrielbraga

Any explanation about that??

[Updated on: Thu, 26 February 2015 17:09]

  •  
gabrielbraga

  •  
mlee (Kerio)

Don't have an answer, let me find out and get back to you.

M. 20122

[Updated on: Tue, 10 March 2015 01:07]


  •  
mlee (Kerio)

Once again, with some great help and here's an update for you:

RC4-SHA was re-added to Kerio Control as a fallback cipher suite for software which doesn't support Diffie-Hellman key exchange (Kx=DH). Now we do understand that there are vulnerabilities with RC4, but we also need to consider that there are users with older software that requires the use of Kx=RSA.

The only safe choices these days are cipher suites which provide Perfect Forward Secrecy.

While there are plans to further improve the security on Kerio Control, at this stage you can disable RC4 by setting EnableKxRSA=0 in winroute.cfg, but be warned that a lot of (mostly old) clients will stop working, because they have no cipher suites capable of Kx=DH.

M.

[Updated on: Wed, 11 March 2015 23:19]


  •  
Brian Carmichael (Kerio)

For modifying the Kerio Control configuration you can use SSH. To enable SSH access, go to Status and while holding the shift key, select the System Health. You should see a button to enable SSH. Your login is root, and the password is your web administration password. Once connected via SSH, you can issue the following commands.
~ # /opt/kerio/winroute/tinydbclient "update ssl set EnableKxRSA=0"
~ # /etc/boxinit.d/60winroute restart

Brian Carmichael
Senior Technical Marketing Engineer | Kerio
  •  
gabrielbraga

Thank you both!!!
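
A way to check the result of the EnableKxRSA=0 change discussed above against the two SSL Labs findings, as an added example that is not part of the original thread or Kerio's own tooling. It audits a list of accepted suites written in `openssl ciphers -v` notation (the same Kx= labels the thread uses); the function name `audit_suites` and both sample lists are assumptions constructed for illustration, not output captured from a Kerio Control box.

```shell
#!/bin/sh
# Added example: audit cipher suites given in `openssl ciphers -v` format.
# Reads stdin, prints one finding per line, returns 1 if anything was flagged.
audit_suites() {
    awk '
        BEGIN { bad = 0 }
        NF == 0 || /^#/ { next }              # skip blank lines and comments
        {
            name = $1; kx = ""; enc = ""
            for (i = 2; i <= NF; i++) {
                if ($i ~ /^Kx=/)  kx  = substr($i, 4)
                if ($i ~ /^Enc=/) enc = substr($i, 5)
            }
            if (kx == "" || enc == "") { print "UNPARSED " name; bad = 1; next }
            # Judge by the Enc= field, not the Kx= field: RC4 also exists
            # with Kx=ECDH, which turning off Kx=RSA alone would not remove.
            if (enc ~ /^RC4/) { print "RC4 " name; bad = 1 }
            # Kx=DH and Kx=ECDH label the ephemeral DHE/ECDHE suites and
            # Kx=any the TLS 1.3 suites; anything else has no forward secrecy.
            if (kx != "DH" && kx != "ECDH" && kx != "any") {
                print "NO-FS " name " (Kx=" kx ")"; bad = 1
            }
        }
        END { exit bad }
    '
}

# Constructed sample lists (assumed, not taken from a real appliance).
BEFORE='DHE-RSA-AES256-SHA SSLv3 Kx=DH  Au=RSA Enc=AES(256) Mac=SHA1
AES128-SHA         SSLv3 Kx=RSA Au=RSA Enc=AES(128) Mac=SHA1
RC4-SHA            SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=SHA1'
AFTER='DHE-RSA-AES256-SHA SSLv3 Kx=DH Au=RSA Enc=AES(256) Mac=SHA1
DHE-RSA-AES128-SHA SSLv3 Kx=DH Au=RSA Enc=AES(128) Mac=SHA1'

echo "--- before EnableKxRSA=0"
printf '%s\n' "$BEFORE" | audit_suites || echo "findings above"
echo "--- after EnableKxRSA=0"
printf '%s\n' "$AFTER" | audit_suites && echo "clean"
```

The input is the set of suites the server actually accepted, as reported by a TLS scanner; `openssl ciphers -v` on its own only shows what the local OpenSSL build would offer.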
Current Time: Fri Mar 24 05:12:12 CET 2017
