
How to disable RC4 Cipher
  •  
vindiesel.dd

Hi all,

I installed the Kerio virtual appliance 9.1.1 some days ago and would like to disable the RC4 cipher now, to get an A rating on www.ssllabs.com.
I found the following KB and disabled the RC4 cipher suite in the config file /opt/kerio/mailserver/mailserver.cfg in the Security section with these settings:
<variable name="ServerTlsCiphers">HIGH:MEDIUM:!aNULL:!eNULL:!RC4:!MD5 </variable>

kb.kerio.com/product/kerio-connect/server-configuration/security/configuring-ssl-tls-in-kerio-connect-1753.html#sect-sslvariables

BUT, ssllabs still shows me RC4 as enabled.
I use the same setting with apache modssl on other servers, which disabled RC4.
Therefore I doubt my cipher setting is wrong.

Does somebody have an idea?

Thanks
  •  
Lukas Petrlik (Kerio)

Neither the default configuration nor your setting should include RC4.

What is the output if you log in to the appliance and try the following?

# openssl s_client -connect 127.0.0.1:4040 -cipher RC4
  •  
vindiesel.dd

Hi Lukas,

thank you for your quick response.
I found the failure, and this was a bit tricky and my fault. Because we use other ports for Kerio on the firewall, the ssllabs test checked another server and didn't show this as a failure because we use a wildcard certificate for both. Therefore the domain name matched the certificate.


The output is as follows, and I interpret this output to mean that no connection could be established with RC4:
CONNECTED(00000003)
139851058980520:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:749:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 178 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
  •  
Lukas Petrlik (Kerio)

vindiesel.dd wrote on Mon, 29 August 2016 17:29
I interpret this output to mean that no connection could be established with RC4:
Correct.
Now that you have solved the problem, I would suggest you return to the default configuration (i.e. empty ServerTlsCiphers). We have taken great care to ensure that the default is the best compromise between security and compatibility with supported clients and other servers at the time of the release.
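
The check used in this thread, scripted as an added example (not part of the original posts and not Kerio's own tooling): it classifies the output of `openssl s_client -cipher RC4` and takes the host and port explicitly, since a shared wildcard certificate does not show which server answered. The function names and the sample marked as constructed are assumptions made for illustration.

```sh
#!/bin/sh
# Added example. Reads `openssl s_client -cipher RC4` output on stdin and
# prints "rejected", "negotiated <cipher>" or "inconclusive".
# Exit status: 0 = RC4 refused, 1 = RC4 negotiated, 2 = could not tell.
rc4_verdict() {
    out=$(cat)
    # A client built without RC4 stops with "no cipher match" before it
    # contacts the server, so that result says nothing about the server.
    case $out in
        *"no cipher match"*) echo inconclusive; return 2 ;;
    esac
    # s_client summarises the handshake as "New, <proto>, Cipher is <name>".
    cipher=$(printf '%s\n' "$out" |
        sed -n 's/^New, .*, Cipher is \(.*\)$/\1/p' | head -n 1)
    case $cipher in
        "")       echo inconclusive; return 2 ;;   # no handshake summary at all
        "(NONE)") echo rejected; return 0 ;;
        *)        echo "negotiated $cipher"; return 1 ;;
    esac
}

# Hypothetical wrapper: name the exact host and port under test, because a
# shared wildcard certificate will not reveal that a different server replied.
check_rc4() {
    openssl s_client -connect "$1:$2" -cipher RC4 </dev/null 2>&1 | rc4_verdict
}

# Lines taken from the output posted in the thread (RC4 handshake refused).
sample_rejected() {
    cat <<'EOF'
CONNECTED(00000003)
139851058980520:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:749:
New, (NONE), Cipher is (NONE)
EOF
}

# Constructed sample: the summary line a server still accepting RC4 would give.
sample_accepted() {
    cat <<'EOF'
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is RC4-SHA
EOF
}

# Usage: sh check_rc4.sh <host> <port>
if [ "$#" -eq 2 ]; then check_rc4 "$1" "$2"; fi
```

Run it once against 127.0.0.1 on the appliance and once against the public name and port that the firewall forwards, and compare the two verdicts.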