In this variable, you can change the SSL/TLS protocols used when Kerio Connect acts as a client, for example, when sending messages via the SMTP protocol. To use a custom cipher list, type the cipher list in the variable.įor the full syntax of cipher lists, see the OpenSSL website. Leave the variable empty to use a default cipher list: AESGCM:HIGH:+EDH-RSA-DES-CBC3-SHA:+EDH-DSS-DES-CBC3-SHA:+DES-CBC3-SHA In this variable, you can change the cipher list used by Kerio Connect. To use a custom set of protocols, list the protocol names, separated by commas, in the variable.įor example: SSLv3,TLSv1,TLSv1.1,TLSv1.2 ServerTlsCiphers Leave the variable empty to use a default set of SSL/TLS protocols: TLSv1,TLSv1.1,TLSv1.2 In this variable, you can change the SSL/TLS protocols used by Kerio Connect. If you set the variable to 0, some older implementations of SSL may not connect to Kerio Connect servers. The default value, 1, disables the OpenSSL workaround for the CVE-2011-3389 vulnerability. ECDHE is more efficient than DHE and uses shorter keys. The server generates a random ephemeral public key for each session so that attackers cannot decipher past sessions. The default value, 1, enables ECDHE for key exchange. You can change the default value to 1024, 2048, or 4096 AllowEphemeralECDH Make sure the DisableEphemeralDH is enabled. The default value, 0, sets the size of DHE to 2048 (1024 for SMTP services). These ciphers are not recommended for compliance: Weak Ciphers Here is a list of strong ciphers available: Strong ciphers (Recommended) It is recommended to use only strong ciphers suites to ensure compliance with various compliance standards. Kerio Connect sets the default values of all the SSL/TLS variables. Delete any variable in the Security or SmtpSecurity sections.To reset the SSL/TLS configuration in the configuration file: Change the settings in the Security or SmtpSecurity sections.For more information refer to Configuration files. Open the configuration file mailserver.cfg for editing.Kerio Connect uses different variables for the SSL Secure Sockets Layer - A protocol that ensures integral and secure communication between networks./ TLS Transport Layer Security - A follower of the SSL protocol and ensures secure communication between networks. (You can test your server, for example, at Qualys SSLlabs test site). You might need to adjust the security settings when a flaw in a security protocol is found or to get a good security rating for your server. services separately (for SMTP on port 25 and SMTPS on port 465) SMTP Simple Mail Transport Protocol - An internet standard used for email transmission across IP networks.Once all the changes have been completed and saved, restart the Kerio Control box and reattempt the PCI compliance scan.Kerio Connect allows you to enable or disable specific security protocols and cipher sets manually for: Save the file and exit the vi/nano editor.Eg: To disable TLS version 1.0, add TLSv1 to this line to disable TLS version 1.1, add TLSv1_1 to this line: Add the TLS version that needs to be disabled in the DisabledProtocols line. Search for the variable table name="SSL":.Enter vi winroute.cfg or nano winroute.cfg to modify the winroute.cfg file.Enter cd /var/winroute to change the directory to /var/winroute/.Establish an SSH connection to the Kerio Control box.This article covers the steps to properly disable any TLS versions. The older versions of TLS could be affected by multiple cryptographic flaws. Administrators may fail PCI compliance scans because a deprecated TLS protocol is still enabled on the Kerio VPN port 4090.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |