Help after scanning with Nessus

bol86
New user
Posts: 1
Joined: 2019-09-09 17:21

Help after scanning with Nessus

Post by bol86 » 2019-09-11 17:05

Hello,

I have installed hmail in version 5.6.7 and it works perfectly.
When I perform a scan with the Nessus tool, the following warning appears:

The remote service supports the use of medium strength SSL ciphers.
The remote host supports the use of SSL ciphers that offer medium strength encryption.
Scanner regards medium strength as any encryption that uses key lengths at least 64 bits and less than 112 bits, or else that uses the 3DES encryption suite.
Note that it is considerably easier to circumvent medium strength encryption if the attacker is on the same physical network.
RESULT:
Medium Strength Ciphers (> 64-bit and < 112-bit key, or 3DES)
DES-CBC3-SHA Kx=RSA Au=RSA Enc=3DES-CBC(168) Mac=SHA1
The fields above are:
{OpenSSL ciphername}
Kx={key exchange}
Au={authentication}
Enc={symmetric encryption method}
Mac={message authentication code}
{export flag}
Recommendations: Reconfigure the affected application if possible to avoid use of medium strength ciphers.


Can someone tell me how to solve the problem?

Thank you very much and greetings to the whole forum! :roll:

jim.bus
Senior user
Posts: 255
Joined: 2011-05-28 11:49
Location: US

Re: Help after scanning with Nessus

Post by jim.bus » 2019-09-11 22:06

See hMailAdmin >Settings>Advanced>SSL/TLS then Select Help which will tell you where you can override the Default Ciphers List on this setting. This is all I know on how to set different ciphers. There are others on the Forum who are more advanced than myself.

mattg
Moderator
Posts: 20026
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

Re: Help after scanning with Nessus

Post by mattg » 2019-09-12 00:03

On 5.6.7 you can uncheck all but TLSv1.2 (where jim.bus says)
and try the cipher suite being simply

HIGH:!TLSv1:!SSLv3;

See how your scan goes then
(I'm using an ALPHA version with TLSv1.3 - I'd love a report on my server. I test with as many tools as I can find for free)
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation
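Added example (not from this thread or from hMailServer): a small Python checker that parses the cipher-line format the Nessus finding prints (the same fields as `openssl ciphers -v`) and buckets each suite by the scanner's own rule, 3DES or a 64-to-111-bit key. The sample list is constructed; to check a real list, pipe the output of `openssl ciphers -v 'HIGH:!TLSv1:!SSLv3'` into `medium_strength_ciphers`.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in `openssl ciphers -v` layout (name, protocol, Kx, Au,
# Enc(bits), Mac, optional "export" flag); not taken from any real server.
SAMPLE_CIPHER_LIST = """\
DES-CBC3-SHA                SSLv3   Kx=RSA      Au=RSA  Enc=3DES(168)   Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES256-SHA                  SSLv3   Kx=RSA      Au=RSA  Enc=AES(256)    Mac=SHA1
RC4-MD5                     SSLv3   Kx=RSA      Au=RSA  Enc=RC4(128)    Mac=MD5
EXP-DES-CBC-SHA             SSLv3   Kx=RSA(512) Au=RSA  Enc=DES(40)     Mac=SHA1 export
"""

# The protocol column is optional so Nessus lines (which omit it and spell the
# cipher "3DES-CBC") parse as well as openssl's own output.
_LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?:(?P<proto>\S+)\s+)?Kx=(?P<kx>\S+)\s+Au=(?P<au>\S+)\s+"
    r"Enc=(?P<enc>[^\s(]+)\((?P<bits>\d+)\)\s+Mac=(?P<mac>\S+)(?P<export>\s+export)?"
)

def parse_cipher_line(line: str) -> Optional[Dict[str, object]]:
    """Split one cipher line into its fields; None if the line is not a cipher."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    return {"name": m["name"], "kx": m["kx"], "au": m["au"], "enc": m["enc"],
            "bits": int(m["bits"]), "mac": m["mac"], "export": bool(m["export"])}

def strength(cipher: Dict[str, object]) -> str:
    """Nessus' bucket: 'medium' for 3DES (168 nominal, 112 effective bits) or
    64 <= bits < 112, 'low' below 64 bits, otherwise 'high'. This is a pure
    key-length test: RC4-MD5 at 128 bits passes it although RC4 is broken."""
    if "3DES" in str(cipher["enc"]).upper():
        return "medium"
    bits = int(cipher["bits"])
    if bits < 64:
        return "low"
    return "medium" if bits < 112 else "high"

def medium_strength_ciphers(cipher_list: str) -> List[str]:
    """Names the 'medium strength SSL ciphers' plugin would report for this list."""
    parsed = (parse_cipher_line(l) for l in cipher_list.splitlines() if l.strip())
    return [str(c["name"]) for c in parsed if c and strength(c) == "medium"]

if __name__ == "__main__":
    for c in filter(None, map(parse_cipher_line, SAMPLE_CIPHER_LIST.splitlines())):
        print(f"{c['name']:<28} {c['enc']}({c['bits']}) -> {strength(c)}")
    print("Would be flagged:", medium_strength_ciphers(SAMPLE_CIPHER_LIST))
```

An empty result only means this one plugin is satisfied; the RC4 line shows why the remaining list should still be reviewed for non-AEAD and legacy suites.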
