V 9.706-9: The return of weak ciphers?

Question

Today I've received the result of a PCI scan: Failed.

"38142 - SSL Server Allows AnonymousAuthentication Vulnerability" on port 25 is the reason. 38142 means that ADH or similar weak ciphers are allowed.

As far as I remember with the setting "TLS1.2 only" all weak ciphers are removed.

What can I do?

This thread was automatically locked due to age.

RichBaldry · Accepted Answer

As a temporary workaround, while this is being investigated, if you can SSH to your UTM and get root access, you can edit /var/storage/chroot-smtp/etc/exim.conf. 
 Look for the line that reads: 
 tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2 
 and update it to 
 tls_require_ciphers = HIGH:!RC4:!MD5:!ADH:!SSLv2:!aNULL 
 This issue is not really to do with weak ciphers. Anonymous authentication in this context would allow a remote server, if it wanted to , to connect to your UTM without your UTM having to provide a certificate to prove its own identity. It really affects the remote server more than it does your UTM.

gsxfan · Answer

Thanks Rich, that hit the nail. The scan passed today, right before my vacation starts. 
 But like every change of config files at file level this would probably be changed by the next update (Or restart...). What I'm wondering about is that this error occurred for the very first time after more than 15 years of PCI scans against Astaro/Sophos UTM. 
 I hope that this config change will find its way to the system by the next update. It should be standard and mandatory. Otherwise I (And probably others) will run into this trap again.

V 9.706-9: The return of weak ciphers?

Top Replies