1

Topic: ERR_SSL_OBSOLETE_CIPHER in Chrome after upgrading to latest release

==== Required information ====
- iRedMail version (check /etc/iredmail-release):      v0.9.5-1 / v2.4.1 (MySQL)
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): MySQL
- Web server (Apache or Nginx): Apache
- Manage mail accounts with iRedAdmin-Pro? Yes
- Related log if you're reporting an issue:
====

After upgrading to the latest release users with Chrome get an error message when trying to use webmail: ERR_SSL_OBSOLETE_CIPHER

Has anyone seen this issue?

My /etc/apache2/sites-available/default-ssl states this regarding ciphers:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH


2

Re: ERR_SSL_OBSOLETE_CIPHER in Chrome after upgrading to latest release

Energia wrote:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

These ciphers should be considered as strong. You can test it with: https://www.ssllabs.com/ssltest/
Or, test on your server with 'nmap' command like this:

nmap --script ssl-cert,ssl-enum-ciphers -p 443 localhost

3

Re: ERR_SSL_OBSOLETE_CIPHER in Chrome after upgrading to latest release

Energia wrote:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

These ciphers should be considered as strong. You can test it with https://www.ssllabs.com/ssltest/
Or, test it on your server with 'nmap' command:

nmap --script ssl-cert,ssl-enum-ciphers -p 443 localhost

4

Re: ERR_SSL_OBSOLETE_CIPHER in Chrome after upgrading to latest release

ZhangHuangbin wrote:
Energia wrote:

SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH

These ciphers should be considered as strong. You can test it with https://www.ssllabs.com/ssltest/
Or, test it on your server with 'nmap' command:

nmap --script ssl-cert,ssl-enum-ciphers -p 443 localhost

I have tested the server using SSL Labs; the protocol result is not ok, but that is mainly related to OpenSSL CCS.

In the Cipher Suites section I do get this result:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)   DH 1024 bits   FS   WEAK     128
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)         DH 1024 bits   FS   WEAK     256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK     256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK     256

5

Re: ERR_SSL_OBSOLETE_CIPHER in Chrome after upgrading to latest release

I have the same issue on ssllabs.com and it gave me a B rating:

# TLS 1.2 (suites in server-preferred order)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK     256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS     256
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b)   DH 1024 bits   FS   WEAK     256
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)   DH 1024 bits   FS   WEAK     256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 (0xc028)   ECDH secp256r1 (eq. 3072 bits RSA)   FS     256
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)   ECDH secp256r1 (eq. 3072 bits RSA)   FS     256
# TLS 1.1 (suites in server-preferred order)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK     256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS     256
# TLS 1.0 (suites in server-preferred order)
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39)   DH 1024 bits   FS   WEAK     256
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xc014)   ECDH secp256r1 (eq. 3072 bits RSA)   FS     256

Is there a way to change it to 2048 or, better, 4096-bit DH?