TLS Server Vulnerability SWEET32 (CVE-2016-2183)

Overview


When a PCI scan is run, the test may fail because of the SWEET32 vulnerability, reported with a message like the following:

Path: /TLS server supports short block sizes SWEET32 attack

Information From Target:
Service: 4090:TCP
Server accepted TLS 1.1 64-bit block size cipher: TLS_RSA_WITH_3DES_EDE_CBC_SHA



Prerequisites


Access to:

  • Kerio Control Webadmin
  • Kerio Control via SSH


Process

  1. Log in to Kerio Control console via SSH.

  2. Remount the root filesystem read/write by running the following command:

    $ mount -o rw,remount /

  3. Open the following file:

    /var/winroute/winroute.cfg

  4. Find the table <table name="SSL"> and replace the CipherList variable with the following line:

    <variable name="CipherList">!kSRP:!PSK:!kFZA:!SSLv2:!EXPORT:!ADH:!MD5:!aNULL:HIGH:-kRSA:AES256-SHA:-DES-CBC3-SHA</variable>

    Note that -DES-CBC3-SHA is appended at the end. DES-CBC3-SHA is the OpenSSL name of the cipher the scan reported (TLS_RSA_WITH_3DES_EDE_CBC_SHA), and the leading minus removes it from the cipher list.


  5. Save changes made to the file.

  6. Reboot Kerio Control using the command below:

    $ reboot

Note: For better security, you can also disable the TLS 1.0 protocol.
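To check the edited CipherList before rebooting, and to re-test the listener afterwards, here is an added shell example (not part of the Kerio article or product): it extracts the CipherList value from a configuration line, approximates OpenSSL's left-to-right cipher-string evaluation to confirm that the 3DES cipher ends up removed, and probes a host and port with openssl s_client. The sample line, the host and port arguments, and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not Kerio's code). Checks that a winroute.cfg CipherList
# leaves no 64-bit-block 3DES cipher (OpenSSL name DES-CBC3-SHA,
# IANA name TLS_RSA_WITH_3DES_EDE_CBC_SHA) negotiable, then lets you
# re-probe the listener after the reboot.

# Constructed sample: the CipherList line from step 4 of the article.
SAMPLE_CFG='<variable name="CipherList">!kSRP:!PSK:!kFZA:!SSLv2:!EXPORT:!ADH:!MD5:!aNULL:HIGH:-kRSA:AES256-SHA:-DES-CBC3-SHA</variable>'

# Print the cipher string held by a CipherList <variable> line.
cipherlist_from_cfg() {
  printf '%s\n' "$1" | sed -n 's/.*name="CipherList">\([^<]*\)<.*/\1/p'
}

# Approximate OpenSSL's left-to-right cipher-string evaluation for one
# cipher: aliases that pull 3DES in (HIGH in OpenSSL 1.0.x, MEDIUM from
# 1.1.0, ALL, DEFAULT, the 3DES name itself) enable it; "-" drops it but
# a later alias may add it back; "!" drops it for good. Returns 0 when
# DES-CBC3-SHA is not negotiable at the end of the list.
# "openssl ciphers -v LIST" is the authoritative expansion.
cipherlist_excludes_3des() {
  enabled=0; killed=0
  old_ifs=$IFS; IFS=:
  for tok in $1; do
    case "$tok" in
      '!DES-CBC3-SHA'|'!3DES') enabled=0; killed=1 ;;
      '-DES-CBC3-SHA'|'-3DES') enabled=0 ;;
      HIGH|MEDIUM|ALL|DEFAULT|COMPLEMENTOFDEFAULT|3DES|DES-CBC3-SHA)
        if [ "$killed" -eq 0 ]; then enabled=1; fi ;;
    esac
  done
  IFS=$old_ifs
  [ "$enabled" -eq 0 ]
}

# Live check after the reboot (needs openssl on the scanning machine):
# returns 0 if HOST:PORT still accepts DES-CBC3-SHA, i.e. is still
# vulnerable. SECLEVEL=0 lets a modern OpenSSL client offer this legacy
# cipher at all; TLS 1.2 is pinned so a TLS 1.3 suite cannot be picked.
still_accepts_3des() {
  printf '' | openssl s_client -connect "$1:$2" -tls1_2 \
      -cipher 'DES-CBC3-SHA:@SECLEVEL=0' 2>/dev/null \
    | grep -q 'Cipher is DES-CBC3-SHA'
}

if [ "$#" -eq 2 ]; then
  # Usage: sh check_sweet32.sh firewall.example.com 4090  (constructed host)
  if still_accepts_3des "$1" "$2"; then
    echo "$1:$2 still negotiates DES-CBC3-SHA (SWEET32 finding persists)"
  else
    echo "$1:$2 refused DES-CBC3-SHA"
  fi
fi
```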



Confirmation


The PCI scan or SSL test completes successfully.

 

Priyanka Bhotika