I ran a vulnerability scan and I got these results for ports 993, 995, and 5432. I am running Dovecot for POP3S and IMAPS and Postgres for port 5432. I got these results from the vulnerability scan:
Summary: This routine reports all Weak SSL/TLS cipher suites accepted by a service. NOTE: No severity for SMTP services with ‘Opportunistic TLS’ and weak cipher suites on port 25/tcp is reported. If too strong cipher suites are configured for this service the alternative would be to fall back to an even more insecure cleartext communication.
Vulnerability Detection Result:
‘Weak’ cipher suites accepted by this service via the TLSv1.0 protocol: TLS_RSA_WITH_SEED_CBC_SHA
‘Weak’ cipher suites accepted by this service via the TLSv1.1 protocol: TLS_RSA_WITH_SEED_CBC_SHA
‘Weak’ cipher suites accepted by this service via the TLSv1.2 protocol: TLS_RSA_WITH_SEED_CBC_SHA
Solution – Solution type: Mitigation
The configuration of this services should be changed so that it does not accept the listed weak cipher suites anymore. Please see the references for more resources supporting you with this task.
Vulnerability Insight
These rules are applied for the evaluation of the cryptographic strength:
- RC4 is considered to be weak (CVE-2013-2566, CVE-2015-2808).
- Ciphers using 64 bit or less are considered to be vulnerable to brute force methods and therefore considered as weak (CVE-2015-4000).
- 1024 bit RSA authentication is considered to be insecure and therefore as weak.
- Any cipher considered to be secure for only the next 10 years is considered as medium
- Any other cipher is considered as strong
I am new to this kind of thing and I tried looking for a way to fix this vulnerability. I am sure that there is a configuration file I am supposed to change, but I don’t know what to do. I want to figure out how to disable the weak cipher suites for each of these ports. Could someone please help me out?
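
Dovecot's `ssl_cipher_list` and PostgreSQL's `ssl_ciphers` settings both take an OpenSSL cipher string, so a candidate string can be checked against the scan result before it goes into either configuration file. The following is an added example, not part of the original post: the candidate string `HIGH:!aNULL:!SEED` is an assumption chosen for illustration, and the expansion uses the OpenSSL build linked into the local Python, which may differ from the server's.

```python
import re
import ssl

# Constructed sample: the three result lines from the scan report above.
REPORT = """\
‘Weak’ cipher suites accepted by this service via the TLSv1.0 protocol: TLS_RSA_WITH_SEED_CBC_SHA
‘Weak’ cipher suites accepted by this service via the TLSv1.1 protocol: TLS_RSA_WITH_SEED_CBC_SHA
‘Weak’ cipher suites accepted by this service via the TLSv1.2 protocol: TLS_RSA_WITH_SEED_CBC_SHA
"""

# Scanner (IANA) name -> OpenSSL name, for the one suite the report lists.
IANA_TO_OPENSSL = {"TLS_RSA_WITH_SEED_CBC_SHA": "SEED-SHA"}

# Assumption: a candidate cipher string chosen for this example.
CANDIDATE = "HIGH:!aNULL:!SEED"

RESULT_LINE = re.compile(r"via the (TLSv[\d.]+) protocol:\s*(.+)$")


def parse_report(text):
    """Return {protocol: [scanner suite names]} from the result lines."""
    found = {}
    for line in text.splitlines():
        m = RESULT_LINE.search(line)
        if m:
            found.setdefault(m.group(1), []).extend(m.group(2).split())
    return found


def expand(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:
        return set()  # the string selects no cipher on this build
    return {c["name"] for c in ctx.get_ciphers()}


def still_offered(report_text, cipher_string):
    """Reported weak suites that cipher_string would still enable."""
    enabled = expand(cipher_string)
    flagged = {s for names in parse_report(report_text).values() for s in names}
    # An unmapped scanner name raises KeyError rather than passing silently.
    return sorted(s for s in flagged if IANA_TO_OPENSSL[s] in enabled)


if __name__ == "__main__":
    print(parse_report(REPORT))
    print("still offered with", CANDIDATE, "->", still_offered(REPORT, CANDIDATE))
```

An empty list means the candidate string no longer enables any suite the scanner reported; re-running the scan after reloading the services confirms the result on the real ports.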