Server Security

Weak Ciphers, PCI Compliance

To comply with the PCI standard, IceWarp Server V 12 disables weak ciphers by default and addresses the BEAST attack by prioritizing RC4 ciphers. A new installation of the server will now pass the Qualys SSL Labs test with honors (A ranking). On existing installations, setting the API sslcipherlist value to HIGH is not enough to achieve forward secrecy while still not being vulnerable to the BEAST attack, because the GCM and ECDHE (elliptic curve) cipher suites must be allowed explicitly. On installations that were previously set to HIGH, issue the following command and then verify the result at www.ssllabs.com/ssltest/.

tool set system c_system_adv_ext_sslcipherlist ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS
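
Before applying the value, the cipher string can be expanded offline to see which suites it selects and in what order. The script below is an added example, not part of IceWarp or its tooling; the function names classify and audit are made up for it, and it assumes the local Python/OpenSSL build expands the string the same way as the TLS library on the server.

```python
import ssl

# Cipher string taken from the command above.
CIPHER_LIST = ("ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:"
               "DH+AES:RSA+AESGCM:RSA+AES:!aNULL:!MD5:!DSS")

# Name fragments for suites the string is meant to keep out: RC4, plus the
# !aNULL (ADH/AECDH/NULL), !MD5 and !DSS exclusions.
UNWANTED = ("RC4", "MD5", "DSS", "ADH", "AECDH", "NULL")


def classify(name):
    """Classify an OpenSSL suite name as (forward_secret, mode, unwanted)."""
    forward_secret = name.startswith(("ECDHE-", "DHE-"))
    if "RC4" in name:
        mode = "RC4"
    elif any(tag in name for tag in ("GCM", "CCM", "CHACHA20")):
        mode = "AEAD"
    else:
        mode = "CBC"  # the block mode that BEAST concerns on TLS 1.0
    unwanted = any(tag in name for tag in UNWANTED)
    return forward_secret, mode, unwanted


def audit(cipher_list):
    """Expand cipher_list with the local OpenSSL and summarise the result."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_list)  # raises ssl.SSLError if nothing matches
    # TLS 1.3 suites are configured separately from this string; skip them.
    names = [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    rows = [(n,) + classify(n) for n in names]
    fs_flags = [r[1] for r in rows]
    # True when no non-forward-secret suite is preferred over a forward-secret one.
    fs_first = fs_flags == sorted(fs_flags, reverse=True)
    return {"rows": rows, "fs_first": fs_first,
            "unwanted": [r[0] for r in rows if r[3]]}


if __name__ == "__main__":
    report = audit(CIPHER_LIST)
    for name, fs, mode, _ in report["rows"]:
        print(f"{name:32} {'FS' if fs else 'no-FS':6} {mode}")
    print("forward-secret suites preferred:", report["fs_first"])
    print("unwanted suites:", report["unwanted"] or "none")
```

Suites reported as no-FS come from the RSA+AESGCM and RSA+AES terms at the end of the string; they are only negotiated with clients that offer no ECDHE or DHE suite.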