Insecure RC4 Cipher Suites and 56-bit encryption Enabled in 3CX V14 SP3

RC4 cipher suite is still enabled in Abyss Web Server X2 (Version 2.9.3.6) that is supplied with 3CX Version 14 Service Pack 3.

Version 2.11 of Abyss Web server X2 that was released on 5th April 2016 disabled the obsolete RC4 cipher suite as per RFC7465.
 
Abyss Web Server X2 in 3CX Version 14 Service Pack 3 also negotiates TLS_RSA_WITH_DES_CBC_SHA which is only a 56-bit key and is considered insecure.
3CX support have provided a workaround for this
You may edit the ciphers configured in Abyss by doing the following:
– on 3CX server, open a browser and go to http://127.0.0.1:9999, login with admin/admin
– change Ciphers dropdown to “Custom Ciphers Specification”
– replace RC4-SHA:HIGH:MEDIUM:LOW:DEFAULT:-EXP:!SSLv2:!ADH:!aNULL:!eNULL:!NULL
with HIGH:MEDIUM:LOW:DEFAULT:-EXP:!SSLv2:!ADH:!aNULL:!eNULL:!NULL:!TLS_RSA_WITH_DES_CBC_SHA:!RC4:!DES-CBC-SHA
– validate, clicking OK on each screen until you are back to the webserver homepage then click Restart button.

Leave a Reply

Your email address will not be published.