SSL Check reveals 'BEAST' vulnerability via self-signed root?

First, Josh, thank you! I have an A+ SSL with SSLLabs. Loving my Mail-in-a-box!

All shows green and OK on my “System Status Checks” page and every SSL check shows good things. I never used a password with my DigitalOcean droplet from the beginning and don’t know what self-signed one it’s talking about. I have a Comodo wildcard SSL certificate installed. I have root disabled and an account running sudo separately. Thoughts on what self-signed root cert it’s talking about? tx!

I went to run Symantec’s SSL checker and Symantec says this:

Warnings
BEAST
The BEAST attack is not mitigated on this server.
Root installed on the server.
For best practices, remove the self-signed root from the server.

I’ve checked my ssl against these sites if it helps others out:

Hi & thanks.

The BEAST vulnerability is… complicated. I don’t understand it entirely. Any modern client should be fine because it’s only a problem with clients that only support up to TLSv1 (or SSLv3, but that’s already disabled), and TLSv1 is probably going to be deprecated soon anyway (at which point we’ll probably drop support in Mail-in-a-Box).

The problem with disabling aspects of TLS to prevent vulnerabilities is you also might end up blocking access by old clients that relied on that aspect. So there’s a trade-off between access at all and the risk of an attack. I’m not 100% sure Mail-in-a-Box has the perfect setup w.r.t. this issue, and am totally open to improvements, but the risk is low (since you’re probably using a modern client and you are probably not the target of an active attack).

If anyone with expertise wants to dive in further, please see https://github.com/mail-in-a-box/mailinabox/blob/master/tests/tls_results.txt and https://github.com/mail-in-a-box/mailinabox/blob/master/security.md. Note that the TLSv1 CBC-based ciphers, which are the source of the vulnerability, are only offered over HTTPS but not SMTP Submission or IMAPS. So only e.g. webmail and Exchange/ActiveSync would be an attack vector.

Your other question was about a self-signed certificate. If everything else is showing OKs, then this is likely because you added your CA’s root certificate into your intermediate chain. CA certs are (typically) self-signed and do not need to be included in the chain because they’re already present in the browser (which is how the browser knows it’s a real CA). SSLLabs should also warn you about this (although possibly with a different but equally unintelligible message).
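A check for the situation described in the reply above, as an added example that is not part of the original thread or Mail-in-a-Box's own code: it lists every certificate in a PEM chain file whose subject equals its issuer. The function names, file names and the throwaway sample chain are constructed for illustration, and the `openssl` command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example, not Mail-in-a-Box code. Requires the openssl CLI.

# Print "position: subject" for each certificate in PEM chain file $1 whose
# subject equals its issuer (self-issued, i.e. a root the server need not send).
# This compares names only; it does not verify the signature.
find_self_issued() {
    openssl crl2pkcs7 -nocrl -certfile "$1" |
    openssl pkcs7 -print_certs -noout |
    awk '
        /^subject=/ { subject = substr($0, 9) }
        /^issuer=/  { n++; if (substr($0, 8) == subject) print n ": " subject }
    '
}

# Build constructed sample chains with throwaway keys in directory $1:
#   good.pem = leaf only; bad.pem = leaf followed by the self-signed root.
make_sample_chains() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Root CA" \
        -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=box.example.com" \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -days 1 \
        -CA "$d/root.pem" -CAkey "$d/root.key" -CAcreateserial \
        -out "$d/leaf.pem" 2>/dev/null
    cat "$d/leaf.pem" > "$d/good.pem"
    cat "$d/leaf.pem" "$d/root.pem" > "$d/bad.pem"
}

demo_dir=$(mktemp -d)
make_sample_chains "$demo_dir"
echo "good.pem:"; find_self_issued "$demo_dir/good.pem"
echo "bad.pem:";  find_self_issued "$demo_dir/bad.pem"
rm -rf "$demo_dir"
```

Run `find_self_issued` against the chain file the server actually serves; any line it prints names a certificate that can be dropped from that file.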

Reading this article would shed some light on the BEAST attack, too: Is BEAST Still a Threat?
