[SOLVED] Fix Zimbra SSL weak cipher
Our security scanner reported Zimbra severs support weak SSL cipher. I was trying to fix it by
adding additional cipher suites to zimbraSSLExcludeCipherSuites attribute.
It looks like this:
zmprov mcf zimbraSSLExcludeCipherSuites "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA S
SL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WI
TH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_DES_CBC_SHA DES-CBC3-MD5 RC2-CBC-MD5 RC4-MD5 DES-CBC-MD5 EXP-ADH-
DES-CBC-SHA EXP-ADH-RC4-MD5 EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP
-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5 EXP-RC2-CBC-MD5 EXP-RC4-MD5"
(all in one line).
I also tried use "SSLv2 LOW EXP" cipher names, but none of these seem taken effect, except the default ones that come with the Zimbra global configuration. I indeed flushed cache, and even restarted server.
What exactly the format I should use for the cipher names?
Same problem but with v6.0.6
I am having the same problem with a security scanner reporting that our Zimbra server supports a weak SSL cipher.
The "fix" for shan's problem does not seem to apply to v6.0.6.
I find the line:
zimbraSSLExcludeCipherSuites=SSL_DHE_DSS_EXPORT_WI TH_DES40_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
in the file jetty.properties.in not in jetty.xml.in.
Is the fix the same but only in a different file?