We have recently been undergoing a pen-test due to one of the customers that we are trying to attract having unique security requirements. One issue that has been highlighted is that our zimbra server supports some weak cipher suites. What confuses the hell out of me is that the suites the network penetration tools detect should be excluded in the zimbra configuration.

For example:

zimbra@webmail:~$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA

Unfortunately, even when we test the site using third party tools, openssl, etc., we can also see that the crypto suite is still in use despite the fact that it is disabled in the configuration. We have rebooted and restarted the services with no difference in the outcome.

Has anyone else had a similar issue? Is there something I am missing in regards to SSL cipher suites? It's had me stumped for a few days now with no success.

The second issue is that we are reported to be vulnerable to BEAST attacks, which I believe is related to the crypto ciphers we use. I suspect these may be related. Can someone shed any additional light on this?


Jimmy Stewpot.
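One way to reconcile the zmprov exclusion list with what a scanner actually observes, and to tie the BEAST finding to the CBC suites, as an added example that is not from the post or from Zimbra (the OBSERVED table is a constructed, hypothetical scanner result; the normalize() step accounts for JSSE spelling some suites SSL_* where IANA and scanners say TLS_*):

```python
import re

# Constructed input: the zmprov output quoted in the post above.
ZMPROV_OUTPUT = """\
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
"""

# Constructed (hypothetical) scanner result: suites the server actually
# accepted, per protocol version. Not taken from the post.
OBSERVED = {
    "TLSv1.0": ["TLS_DHE_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA",
                "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA"],
    "TLSv1.2": ["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_128_CBC_SHA"],
}

def normalize(suite):
    """JSSE spells some suites SSL_*, IANA and most scanners spell them TLS_*;
    compare on the part after the prefix so the two spellings match."""
    return re.sub(r"^(SSL|TLS)_", "", suite)

def parse_zmprov(text):
    """Normalized suite names from `zmprov gcf zimbraSSLExcludeCipherSuites`."""
    return {normalize(m.group(1)) for m in
            re.finditer(r"^zimbraSSLExcludeCipherSuites:\s*(\S+)", text, re.M)}

def still_offered(excluded, observed):
    """Per protocol: suites configured as excluded that the server still accepts."""
    report = {}
    for proto, suites in observed.items():
        hits = sorted(s for s in suites if normalize(s) in excluded)
        if hits:
            report[proto] = hits
    return report

def beast_exposed(observed):
    """BEAST needs a CBC-mode suite negotiated under SSLv3 or TLS 1.0; list those."""
    return {proto: sorted(s for s in suites if "_CBC_" in s)
            for proto, suites in observed.items()
            if proto in ("SSLv3", "TLSv1.0") and any("_CBC_" in s for s in suites)}
```

Replace OBSERVED with the suites your scanner or openssl s_client runs report per protocol; any entry returned by still_offered() is an exclusion that did not take effect on that listener, and beast_exposed() shows which CBC suites on SSLv3/TLS 1.0 the BEAST finding refers to.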