A recent vulnerability scan identified an "SSL Server Allows Anonymous Authentication Vulnerability" on port 993. I use SSL for IMAP.
I believe that I need to change the encryption ciphers in /opt/zimbra/conf/nginx/includes/nginx.conf.mail. I changed the parameter below:
# Ciphers configuration
# Permitted ciphers. Ciphers are assigned in the formats supported by OpenSSL
I changed the last line to the line below:
ssl_ciphers !aNULL:!ADH:!eNULL:!LOW:!EXP:!SSLv2:!MD5:RC4+RSA:+HIGH:+MEDIUM;
The ssl_ciphers parameter changes back to the default once the Zimbra service is restarted.
I also tried to change the encryption ciphers in the file /opt/zimbra/conf/attrs/zimbra-attrs.xml, but I am not sure if that will solve the issue.
Can someone suggest a solution? Please let me know if more details are required.
Note: a similar vulnerability on ports 25 and 465 was fixed by exempting the weak encryption ciphers in the Postfix main.conf file.
Thank you, Prem