Thread: Zimbra & SSL ciphers hardening

  1. #1

    Zimbra & SSL ciphers hardening

    When the SSL Server Test from https://www.ssllabs.com/ssltest/ is started on our 8.0.5 zimbra installation, the Overall Rating returned is only a "C" :

    Certificate 100%
    Protocol Support 90%
    Key Exchange 40%
    Cipher Strength 60%

    Potential issues listed: DoS danger because Secure Client-Initiated Renegotiation is allowed, BEAST attack, forward secrecy, etc., and some ciphers considered weak are also allowed.

    I just tried to improve this situation by following the instructions of Setting up Zimbra for strong ciphers only | Liberty Systems & Software :

    before: zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH
    after: zimbraReverseProxySSLCiphers: ADH:!eNULL:!aNULL:!DHE-RSA-AES256-SHA:!SSLv2:!MD5:RC4:HIGH

    but it changed nothing (after a complete restart). What else would you suggest doing?

    Thanks & regards!

  2. #2

    What quality strength cert did you buy? You can specify a high quality key strength and various strengths with zmcertmgr in ZCS8.0.5.

    I would note that mail.zimbra.com returns with an "A" rating.
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  3. #3

    Hi Quanah & thanks for your answer :-)

    As far as I can tell, my certificate has the same "quality" as the one from mail.zimbra.com: Key: RSA 4096 bits and Signature algorithm: SHA1withRSA, so I presume the score really has something to do with the setup. I wonder what "zmprov gacf | grep -i ssl" would look like on mail.zimbra.com... Do you know if there is any way to get that information?

    Here it looks like this (these should normally be the default values of an 8.0.5 system, but maybe the fact that it was first a 5.0, then 6.0 and 7.0 version has an influence...):

    zimbraHttpSSLNumThreads: 50
    zimbraImapSSLBindOnStartup: TRUE
    zimbraImapSSLBindPort: 7993
    zimbraImapSSLProxyBindPort: 993
    zimbraImapSSLServerEnabled: TRUE
    zimbraMailSSLClientCertMode: Disabled
    zimbraMailSSLClientCertPort: 9443
    zimbraMailSSLClientCertPrincipalMap: SUBJECT_EMAILADDRESS=name
    zimbraMailSSLClientCertPrincipalMapLdapFilterEnabled: FALSE
    zimbraMailSSLPort: 0
    zimbraMailSSLProxyClientCertPort: 3443
    zimbraMailSSLProxyPort: 0
    zimbraNotifySSLBindPort: 7036
    zimbraNotifySSLServerEnabled: TRUE
    zimbraPop3SSLBindOnStartup: TRUE
    zimbraPop3SSLBindPort: 7995
    zimbraPop3SSLProxyBindPort: 995
    zimbraPop3SSLServerEnabled: TRUE
    zimbraReverseProxyHttpSSLPortAttribute: zimbraMailSSLPort
    zimbraReverseProxyImapSSLPortAttribute: zimbraImapSSLBindPort
    zimbraReverseProxyPop3SSLPortAttribute: zimbraPop3SSLBindPort
    zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH
    zimbraReverseProxySSLToUpstreamEnabled: FALSE
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
    zimbraStatThreadNamePrefix: ImapSSLServer
    zimbraStatThreadNamePrefix: Pop3SSLServer

  4. #4

    Here are our cipher suite settings:

    Code:
    [zimbra@edge01-zcs ~]$ zmprov gacf | grep Cipher
    zimbraReverseProxySSLCiphers: RC4:HIGH:!aNULL:!MD5:!kEDH:!AD:!SSLv2
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration

  5. #5

    This gives me an A rating on that site you linked to:

    ShanxT-Removing-Insecure-SSL-Ciphers - Zimbra :: Wiki

    Although quite why this isn't standard I'm not sure. Shouldn't Zimbra updates include this as things move on?

  6. #6

    Thanks for your update, I'll try the "zimbraReverseProxySSLCiphers" you mentioned here later this weekend on our servers and get back to you!

  7. #7

    Done, and unfortunately not a single change, as if updating "zimbraReverseProxySSLCiphers" had no influence on the results at all. Same for any setting of "zimbraReverseProxySSLToUpstreamEnabled" (FALSE by default).

  8. #8

    I have the following Cipher sets excluded and it gets an A in the Qualys SSL labs checks, as well as no problems with our internal tool (Tenable Nessus):

    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_3DES_EDE_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_AES_256_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256

    Not sure if it matters but we're on 7.2.x still, not 8.x.
    ---
    Paul Chauvet
    State University of New York at New Paltz
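An added check, not code from the thread or from Zimbra: it parses `zmprov gacf` style output (a constructed subset of the values posted above), reports which attribute actually governs the HTTPS listener an external scanner sees, and lists weak-looking JSSE suite names that the exclude list does not yet cover. It assumes, as posts #7 and #8 suggest, that zimbraReverseProxySSLCiphers only affects the nginx proxy while the mailbox (Jetty) listener honours zimbraSSLExcludeCipherSuites; SAMPLE_GACF, CANDIDATE_SUITES and WEAK_MARKERS are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the `zmprov gacf | grep -i ssl` output posted in the thread.
SAMPLE_GACF = """\
zimbraMailSSLPort: 0
zimbraMailSSLProxyPort: 0
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH
zimbraReverseProxySSLToUpstreamEnabled: FALSE
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
"""

# Constructed list of JSSE suite names a Jetty listener of that era could offer.
CANDIDATE_SUITES = [
    "SSL_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
]

# Name fragments that SSL Labs / Nessus grade down: export grade, DES/3DES, RC4, MD5, null/anon.
WEAK_MARKERS = ("EXPORT", "_DES_", "DES40", "3DES", "RC4", "_MD5", "NULL", "anon")

def parse_gacf(text):
    """Parse `attr: value` lines; multi-valued attributes become lists."""
    attrs = defaultdict(list)
    for line in text.splitlines():
        m = re.match(r"^(\w+):\s*(.*)$", line.strip())
        if m:
            attrs[m.group(1)].append(m.group(2))
    return attrs

def governing_attribute(attrs):
    """Attribute that shapes ciphers on the HTTPS port an external scanner sees.
    Assumption: nginx reads only zimbraReverseProxySSLCiphers and the mailbox
    (Jetty) listener only zimbraSSLExcludeCipherSuites; a zimbraMailSSLProxyPort
    of 0 means the proxy is not terminating HTTPS. Server-level values
    (`zmprov gs <server>`) override gacf, so check those too.
    """
    if attrs.get("zimbraMailSSLProxyPort", ["0"])[0] != "0":
        return "zimbraReverseProxySSLCiphers"
    return "zimbraSSLExcludeCipherSuites"

def unexcluded_weak_suites(attrs, candidates=CANDIDATE_SUITES):
    """Weak-looking candidate suites that the exclude list does not yet cover."""
    excluded = set(attrs.get("zimbraSSLExcludeCipherSuites", []))
    return sorted(s for s in candidates
                  if s not in excluded and any(w in s for w in WEAK_MARKERS))
```

Run against the real `zmprov gacf` (and `zmprov gs`) output of a server to see which attribute a scanner result actually depends on before editing cipher strings.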
