8.7.3 and weak DH security


Post by Martinwiertz » Fri Feb 24, 2017 2:45 pm


For the last few weeks I've been trying to improve the security of my Zimbra Collab server. I use the open source edition, Release 8.7.2.GA.1736.UBUNTU14.64 UBUNTU14_64 FOSS edition, but this is with the 8.7.3 release.

If I test with:
https://www.htbridge.com/ssl -- the result is an F
https://www.ssllabs.com/ssltest -- the result is a B

How do I get better security?

Weak DH encryption
Forward secrecy - WEAK
Uses common DH primes - I created new ones (3072 bits)
The server's Diffie-Hellman parameter is too small. (Non-compliant with NIST, HIPAA and PCI DSS)
The server supports elliptic curves that are considered weak. (Non-compliant with NIST, HIPAA and PCI DSS)

This article also doesn't get me more secure:
https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test

Disabling the weak ciphers can create problems with some applications, I found on Google. I didn't disable:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK

Enable Strict Transport Security (HSTS) & Session resumption (caching):
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
zmcontrol restart
The result on the test website is that HSTS is not active....?

Also a set of guidelines:

I also tried to improve the NGINX config files as indicated on several sites, including Zimbra's.

Please help and advise!
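An added example (not from the post or from Zimbra) for checking the two findings above from the admin's side: it parses `openssl s_client` output for the ephemeral DH group size the live server actually negotiates, and `curl -I` output for the HSTS header, so you can tell whether the 3072-bit parameters and the zimbraResponseHeader change took effect. The host name zimbra.example.com is a placeholder, and the sample outputs embedded below are constructed.

```shell
#!/bin/sh
# On a real server, feed these functions with (placeholder host name):
#   openssl s_client -cipher 'DHE' -connect zimbra.example.com:443 </dev/null 2>/dev/null
#   curl -sI https://zimbra.example.com/
# Forcing DHE ciphers makes s_client print the negotiated DH group size.

# Print the DH group size in bits from s_client output on stdin; 0 if no DH key was used.
dh_bits_from_s_client() {
    sed -n 's/^Server Temp Key: DH, \([0-9]*\) bits$/\1/p' | head -n 1 | grep . || echo 0
}

# The scanners flag 1024-bit groups as WEAK; require at least 2048 bits.
dh_group_ok() {   # $1 = bits
    [ "$1" -ge 2048 ]
}

# Print max-age from a Strict-Transport-Security header in curl -I output on stdin; 0 if absent.
hsts_max_age() {
    tr -d '\r' | awk '
        tolower($1) == "strict-transport-security:" {
            line = tolower($0)
            if (match(line, /max-age=[0-9]+/)) { print substr(line, RSTART + 8, RLENGTH - 8); found = 1; exit }
        }
        END { if (!found) print 0 }'
}

# Require at least the one-year value set with zmprov in the post.
hsts_ok() {   # $1 = max-age seconds
    [ "$1" -ge 31536000 ]
}

# Constructed samples: what a server in the state described in the post would return.
SAMPLE_SCLIENT='CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---'
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html'

bits=$(printf '%s\n' "$SAMPLE_SCLIENT" | dh_bits_from_s_client)
age=$(printf '%s\n' "$SAMPLE_HEADERS" | hsts_max_age)
echo "negotiated DH group: $bits bits"
dh_group_ok "$bits" && echo "DH: ok" || echo "DH: weak, nginx is not using the new dhparam file"
echo "HSTS max-age: $age"
hsts_ok "$age" && echo "HSTS: ok" || echo "HSTS: header missing or too short"
```

If the DH size stays at 1024 after you generated 3072-bit parameters, the proxy is still loading its default group rather than your file; if max-age prints 0, the header is not reaching the client through the nginx proxy.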
