
8.7.3 and weak DH security

Posted: Fri Feb 24, 2017 2:45 pm
by Martinwiertz

For the last few weeks I've been trying to improve the security of my Zimbra Collab server. I use the open source edition. Release 8.7.2.GA.1736.UBUNTU14.64 UBUNTU14_64 FOSS edition, but this is with the 8.7.3 release.

If I test with: -- result is an F -- result is a B

How do I get better security?

Weak DH encryption
Forward secrecy - WEAK
Uses common DH primes - I created new ones 3072
The server's Diffie-Hellman parameter is too small. (Non-compliant with NIST, HIPAA and PCI DSS)
The server supports elliptic curves that are considered weak. (Non-compliant with NIST, HIPAA and PCI DSS)

Also, this article doesn't make me more secure. ... urity_Test

Disabling the weak ciphers can create problems with some applications, I found on Google. I didn't disable:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK

Enable Strict Transport Security (HSTS) & Session resumption (caching)
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
zmcontrol restart
The result of the test website is that HSTS is not active....?

Also a set of guidelines:

Also, I tried to improve the NGINX config files as indicated on several sites, incl. Zimbra's.

Please help and advise!