Need Help..How to disable Weak Cipher Suites and TLSv1.0

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
odiecoranes
Posts: 15
Joined: Wed Jun 29, 2016 9:00 am

Need Help..How to disable Weak Cipher Suites and TLSv1.0

Postby odiecoranes » Fri Mar 30, 2018 3:05 am

Hi Everyone!

need your help..
I recently upgraded to Release 8.8.8_GA_2009.RHEL7_64_20180322150747 RHEL7_64 FOSS edition.
server didn't passed on qualys scanning..



I already remove this weak cipher using this guide https://wiki.zimbra.com/wiki/Cipher_suites but still visible in ssllabs.com

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 3072 bits FS 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 3072 bits FS 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK

===============================================================================

I set this to high by running "zmprov mcf zimbraMtaSmtpTlsMandatoryCiphers high" then restart zimbra/ rebooted servers as well but it still appears as medium

zimbraMtaSmtpTlsMandatoryCiphers
Value for postconf smtp_tls_mandatory_ciphers

type : enum
value : export,low,medium,high,null
callback :
immutable : false
cardinality : single
requiredIn :
optionalIn : globalConfig,server
flags : serverInherited
defaults : medium
min :
max :
id : 1514
requiresRestart :
since : 8.5.0
deprecatedSince :



=========================================================================
For TLS
https://wiki.zimbra.com/wiki/Postfix_PCI_Compliance_in_ZCS

SSL/TLS Server supports TLSv1.0 - port 25/tcp over SSL
Server supports TLSv1.0 SSL/TLS Server supports TLSv1.0 port 465/tcp over SSL
Server supports TLSv1.0 SSL/TLS Server supports TLSv1.0 port 587/tcp over SSL
Security Header Not Detected HTTP Security Header Not Detected port 443/tcp



Thnaks!


FredKarno
Posts: 32
Joined: Sat Oct 10, 2015 5:40 am

Re: Need Help..How to disable Weak Cipher Suites and TLSv1.0

Postby FredKarno » Thu Sep 20, 2018 9:13 am

FWIW I'm finding the same results.
I disabled a whole list of weak ciphers using:

zmprov mcf +zimbraSSLExcludeCipherSuites <cipher1>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher2>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipherN>

and restarted mailboxd with:
zmmailboxdctl restart

Qualys SSL test still sees the exact same list of ciphers as before.
Also TLS1.0 is accepted. Since that is now deprecated by the PCI council I'd like to remove that too.
Any hints?

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 32 guests