The server does not prefer cipher suites

Posted: Thu Jan 02, 2020 8:17 am
by spinx
Hi,

I have Zimbra Open Source 8.8.15 and I have run a security test and it shows "The server does not prefer cipher suites. We advise to enable this feature in order to enforce usage of the best cipher suites selected."

Can someone help me resolve this?

Regards

Re: The server does not prefer cipher suites

Posted: Fri Jan 03, 2020 7:55 pm
by spinx
Does anyone have any idea?

Re: The server does not prefer cipher suites

Posted: Fri Jan 03, 2020 8:02 pm
by phoenix
Which 'security test' was this? Have you read the wiki article(s) on ciphers?

Re: The server does not prefer cipher suites

Posted: Fri Jan 03, 2020 8:27 pm
by spinx
Hi, there were a few security scans and all show that I don't have cipher order configured.

I have tried everything :)

Re: The server does not prefer cipher suites

Posted: Fri Jan 03, 2020 8:31 pm
by phoenix
How about telling me which ones so I can verify them? You also didn't answer if you've read the wiki articles on ciphers.

Re: The server does not prefer cipher suites

Posted: Fri Jan 03, 2020 8:33 pm
by spinx
https://www.immuniweb.com/ssl/

Yes, I have read everything. I have been facing this problem for a few days and have read everything that is about ciphers in the wiki and on Google.

Re: The server does not prefer cipher suites

Posted: Sat Jan 04, 2020 5:53 am
by phoenix
Well, I've run that test and I don't see that message anywhere. I'd suggest you use the articles here:

https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test
https://www.huuphan.com/2017/07/zimbra-qualys-a.html

Make the required changes and try the test again.

Re: The server does not prefer cipher suites

Posted: Sat Jan 04, 2020 9:38 am
by spinx
Hi,
The problem is on port 25; on this port it shows this problem, not on 443.

Regards

Re: The server does not prefer cipher suites

Posted: Sat Jan 04, 2020 10:57 am
by phoenix
spinx wrote: The problem is on port 25, on this port it shows this problem not on 443.
You should have mentioned that to start with; a full description of a problem and your attempts to fix it go a long way to an earlier resolution.

It's my understanding (although I'm no expert) that this feature requires:

Code:

 tls_preempt_cipherlist = yes

That is a feature of SSLv3: http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist and, as SSLv2 & SSLv3 are deprecated in Zimbra (and in general) and you can exclude those from being used, you're not able to make that change. Also, what you see on 'test sites' isn't necessarily best practice. I'll wait to be corrected on any errors in my comments by someone more knowledgeable than me.

Re: The server does not prefer cipher suites

Posted: Sat Jan 04, 2020 5:46 pm
by neutronscott
This is a good change. MTA encryption is usually opportunistic and will use plaintext, so it's not a huge deal. That is a good tool though. Nessus did not find this on 25 for me.
The feature has existed since SSL3, so it is still correct for TLS.
Again, not much gain if you still support the worst cipher suite of them all, NULL :lol: but that's the evil of email.
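
Added example, not part of the thread and not Zimbra or Postfix code: one way to reproduce the scanner's finding on port 25 yourself is to open two STARTTLS sessions that offer the same two ciphers in opposite order and compare what the MTA picks, before and after setting tls_preempt_cipherlist. The function names and the two OpenSSL cipher names used in the test are assumptions chosen for illustration; the probe is capped at TLS 1.2 because Python's set_ciphers() does not control TLS 1.3 suites.

```python
import smtplib
import ssl


def negotiate(host, ciphers, port=25, timeout=10):
    """Offer `ciphers` (OpenSSL names, in this order) over STARTTLS; return the one chosen."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # this probes configuration, it does not authenticate the peer
    ctx.verify_mode = ssl.CERT_NONE
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(":".join(ciphers))
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo()
        smtp.starttls(context=ctx)
        return smtp.sock.cipher()[0]


def classify(pair, picked_forward, picked_reversed):
    """Interpret the two handshake results for the cipher pair (a, b)."""
    a, b = pair
    if {picked_forward, picked_reversed} - {a, b}:
        return "inconclusive"        # server answered with something we did not offer
    if picked_forward == picked_reversed:
        return "server-preference"   # same choice regardless of client order
    if picked_forward == a and picked_reversed == b:
        return "client-preference"   # server took whatever the client listed first
    return "inconclusive"


def check(host, pair, probe=negotiate):
    """Return 'server-preference', 'client-preference' or 'inconclusive' for `host`."""
    a, b = pair
    try:
        # Both ciphers must be accepted on their own, otherwise a constant
        # answer only means the server supports one of them.
        if probe(host, [a]) != a or probe(host, [b]) != b:
            return "inconclusive"
        return classify(pair, probe(host, [a, b]), probe(host, [b, a]))
    except (ssl.SSLError, smtplib.SMTPException, OSError):
        return "inconclusive"
```

Call `check("mail.example.test", (cipher_a, cipher_b))` against your own MTA; a result of "client-preference" corresponds to the scanner's "does not prefer cipher suites" message.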