Hi,
For the last few weeks I have been trying to improve the security of my Zimbra Collab server. I use the open source edition, Release 8.7.2.GA.1736.UBUNTU14.64 UBUNTU14_64 FOSS edition, but this is with the 8.7.3 release.
If I test with:
https://www.htbridge.com/ssl -- result is an F
https://www.ssllabs.com/ssltest -- result is a B
How do I get better security?
Weak DH encryption
Forward secrecy - WEAK
Uses common DH primes - I created new ones (3072)
The server's Diffie-Hellman parameter is too small. (Non-compliant with NIST, HIPAA and PCI DSS)
The server supports elliptic curves that are considered weak. (Non-compliant with NIST, HIPAA and PCI DSS)
Also this article doesn't get me more secure.
https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test
Disabling the weak ciphers can create problems with some applications, as I found on Google. I didn't disable:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits FS WEAK
Enable Strict Transport Security (HSTS) & Session resumption (caching)
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
zmcontrol restart
The result on the test website is that HSTS is not active...?
Also a set of guidelines:
https://wiki.zimbra.com/wiki/Security/Collab/87
Also I tried to improve the NGINX config files as indicated on several sites, incl. Zimbra.
Please help and advise!
8.7.3 and weak DH security
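The two findings above (DH still reported at 1024 bits after regenerating 3072-bit params, and HSTS reported inactive after setting the header) are best confirmed from the client side rather than from the scanner. The script below is an added example, not code from the post or from Zimbra: it parses the "Server Temp Key" line that `openssl s_client` prints and the Strict-Transport-Security response header, so you can see what the server actually negotiates. The sample outputs and headers are constructed; the live check assumes the `openssl` CLI is on PATH and that the 2048-bit minimum for finite-field DH is the policy you want to apply.

```python
import re
import subprocess
import sys
from http.client import HTTPSConnection

MIN_DH_BITS = 2048  # assumption: minimum finite-field DH size to accept

def parse_temp_key(s_client_output):
    """Return (kind, bits) from openssl's 'Server Temp Key:' line, else None."""
    m = re.search(r"Server Temp Key:\s*([A-Za-z0-9]+),.*?(\d+) bits", s_client_output)
    return (m.group(1), int(m.group(2))) if m else None

def assess_key_exchange(s_client_output):
    """Classify the ephemeral key the server actually used in this handshake."""
    key = parse_temp_key(s_client_output)
    if key is None:
        return "no ephemeral key: handshake has no forward secrecy"
    kind, bits = key
    if kind == "DH" and bits < MIN_DH_BITS:
        return f"weak: DH {bits} bits"
    return f"ok: {kind} {bits} bits"

def parse_hsts(raw_headers):
    """Return (max_age, include_subdomains) from an HTTP header block, else None."""
    for line in raw_headers.splitlines():
        name, _, value = line.partition(":")
        if name.strip().lower() == "strict-transport-security":
            m = re.search(r"max-age=(\d+)", value, re.I)
            return (int(m.group(1)) if m else 0, "includesubdomains" in value.lower())
    return None

def live_check(host, port=443):
    """Network check: force a DHE suite (as the scanners do) and fetch headers."""
    out = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}",
                          "-servername", host, "-cipher", "DHE"],
                         input=b"", capture_output=True, timeout=20).stdout
    conn = HTTPSConnection(host, port, timeout=20)
    conn.request("HEAD", "/")
    hdrs = "\n".join(f"{k}: {v}" for k, v in conn.getresponse().getheaders())
    return assess_key_exchange(out.decode(errors="replace")), parse_hsts(hdrs)

# Constructed samples: what the scanner in the post saw, and a fixed server.
SAMPLE_WEAK = "...\nServer Temp Key: DH, 1024 bits\n---\n"
SAMPLE_FIXED = "...\nServer Temp Key: DH, 3072 bits\n---\n"
SAMPLE_HEADERS = "HTTP/1.1 200 OK\nStrict-Transport-Security: max-age=31536000\n"

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(live_check(sys.argv[1]))  # python3 check.py mail.example.com
    else:
        print(assess_key_exchange(SAMPLE_WEAK), "|", assess_key_exchange(SAMPLE_FIXED))
        print(parse_hsts(SAMPLE_HEADERS))
```

If the live check still shows "DH, 1024 bits", the regenerated parameters are not the ones the listening nginx/proxy is loading; if parse_hsts returns None, the header is not being emitted on the port the scanner hits.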