DH 1024 bits "Weak" on Qualys test.

Postby Robstarusa » Wed May 24, 2017 10:51 pm

I just upgraded from Zimbra 8.6.0 to 8.7.9.

I've tried this article:
https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test

and run (as user zimbra)

    zmdhparam set -new 2048


and then ran "zmproxyctl restart" and I still have the same issue of "weak DH keys" according to Qualys SSL test.

I've also edited "/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template" and "/opt/zimbra/conf/nginx/templates/nginx.conf.web.http.template" replacing:

    ${web.ssl.dhparam.enabled}ssl_dhparam             ${web.ssl.dhparam.file};

with

    ${web.ssl.dhparam.enabled}ssl_dhparam             /opt/zimbra/conf/dhparam.pem

and run zmproxyctl restart and I still have the same issue!

I can see /opt/zimbra/conf/dhparam.pem has the date/time modification stamp from when I ran the zmdhparam command from above, but it seems it is not being picked up.
I can also see that zmdhparam modifies zimbraSSLDHParam by running "zmprov gcf zimbraSSLDHParam"

Any idea why running the commands from the article above doesn't seem to work on my install?

Thank you,

Robert



Re: DH 1024 bits "Weak" on Qualys test.

Postby liverpoolfcfan » Mon May 29, 2017 9:16 am

Silly point perhaps, but easily overlooked... Did you select the "clear cache" link under your server name in order to do the retest? If you don't, the tester just returns the most recent results again.

Re: DH 1024 bits "Weak" on Qualys test.

Postby Robstarusa » Tue Jun 06, 2017 1:56 am

Yep, I tried "clear cache" when I retested.

Anyone else have ideas? Someone MUST have run into this besides me. Are there any updates pending for the article I mentioned in my original post?

Re: DH 1024 bits "Weak" on Qualys test.

Postby mmruzik » Sun Aug 20, 2017 3:49 pm

I'm seeing the same issues. Even after clearing caches and using completely different SSL test sites, the DH being reported is STILL 1024 bits.

I have changed the DH to 2048 bits and restarted all services, but there are no changes.

Re: DH 1024 bits "Weak" on Qualys test.

Postby mmruzik » Sun Aug 20, 2017 5:12 pm

Oh, also noticed that the dhparams.pem, dhparams.pem.zcs AND the output from "zmprov gcf zimbraSSLDHParam" are all different. Changing the two files around did not seem to alter the key; I might try setting a new parameter through zmprov. Since running the zmdhparam command, even after restarting the services, that parameter does not change in zmprov.
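
A local check that does not depend on a scanner's cache, as an added example that is not part of any post in this thread: it classifies the `Server Temp Key` line printed by `openssl s_client`. The function names, the `mail.example.com` placeholder host and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report the key exchange a server
# actually negotiates, using the "Server Temp Key" line of `openssl s_client`.

# Threshold taken from the 2048-bit value used in the thread.
MIN_DH_BITS=2048

# Reads s_client output on stdin and prints exactly one verdict:
#   DH_WEAK <bits> | DH_OK <bits> | NOT_DHE <type> | NO_TEMP_KEY | UNPARSED
classify_temp_key() {
    tk_line=$(sed -n 's/^Server Temp Key: *//p' | head -n 1)
    if [ -z "$tk_line" ]; then
        echo "NO_TEMP_KEY"          # handshake failed or no ephemeral key exchange
        return 0
    fi
    tk_kind=${tk_line%%,*}          # "DH", "ECDH", "X25519", ...
    tk_bits=$(printf '%s\n' "$tk_line" | sed -n 's/.*[ ,]\([0-9][0-9]*\) bits.*/\1/p')
    if [ "$tk_kind" != "DH" ]; then
        echo "NOT_DHE $tk_kind"     # ECDHE was chosen; the dhparam file was not used
    elif [ -z "$tk_bits" ]; then
        echo "UNPARSED"
    elif [ "$tk_bits" -lt "$MIN_DH_BITS" ]; then
        echo "DH_WEAK $tk_bits"
    else
        echo "DH_OK $tk_bits"
    fi
}

# Live check; forces TLS 1.2 with a DHE suite so the DH group is exercised.
# Call as: check_host mail.example.com 443   (placeholder host)
check_host() {
    openssl s_client -connect "$1:${2:-443}" -tls1_2 -cipher DHE \
        </dev/null 2>/dev/null | classify_temp_key
}

# Constructed sample of s_client output, so the script runs offline.
SAMPLE_WEAK='CONNECTED(00000003)
---
Server Temp Key: DH, 1024 bits
---
SSL handshake has read 1935 bytes and written 421 bytes'

printf '%s\n' "$SAMPLE_WEAK" | classify_temp_key
```

Running `check_host` before and after a proxy restart shows whether the new parameters were picked up, independent of any external test site.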
