
DH 1024 bits "Weak" on Qualys test.

Posted: Wed May 24, 2017 10:51 pm
by Robstarusa
I just upgraded from Zimbra 8.6.0 to 8.7.9

I've tried this article:
https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test

and run (as user zimbra)

Code:

zmdhparam set -new 2048


and then ran "zmproxyctl restart" and I still have the same issue of "weak DH keys" according to Qualys SSL test.

I've also edited "/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template" and "/opt/zimbra/conf/nginx/templates/nginx.conf.web.http.template" replacing:

Code:

    ${web.ssl.dhparam.enabled}ssl_dhparam             ${web.ssl.dhparam.file};

with

Code:

    ${web.ssl.dhparam.enabled}ssl_dhparam             /opt/zimbra/conf/dhparam.pem

and run zmproxyctl restart and I still have the same issue!

I can see /opt/zimbra/conf/dhparam.pem has the date/time modification stamp from when I ran the zmdhparam command from above, but it seems it is not being picked up.
I can also see that zmdhparam modifies zimbraSSLDHParam by running "zmprov gcf zimbraSSLDHParam"

Any idea why running the commands from the article above doesn't seem to work on my install?

Thank you,

Robert

Re: DH 1024 bits "Weak" on Qualys test.

Posted: Mon May 29, 2017 9:16 am
by liverpoolfcfan
Silly point perhaps, but easily overlooked... Did you select the "clear cache" link under your server name in order to do the retest? If you don't, the tester just returns the most recent results again.

Re: DH 1024 bits "Weak" on Qualys test.

Posted: Tue Jun 06, 2017 1:56 am
by Robstarusa
Yep, I tried "clear cache" when I retested.

Anyone else have ideas? Someone MUST have run into this besides me. Are there any updates pending for the article I mentioned in my original post?

Re: DH 1024 bits "Weak" on Qualys test.

Posted: Sun Aug 20, 2017 3:49 pm
by mmruzik
I'm seeing the same issues. Even after clearing caches and using completely different SSL test sites, the DH being reported is STILL 1024 bits.

I have changed the DH to 2048 bits and restarted all services, but there are no changes.

Re: DH 1024 bits "Weak" on Qualys test.

Posted: Sun Aug 20, 2017 5:12 pm
by mmruzik
Oh, also noticed that the dhparams.pem, dhparams.pem.zcs AND the output from: zmprov gcf zimbraSSLDHParam are all different. Changing the two files around did not seem to alter the key; I might try setting a new parameter through zmprov. Since running the zmdhparam command, even after restarting the services, that parameter does not change in zmprov.
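
Added example, not part of the thread and not Zimbra code: a small Python check that reports the DH modulus size and a short fingerprint for each copy of the parameters mentioned above (the PEM files and the `zmprov gcf zimbraSSLDHParam` output), so a stale or mismatched copy stands out. It assumes the zmprov output contains the PEM block after an `zimbraSSLDHParam:` prefix; the sample inputs are constructed and are not real safe primes.

```python
import base64, hashlib, re

PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.+?)-----END DH PARAMETERS-----", re.S)

def _read_len(der, i):
    """Decode a DER length field at offset i; return (length, offset of content)."""
    if der[i] < 0x80:
        return der[i], i + 1
    n = der[i] & 0x7F
    return int.from_bytes(der[i + 1:i + 1 + n], "big"), i + 1 + n

def dh_info(text):
    """Return (modulus bits, short SHA-256 of the DER) for the first DH block in text."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, i = _read_len(der, 1)                      # skip the outer SEQUENCE header
    if der[0] != 0x30 or der[i] != 0x02:
        raise ValueError("expected SEQUENCE { INTEGER p, ... }")
    plen, i = _read_len(der, i + 1)
    p = int.from_bytes(der[i:i + plen], "big")
    return p.bit_length(), hashlib.sha256(der).hexdigest()[:16]

def compare(sources):
    """Map each source name to (bits, fingerprint); differing values mean differing params."""
    return {name: dh_info(text) for name, text in sources.items()}

def _der(tag, body):
    """Wrap body in a DER tag-length-value (helper for the constructed samples only)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + body

def make_sample(bits):
    """Constructed sample: well-formed DH PARAMETERS PEM with a placeholder modulus."""
    ints = [(1 << (bits - 1)) | 1, 2]             # placeholder p (not a safe prime), g = 2
    body = b"".join(_der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in ints)
    b64 = base64.b64encode(_der(0x30, body)).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{lines}\n-----END DH PARAMETERS-----\n"

if __name__ == "__main__":
    constructed = {                               # stand-ins for the real file / zmprov text
        "dhparam.pem": make_sample(2048),
        "zmprov gcf zimbraSSLDHParam": "zimbraSSLDHParam: " + make_sample(1024),
    }
    for name, (bits, fp) in compare(constructed).items():
        print(f"{name}: {bits} bits, sha256 {fp}")
```

On a real host, pass the contents of each PEM file and the text printed by `zmprov gcf zimbraSSLDHParam` in place of the constructed samples.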