Need Help..How to disable Weak Cipher Suites and TLSv1.0

odiecoranes
Posts: 15
Joined: Wed Jun 29, 2016 9:00 am

Need Help..How to disable Weak Cipher Suites and TLSv1.0

Post by odiecoranes »

Hi Everyone!

need your help..
I recently upgraded to Release 8.8.8_GA_2009.RHEL7_64_20180322150747 RHEL7_64 FOSS edition.
The server didn't pass Qualys scanning.

I already removed these weak ciphers using this guide https://wiki.zimbra.com/wiki/Cipher_suites, but they are still visible on ssllabs.com:

TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 3072 bits FS 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 3072 bits FS 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK

===============================================================================

I set this to high by running "zmprov mcf zimbraMtaSmtpTlsMandatoryCiphers high", then restarted Zimbra and rebooted the servers as well, but it still appears as medium.

zimbraMtaSmtpTlsMandatoryCiphers
Value for postconf smtp_tls_mandatory_ciphers

type : enum
value : export,low,medium,high,null
callback :
immutable : false
cardinality : single
requiredIn :
optionalIn : globalConfig,server
flags : serverInherited
defaults : medium
min :
max :
id : 1514
requiresRestart :
since : 8.5.0
deprecatedSince :



=========================================================================
For TLS
https://wiki.zimbra.com/wiki/Postfix_PC ... nce_in_ZCS

SSL/TLS Server supports TLSv1.0 - port 25/tcp over SSL
SSL/TLS Server supports TLSv1.0 - port 465/tcp over SSL
SSL/TLS Server supports TLSv1.0 - port 587/tcp over SSL
HTTP Security Header Not Detected - port 443/tcp

Thanks!
FredKarno
Posts: 49
Joined: Sat Oct 10, 2015 5:40 am

Re: Need Help..How to disable Weak Cipher Suites and TLSv1.0

Post by FredKarno »

FWIW I'm finding the same results.
I disabled a whole list of weak ciphers using:

zmprov mcf +zimbraSSLExcludeCipherSuites <cipher1>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher2>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipherN>

and restarted mailboxd with:
zmmailboxdctl restart

Qualys SSL test still sees the exact same list of ciphers as before.
Also TLS1.0 is accepted. Since that is now deprecated by the PCI council I'd like to remove that too.
Any hints?
portscanner
Posts: 37
Joined: Sat Sep 13, 2014 1:49 am
Location: Planet Earth
ZCS/ZD Version: 8.8.12

Re: Need Help..How to disable Weak Cipher Suites and TLSv1.0

Post by portscanner »

I know I am a little late to the party - assuming you have zmproxy installed - what worked for me was

zmprov modifyConfig zimbraReverseProxySSLCiphers '!AES128-SHA256:!AES128-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!ADH:!eNULL:!aNULL:!DHE-RSA-AES256-SHA:!SSLv2:!MD5:!EXPORT:!DES:!PSK:!RC4:HIGH'

zmprov mcf -zimbraReverseProxySSLProtocols TLSv1

zmprov mcf -zimbraReverseProxySSLProtocols TLSv1.1

zmdhparam set -new 2048

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"

zmcontrol restart
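As an added example (not code from the thread or from Zimbra), the script below takes the cipher string from portscanner's post (with the ':' that is missing before !AES256-SHA inserted), expands it with the local OpenSSL the same way nginx's SSL_CTX_set_cipher_list would, and lists any static-RSA suites still enabled; those are the TLS_RSA_* suites SSL Labs marked WEAK in the first post, because they give no forward secrecy. The second string, built on the OpenSSL keyword !kRSA, is this example's own suggestion rather than a value from the thread: it excludes by key-exchange class, so static-RSA suites the name-based list never mentions (which ones exist depends on the OpenSSL build; the script prints them) are dropped as well.

```python
"""Expand a zimbraReverseProxySSLCiphers value with the local OpenSSL and report
which enabled suites still use static RSA key exchange.
Added example for the thread above; not Zimbra's own code."""
import ssl

# Cipher string from portscanner's post, with the ':' that is missing before
# !AES256-SHA inserted. Everything else is as posted.
THREAD_CIPHERS = (
    "!AES128-SHA256:!AES128-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!AES256-SHA:"
    "!AES256-SHA256:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!ADH:!eNULL:!aNULL:"
    "!DHE-RSA-AES256-SHA:!SSLv2:!MD5:!EXPORT:!DES:!PSK:!RC4:HIGH"
)

# Same goal expressed by key-exchange class: !kRSA removes every static-RSA
# suite whatever its name. (This example's assumption, not a thread value.)
CLASS_CIPHERS = "HIGH:!kRSA:!aNULL:!eNULL:!MD5:!RC4:!DES:!EXPORT:!PSK"

# OpenSSL names of the suites the scanner flagged WEAK in the first post.
SUITES_FLAGGED_IN_THREAD = {
    "AES128-GCM-SHA256", "AES256-GCM-SHA384", "AES128-SHA256", "AES128-SHA",
    "AES256-SHA256", "AES256-SHA", "CAMELLIA256-SHA", "CAMELLIA128-SHA",
}


def expand(cipher_string):
    """Return the TLS 1.2-and-below suites OpenSSL enables for cipher_string.

    TLS 1.3 suites are configured separately (set_ciphersuites) and are not
    touched by a cipher list string, so they are filtered out here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError only if nothing matches
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def uses_static_rsa_kx(cipher):
    """True when the suite's key exchange is plain RSA (no forward secrecy)."""
    kea = cipher.get("kea")  # present on OpenSSL >= 1.1 builds of Python
    if kea is not None:
        return kea == "kx-rsa"
    # Fallback: the textual description carries 'Kx=RSA' for static RSA.
    return " Kx=RSA " in cipher["description"]


def names(cipher_string):
    """Set of suite names enabled by cipher_string."""
    return {c["name"] for c in expand(cipher_string)}


def remaining_static_rsa(cipher_string):
    """Sorted names of static-RSA suites still enabled by cipher_string."""
    return sorted(c["name"] for c in expand(cipher_string) if uses_static_rsa_kx(c))


if __name__ == "__main__":
    for label, s in (("thread list", THREAD_CIPHERS), ("by class", CLASS_CIPHERS)):
        left = remaining_static_rsa(s)
        print(f"{label}: {len(names(s))} suites enabled, "
              f"static RSA still enabled: {left or 'none'}")
```

Run it on the proxy host so it uses the same OpenSSL as nginx. To confirm what the running proxy actually offers after zmcontrol restart, `openssl s_client -connect host:443 -tls1` should now fail to handshake (use `-starttls smtp` for ports 25 and 587), and a fresh SSL Labs or Qualys scan should no longer list the TLS_RSA_* suites.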