Hi everyone!
I need your help.
I recently upgraded to Release 8.8.8_GA_2009.RHEL7_64_20180322150747 RHEL7_64 FOSS edition.
The server didn't pass Qualys scanning.
I already removed these weak ciphers using this guide https://wiki.zimbra.com/wiki/Cipher_suites, but they are still visible on ssllabs.com:
TLS_RSA_WITH_AES_128_GCM_SHA256 (0x9c) WEAK 128
TLS_RSA_WITH_AES_256_GCM_SHA384 (0x9d) WEAK 256
TLS_RSA_WITH_AES_128_CBC_SHA256 (0x3c) WEAK 128
TLS_RSA_WITH_AES_128_CBC_SHA (0x2f) WEAK 128
TLS_RSA_WITH_AES_256_CBC_SHA256 (0x3d) WEAK 256
TLS_RSA_WITH_AES_256_CBC_SHA (0x35) WEAK 256
TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA (0x88) DH 3072 bits FS 256
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA (0x84) WEAK 256
TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA (0x45) DH 3072 bits FS 128
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA (0x41) WEAK 128
===============================================================================
I set this to high by running "zmprov mcf zimbraMtaSmtpTlsMandatoryCiphers high", then restarted Zimbra and rebooted the servers as well, but it still appears as medium:
zimbraMtaSmtpTlsMandatoryCiphers
Value for postconf smtp_tls_mandatory_ciphers
type : enum
value : export,low,medium,high,null
callback :
immutable : false
cardinality : single
requiredIn :
optionalIn : globalConfig,server
flags : serverInherited
defaults : medium
min :
max :
id : 1514
requiresRestart :
since : 8.5.0
deprecatedSince :
=========================================================================
For TLS
https://wiki.zimbra.com/wiki/Postfix_PC ... nce_in_ZCS
SSL/TLS Server supports TLSv1.0 - port 25/tcp over SSL
SSL/TLS Server supports TLSv1.0 - port 465/tcp over SSL
SSL/TLS Server supports TLSv1.0 - port 587/tcp over SSL
HTTP Security Header Not Detected - port 443/tcp
Thanks!
Need Help..How to disable Weak Cipher Suites and TLSv1.0
Re: Need Help..How to disable Weak Cipher Suites and TLSv1.0
FWIW I'm finding the same results.
I disabled a whole list of weak ciphers using:
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher1>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher2>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipherN>
and restarted mailboxd with:
zmmailboxdctl restart
Qualys SSL test still sees the exact same list of ciphers as before.
Also TLS1.0 is accepted. Since that is now deprecated by the PCI council I'd like to remove that too.
Any hints?
ZCS/ZD Version: 8.8.12
Re: Need Help..How to disable Weak Cipher Suites and TLSv1.0
I know I am a little late to the party. Assuming you have zmproxy installed, what worked for me was:
zmprov modifyConfig zimbraReverseProxySSLCiphers '!AES128-SHA256:!AES128-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!ADH:!eNULL:!aNULL:!DHE-RSA-AES256-SHA:!SSLv2:!MD5:!EXPORT:!DES:!PSK:!RC4:HIGH'
zmprov mcf -zimbraReverseProxySSLProtocols TLSv1
zmprov mcf -zimbraReverseProxySSLProtocols TLSv1.1
zmdhparam set -new 2048
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
zmcontrol restart
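Two things in this thread deserve a practitioner's note, and the script below (an added example, not code from any of the posters or from Zimbra) turns them into checks. First, the attribute changed in the opening post maps to Postfix's smtp_tls_mandatory_ciphers, and in Postfix every smtp_* parameter governs the outbound client, while the ports Qualys scanned (25, 465, 587) are served by smtpd, whose settings are the smtpd_* parameters; "mandatory" ciphers additionally only apply when TLS is required rather than opportunistic. Second, zimbraSSLExcludeCipherSuites feeds mailboxd (Jetty), but with zmproxy installed port 443 is terminated by the nginx proxy, which is why the zimbraReverseProxy* attributes in the third post worked and the second post's changes were never visible to the scanner. The script checks a cipher string offline with `openssl ciphers -v` for leftover static-RSA key exchange (the suites SSL Labs marks WEAK for lacking forward secrecy; the thread's own exclude-by-name list misses whichever other RSA-kx suites a given OpenSSL build enables, such as CCM or ARIA), then probes each flagged port for TLSv1.0 and 443 for HSTS. The FS_CIPHERS string, the hostname argument, and the zimbraMtaSmtpd* attribute names printed at the end are assumptions; the zmprov lines are only printed, never run, so verify each attribute with `zmprov desc -a <name>` before applying it.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra: check a proxy
# cipher string offline, then probe the ports Qualys flagged. Needs only
# openssl, awk and curl; the zmprov lines are printed, never executed.

# The thread's string with the missing ':' before !AES256-SHA restored.
THREAD_CIPHERS='!AES128-SHA256:!AES128-SHA:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!AES256-SHA:!AES256-SHA256:!AES256-GCM-SHA384:!AES128-GCM-SHA256:!ADH:!eNULL:!aNULL:!DHE-RSA-AES256-SHA:!SSLv2:!MD5:!EXPORT:!DES:!PSK:!RC4:HIGH'

# Shorter string assumed here: keep HIGH but drop every suite whose key
# exchange is static RSA (kRSA), so nothing without forward secrecy survives,
# whatever extra RSA-kx suites (CCM, ARIA, Camellia-SHA256, ...) this build has.
FS_CIPHERS='HIGH:!kRSA:!aNULL:!eNULL:!MD5:!RC4:!3DES:!PSK:!SRP'

# Filter: read `openssl ciphers -v` lines on stdin and print the names whose
# key exchange is static RSA (third column "Kx=RSA"). These are exactly the
# suites SSL Labs marks WEAK in the first post: no forward secrecy.
static_rsa_suites() {
    awk '$3 == "Kx=RSA" { print $1 }'
}

# Number of static-RSA suites a cipher string still enables; 0 is the goal.
count_static_rsa() {
    openssl ciphers -v "$1" | static_rsa_suites | wc -l | tr -d ' '
}

# Does HOST:PORT still negotiate TLSv1.0? Ports 25 and 587 speak STARTTLS,
# 465 and 443 are TLS from the first byte. @SECLEVEL=0 lets a modern openssl
# client offer TLSv1.0 at all (otherwise every answer would be "no").
accepts_tls10() {
    host=$1 port=$2 starttls=""
    case $port in 25|587) starttls="-starttls smtp" ;; esac
    if printf 'QUIT\r\n' | openssl s_client -connect "$host:$port" $starttls \
            -tls1 -cipher 'DEFAULT:@SECLEVEL=0' >/dev/null 2>&1; then
        echo yes
    else
        echo no
    fi
}

# Qualys' "HTTP Security Header Not Detected" on 443: look for HSTS.
has_hsts() {
    curl -skI --max-time 10 "https://$1/" | grep -qi '^strict-transport-security:' \
        && echo yes || echo no
}

# Usage: sh check_tls.sh mail.example.com   (hostname is an assumption)
if [ -n "${1:-}" ]; then
    host=$1
    echo "static-RSA suites left by the thread's string: $(count_static_rsa "$THREAD_CIPHERS")"
    echo "static-RSA suites left by FS_CIPHERS:          $(count_static_rsa "$FS_CIPHERS")"
    for p in 25 465 587 443; do
        echo "TLSv1.0 accepted on $host:$p: $(accepts_tls10 "$host" "$p")"
    done
    echo "HSTS on $host:443: $(has_hsts "$host")"
    echo
    echo "# proxy side (443), as in the third post:"
    echo "zmprov mcf zimbraReverseProxySSLCiphers '$FS_CIPHERS'"
    echo "zmprov mcf -zimbraReverseProxySSLProtocols TLSv1"
    echo "zmprov mcf -zimbraReverseProxySSLProtocols TLSv1.1"
    echo "# Postfix side (25/465/587): smtpd_* parameters, not smtp_*."
    echo "# Attribute names are assumptions; confirm with 'zmprov desc -a <name>'."
    echo "zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'"
    echo "zmprov mcf zimbraMtaSmtpdTlsCiphers high"
    echo "zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high"
    echo "zmmtactl restart; zmproxyctl restart"
fi
```

Run it against the server before and after applying the settings; the TLSv1.0 answers should flip from yes to no on all four ports, and the static-RSA count for the string you actually configure should be 0 on the OpenSSL version the proxy links against, not just on your workstation.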