ZCS 8.8.10 scanned by Nexpose

Nik
Posts: 20
Joined: Fri Apr 21, 2017 7:14 am

ZCS 8.8.10 scanned by Nexpose

Post by Nik »

Hello Community,
Our Zimbra ZCS (Release 8.8.10 GA_3039.RHEL7_64 with Patch 8.8.10_P1) has been scanned and several security issues have been detected.
Investigating wiki resources and forums on the Internet didn't help to find answers.
Can anyone share their ways of solving the problems mentioned below?
These are the issues:
1. Successfully connected over TLSv1.0 and TLSv1.1 (on ports 25, 443, 587, 993). Recommended: TLSv1.2.
2. The server is configured to support ciphers known as static key ciphers. These ciphers don't support "Forward Secrecy".
Negotiated with the following insecure cipher suites (ports 443, 993):
TLS 1.0 ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS 1.1 ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS 1.2 ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA

The recommended cipher configuration:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
3. The server on ports 443 and 993 is using a common or default prime number as a parameter during the Diffie-Hellman key exchange.
To use a randomly generated Diffie-Hellman group it's recommended to generate a 2048-bit group.
The simplest way of generating a new group is to use OpenSSL:
openssl dhparam -out dhparam.pem 2048
Changing /opt/zimbra/conf/dhparam.pem has no effect because this file is replaced by Zimbra after rebooting.

I will appreciate any help.

PS: Nexpose (Rapid7) was used as the scanner.

Best regards,
Nik
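
An added example (not from this thread, Nexpose or Zimbra) for issue 2: it classifies the scanner's reported suites by key exchange, translates their IANA names into OpenSSL's spelling, and checks which of them are still explicitly named in the recommended cipher string. It only handles the AES/Camellia CBC/GCM name shapes that appear in the report; the input lists are constructed from the post.

```python
import re

# IANA key-exchange token -> (OpenSSL prefix, forward secrecy). Static RSA key
# exchange (TLS_RSA_WITH_*) has none: a leaked server key decrypts recorded traffic.
KX = {"ECDHE_RSA": ("ECDHE-RSA", True), "ECDHE_ECDSA": ("ECDHE-ECDSA", True),
      "DHE_RSA": ("DHE-RSA", True), "DHE_DSS": ("DHE-DSS", True), "RSA": ("", False)}
SUITE = re.compile(r"TLS_([A-Z_]+?)_WITH_([A-Z]+)_(\d+)_(CBC|GCM)_(SHA\d*)")

def parse_suite(iana):
    """TLS_RSA_WITH_AES_128_CBC_SHA -> ('RSA', 'AES', '128', 'CBC', 'SHA')."""
    m = SUITE.fullmatch(iana)
    if not m or m.group(1) not in KX:
        raise ValueError(f"unsupported suite name: {iana}")
    return m.groups()

def has_forward_secrecy(iana):
    return KX[parse_suite(iana)[0]][1]

def openssl_name(iana):
    """OpenSSL spelling: static-RSA prefix omitted, CBC implicit, GCM spelled out."""
    kx, cipher, bits, mode, mac = parse_suite(iana)
    parts = [KX[kx][0], cipher + bits] + (["GCM"] if mode == "GCM" else []) + [mac]
    return "-".join(p for p in parts if p)

def audit(reported, cipher_string):
    """Return (suites without forward secrecy, suites still named in cipher_string).
    Only literal names are matched; aliases like kEDH+AESGCM and '!' exclusions
    are not expanded, so confirm the final string with `openssl ciphers -v`."""
    allowed = {t for t in cipher_string.split(":") if t and t[0] != "!" and "+" not in t}
    no_fs = [s for s in reported if not has_forward_secrecy(s)]
    return no_fs, [s for s in reported if openssl_name(s) in allowed]

# Constructed input: the TLS 1.2 suites and the recommended cipher string from the scan.
REPORTED = ["TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
            "TLS_RSA_WITH_AES_128_GCM_SHA256", "TLS_RSA_WITH_AES_256_CBC_SHA",
            "TLS_RSA_WITH_AES_256_CBC_SHA256", "TLS_RSA_WITH_AES_256_GCM_SHA384",
            "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA", "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA"]
RECOMMENDED = ("ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
               "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
               "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
               "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
               "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
               "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
               "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
               "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:"
               "!3DES:!MD5:!PSK")
```

Running audit(REPORTED, RECOMMENDED) reports all eight suites as lacking forward secrecy and none of them as still named in the recommended string, which is the result you want before applying it to the proxy.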
DualBoot
Elite member
Posts: 1326
Joined: Mon Apr 18, 2016 8:18 pm
Location: France - Earth
ZCS/ZD Version: ZCS FLOSS - 8.8.15 Multi servers

Re: ZCS 8.8.10 scanned by Nexpose

Post by DualBoot »

Hello,

For DH you need to use the Zimbra internal command:
zmdhparam

For the cipher suite to disable, you should read the Zimbra wiki.

Regards,
andrey.ivanov
Advanced member
Posts: 50
Joined: Wed Aug 08, 2018 8:44 am

Re: ZCS 8.8.10 scanned by Nexpose

Post by andrey.ivanov »

You can start by checking https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test and https://wiki.zimbra.com/wiki/Cipher_suites
Nik
Posts: 20
Joined: Fri Apr 21, 2017 7:14 am

Re: ZCS 8.8.10 scanned by Nexpose

Post by Nik »

DualBoot wrote:
Hello,

For DH you need to use the Zimbra internal command:
zmdhparam

For the cipher suite to disable, you should read the Zimbra wiki.

Regards,

Hello,
thanks for the zmdhparam command

Nik
Nik
Posts: 20
Joined: Fri Apr 21, 2017 7:14 am

Re: ZCS 8.8.10 scanned by Nexpose

Post by Nik »

andrey.ivanov wrote:
You can start by checking https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test and https://wiki.zimbra.com/wiki/Cipher_suites

I have read this manual already before my post was written.
Unfortunately it does not say how:
- to list the cipher suites used by ZCS at the moment (I'm not sure it is the output of the following command: openssl ciphers -v 'ALL:eNULL')
- to disable TLSv1.0 and TLSv1.1

In any case, thanks for the reply.

Best regards,
nik