Cipher suite problem/advice

Martinwiertz
Advanced member
Posts: 85
Joined: Sat Sep 13, 2014 3:55 am
Location: The Netherlands
ZCS/ZD Version: V10 FOSS Intalio on Ubuntu20.04

Post by Martinwiertz »

Hi guys,

Tonight I installed the latest patches on my server, Zimbra FOSS v9.0 P13. Afterwards I received an error on the proxy service.

Starting proxy...nginx: [emerg] SSL_CTX_set_cipher_list("!AES256-SHA256:!ECDHE-ARIA256-GCM-SHA384:!CAMELLIA256-SHA256:!ARIA128-GCM-SHA256:!AES256-GCM-SHA384:!AES128-SHA:!AES128-SHA256:!CAMELLIA128-SHA256:!CAMELLIA256-SHA:!CAMELLIA128-SHA:!AES128-CCM:!AES256-CCM:!DHE-RSA-ARIA128-GCM-SHA256:!ARIA256-GCM-SHA384:!AES256-SHA:!DHE-RSA-ARIA256-GCM-SHA384:!AES128-GCM-SHA256:!ECDHE-ARIA128-GCM-SHA256") failed (SSL: error:1410D0B9:SSL routines:SSL_CTX_set_cipher_list:no cipher match) failed.

Last week I tried to disable weak/old cipher suites. After running the commands to disable them all was well. Access via HTTPS and IMAP was fine. I disabled the ciphers in the attached file.
After installing P13 and the other files presented on April 3rd the proxy service didn't work anymore.

Via the article below I got it working again.
https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test

I would like to tune some aspects of Zimbra:
- Based on a government security test site (like Qualys) I see 18 ciphers to be phased out and 4 ciphers that are rendered Inadequate. -- attachment
- Also, in setting up the connection between client and server the weak ciphers are presented first and the stronger ciphers later (cipher sequence). (Should be --> first negotiate with Good ciphers, then Adequate and if nothing works Inadequate.) Currently AES128-CCM8/CCM is first.
- Also advised to phase out: ffdhe2048 (RFC 7919)

Do you agree with this advice?
Does Zimbra provide this cipher optimisation in near future?
What are the steps to optimise the security of a Zimbra server? I am not an expert and the forum articles regarding cipher suites and optimisation are old.

https://en.internet.nl/
Attachment: screenprint.png
liverpoolfcfan
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

Re: Cipher suite problem/advice

Post by liverpoolfcfan »

I followed the old Qualys A+ wiki article you referenced a long time ago. More recently, to boost my score back up to A+, I did the following.

Have you followed the guidance to enable TLSv1.3?

I followed the guidance from the recent patch release notes to enable TLSv1.3, then removed the older SSL protocols so only 1.3 and 1.2 are enabled:

[zimbra@mail ~]$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1.1
[zimbra@mail ~]$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1
[zimbra@mail ~]$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1.3
zimbraReverseProxySSLProtocols: TLSv1.2

And then used the Mozilla "intermediate compatibility" list - https://wiki.mozilla.org/Security/Server_Side_TLS

I added !aNULL and !eNULL - not sure if they are still needed or not.

zmprov mcf zimbraReverseProxySSLCiphers 'TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL'

This gives Qualys A+ with scores 100,100,90,90 - while only dropping support for IE11/WinPhone 8.1 and Safari 6/7/8.
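The nginx error in the first post and the cipher list in this reply are both OpenSSL cipher strings, so they can be vetted before being applied with zmprov. The added example below is not from the thread or from Zimbra; it uses Python's standard ssl module, which hands the string to the same OpenSSL parser that nginx calls via SSL_CTX_set_cipher_list. An exclusion-only string such as the one in the error resolves to no ciphers at all, which is the "no cipher match" failure. The weak-name markers and the constructed CCM-first string are my own assumptions for illustration.

```python
import ssl

# Constructed, shortened version of the exclusion-only string from the nginx error.
EXCLUSION_ONLY = "!AES256-SHA256:!AES128-SHA:!AES128-CCM:!AES256-CCM:!AES256-SHA"
# The Mozilla intermediate list exactly as posted in the reply above.
MOZILLA_INTERMEDIATE = (
    "TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:!aNULL:!eNULL"
)
# Constructed string that puts the CCM suites first, as the original post complains about.
CCM_FIRST = "AES128-CCM8:AES128-CCM:ECDHE-RSA-AES128-GCM-SHA256"
# Assumed markers for suites a practitioner would not want offered first.
WEAK_MARKERS = ("-CCM8", "-CCM", "RC4", "DES", "NULL", "MD5")


def resolve_cipher_string(cipher_string):
    """Expand a cipher string the way SSL_CTX_set_cipher_list does.

    Returns (ok, tls12_cipher_dicts, error). TLS 1.3 suites are dropped from
    the result because OpenSSL adds them from a separate setting, not from
    the cipher list being checked here.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError as exc:  # raised when the string matches no cipher
        return False, [], str(exc)
    ciphers = [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]
    return True, ciphers, ""


def audit_cipher_string(cipher_string):
    """Return warnings about offer order and forward secrecy, in list order."""
    ok, ciphers, error = resolve_cipher_string(cipher_string)
    if not ok:
        return ["rejected by OpenSSL: " + error]
    warnings = []
    for position, c in enumerate(ciphers, start=1):
        if any(marker in c["name"] for marker in WEAK_MARKERS):
            warnings.append("%d: %s is a weak/legacy suite" % (position, c["name"]))
        if "Kx=RSA" in c["description"]:  # static RSA key exchange, no forward secrecy
            warnings.append("%d: %s lacks forward secrecy" % (position, c["name"]))
    return warnings


if __name__ == "__main__":
    for label, s in (("exclusion-only", EXCLUSION_ONLY), ("mozilla", MOZILLA_INTERMEDIATE),
                     ("ccm-first", CCM_FIRST)):
        print(label, audit_cipher_string(s) or "no warnings")
```

Run it before zmprov mcf zimbraReverseProxySSLCiphers: an empty expansion or a warning at position 1 is what would surface later as a proxy start failure or a poor cipher-order score.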
Martinwiertz
Advanced member
Posts: 85
Joined: Sat Sep 13, 2014 3:55 am
Location: The Netherlands
ZCS/ZD Version: V10 FOSS Intalio on Ubuntu20.04

Re: Cipher suite problem/advice

Post by Martinwiertz »

Thanks! I will check and try.