- Zimbra Collaboration 8.6 Patch 9 now available (includes fix for CVE-2017-8802). Read the announcement.
- Zimbra Collaboration 8.8.7 + Zimbra Connector for Outlook 8.8.7 are available.. Read the announcement.
- Are you a Zimbra Developer? You can find some interesting stuff in our Official GitHub: https://github.com/Zimbra and check the Community Projects too: https://github.com/Zimbra-Community/
We have a ton of work to improve, so I don't think we have a stable Beta to share with the public, but I'm trying to have a Beta like we had in the past.
Keep in touch.
Thanks for creating this article! I've ran into some problems with SSL test however, and I keep only receiving a C Grade.
My system: Zimbra 8.0.9 on CentOS 6.5, using Zimbra Proxy
I've gone through all of the steps in the wiki article, but it looks like the zmprov commands are not disabling all of the insecure ciphers.
Based on your other posts, I think I've managed to find the necessary commands to get an A+ on Zimbra 8.0.9:
openssl dhparam -out dhparams.pem 2048
chown zimbra:zimbra dhparams.pem
su - zimbra
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
Hope this helps!
I have redone the steps listed here:
But the SSL test still shows that SSLv3 is enabled.
I can confirm that the updated Nginx files are on the server:
$ /opt/zimbra/conf/nginx/includes$ cat * | grep ssl_prot
$ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Any ideas what may be causing this?
I can't get the A+ in 8.0.9, The proxy didn't take properly the dhparams file in 2048bits. Also to disable the Poodle, I've needed to follow the nginx, and the jetty steps, then I had Poodle completly disabled.
This is my results in 8.0.9, with all the steps of the SSL Labs Wiki that I've wrote for 8.0.9 using Proxy:
Let me know if you are able to obtain the A+, as per my previous comment, I'm not able to fix the TLS_FALLBACK_SCSV:
I have gone through these steps a couple of times with zimbra 8.6 P2 and still cannot get better than a B rating.
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B. MORE INFO »
Uses common DH prime Yes Replace with custom DH parameters if possible (more info)
Any suggestions as to what could be wrong?
Thought: zimbra is running on a VM - Does openssl look at hardware signatures when generating the 2048 key? Could the common signature of VM emulated hardware be causing an issue?
Are you running Proxy or not? I will test the steps using 8.5P2. What steps did you follow? I assume the steps for your environment with or without proxy.
Where does web.ssl.protocols get set?
This is a system that has been upgraded from 6.0.4 -> almost every version up to -> 7.2.6 -> 8.5 using AJCody notes -> 8.5.1 -> 8.6 -> 8.6 P1 -> 8.6 P2
Who is online
Users browsing this forum: MSN [Bot] and 6 guests