Hello Community,
Our Zimbra ZCS (Release 8.8.10 GA_3039.RHEL7_64 with Patch 8.8.10_P1) has been scanned and several security issues have been detected.
Investigating wiki resources and forums on the Internet didn't help to find answers.
Can anyone share their ways of solving the below mentioned problems?
These are the issues:
1. Successfully connected over TLSv1.0 and TLSv1.1 (on ports 25,443,587,993). Recommended TLSv1.2.
2. The server is configured to support ciphers known as static key ciphers. These ciphers don't support "Forward Secrecy".
Negotiated with the following insecure cipher suites:
TLS 1.0 and TLS 1.1 ciphers on ports 443,993:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS 1.1 ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
TLS 1.2 ciphers:
TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA256
TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_RSA_WITH_CAMELLIA_128_CBC_SHA
TLS_RSA_WITH_CAMELLIA_256_CBC_SHA
The recommended cipher configuration:
ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:
ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:
ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:
ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:
DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:
DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
3. The server on ports 443 and 993 is using a common or default prime number as a parameter during the Diffie-Hellman key exchange.
To use a randomly generated Diffie-Hellman group it's recommended to generate a 2048-bit group.
The simplest way of generating a new group is to use OpenSSL:
openssl dhparam -out dhparam.pem 2048
Changing /opt/zimbra/conf/dhparam.pem has no effect, because this file is replaced by Zimbra after a reboot.
I will appreciate any help.
PS: Rapid7 Nexpose was used as the scanner.
Best regards,
Nik
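An added example (editor's code, not part of Nik's post and not Zimbra code) that checks findings 1 and 2 against the recommended cipher string offline, using Python's ssl module to expand cipher strings exactly as the local OpenSSL does. Nexpose reports IANA suite names (TLS_RSA_WITH_...), while the recommended string uses OpenSSL names, so the script converts between the two, lists which suites in a string use static RSA key exchange, and tells you which of the reported suites a server running the new string would still offer. The suite list and the cipher string are copied from the post above; the function names and the conversion rules are my own, and the converter only covers the AES and Camellia families that appear in the report.

```python
import ssl

# Static-key suites reported by the scanner (copied from the post above).
SCANNER_SUITES = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_CAMELLIA_128_CBC_SHA",
    "TLS_RSA_WITH_CAMELLIA_256_CBC_SHA",
]

# The cipher string the scanner recommended, joined into one line.
RECOMMENDED = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:"
    "DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK"
)


def iana_to_openssl(iana):
    """Map an IANA suite name (what Nexpose and Java print) to the OpenSSL name
    (what nginx/Postfix cipher strings use).

    TLS_RSA_WITH_AES_128_CBC_SHA          -> AES128-SHA
    TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 -> ECDHE-RSA-AES256-GCM-SHA384

    Handles the AES and Camellia families only (assumption of this example);
    3DES, RC4 and ChaCha20 have irregular OpenSSL names.
    """
    kx, _, suite = iana.removeprefix("TLS_").partition("_WITH_")
    prefix = "" if kx == "RSA" else kx.replace("_", "-") + "-"  # static RSA has no prefix
    parts = [p for p in suite.split("_") if p != "CBC"]           # OpenSSL omits "CBC"
    if len(parts) > 1 and parts[1].isdigit():                     # AES, 128 -> AES128
        parts[0:2] = [parts[0] + parts[1]]
    return prefix + "-".join(parts)


def expand(cipher_string):
    """Expand a cipher string the way the local OpenSSL will (one dict per suite)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return ctx.get_ciphers()


def static_key_suites(cipher_string):
    """Suites whose key exchange is plain RSA: the server's long-term key decrypts the
    premaster secret, so a leaked key exposes recorded sessions (no forward secrecy)."""
    return [c["name"] for c in expand(cipher_string) if "Kx=RSA" in c["description"]]


def still_enabled(iana_names, cipher_string):
    """Which of the scanner's reported suites would a server on cipher_string still offer?"""
    enabled = {c["name"] for c in expand(cipher_string)}
    return [n for n in iana_names if iana_to_openssl(n) in enabled]


if __name__ == "__main__":
    print("static-key suites in ALL:", static_key_suites("ALL"))
    print("static-key suites in the recommended string:", static_key_suites(RECOMMENDED))
    print("findings left with the recommended string:", still_enabled(SCANNER_SUITES, RECOMMENDED))
```

Run it on the machine whose OpenSSL the proxy and MTA actually link against: the expansion depends on the library version, so a string that looks clean on a workstation can still include a suite the server's older OpenSSL knows.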
ZCS 8.8.10 scanned by Nexpose
- DualBoot
Re: ZCS 8.8.10 scanned by Nexpose
Hello,
for DH you need to use Zimbra internal command :
zmdhparam
For the cipher suite to disable, you should read the Zimbra wiki.
Regards,
Re: ZCS 8.8.10 scanned by Nexpose
Hello,
thanks for the zmdhparam command
Nik
Re: ZCS 8.8.10 scanned by Nexpose
[quote]You can start by checking https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test and https://wiki.zimbra.com/wiki/Cipher_suites[/quote]
I have read this manual already, before my post was written.
Unfortunately it does not explain how:
- to list the cipher suites used by ZCS at this moment (I'm not sure it is the output of the following command: openssl ciphers -v 'ALL:eNULL')
- to disable TLSv1.0 and TLSv1.1
In any case, thanks for the reply.
Best regards,
nik
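On the first point: openssl ciphers -v 'ALL:eNULL' only lists the suites the local OpenSSL library is able to offer; it says nothing about what the server on the other end accepts. What Nexpose reports comes from real handshakes, one protocol version and one cipher suite at a time, against each port. The script below is an added example (editor's code, not from the thread and not a Zimbra tool) that does the same from Python's ssl and smtplib against the four ports in the report, with STARTTLS on 25 and 587 and TLS from the first byte on 443 and 993, and then reduces the results to the two findings in the thread. The host name, function names and the five-second timeout are my assumptions; the forward-secrecy test is a name-prefix heuristic on OpenSSL suite names.

```python
import smtplib
import socket
import ssl

# Ports from the scanner report. 25 and 587 are SMTP and upgrade with STARTTLS;
# 443 and 993 are TLS from the first byte.
STARTTLS_PORTS = {25, 587}
ALL_PORTS = (25, 587, 443, 993)
V = ssl.TLSVersion
VERSIONS = (V.TLSv1, V.TLSv1_1, V.TLSv1_2, V.TLSv1_3)

# Protocol labels as OpenSSL tags suites in get_ciphers(): a suite tagged "TLSv1.2"
# needs TLS 1.2 or newer, so it cannot be offered in a TLS 1.0/1.1 ClientHello.
TOO_NEW_FOR = {V.TLSv1: ("TLSv1.2", "TLSv1.3"),
               V.TLSv1_1: ("TLSv1.2", "TLSv1.3"),
               V.TLSv1_2: ("TLSv1.3",)}


def client_context(version, cipher="ALL:@SECLEVEL=0"):
    """Client pinned to exactly one protocol version and one cipher string.

    Verification is off because we audit the handshake, not the certificate chain.
    @SECLEVEL=0 lets a modern OpenSSL still offer TLS 1.0/1.1 and static-RSA suites,
    which is exactly what a scanner has to do to find them."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.set_ciphers(cipher)          # steers TLS <= 1.2 only; TLS 1.3 suites are fixed
    ctx.minimum_version = version
    ctx.maximum_version = version
    return ctx


def handshake(host, port, version, cipher="ALL:@SECLEVEL=0", timeout=5.0):
    """One real handshake. Returns (protocol, cipher_name), or None if it was refused."""
    try:
        ctx = client_context(version, cipher)
        if port in STARTTLS_PORTS:
            with smtplib.SMTP(host, port, timeout=timeout) as smtp:
                smtp.starttls(context=ctx)
                return smtp.sock.version(), smtp.sock.cipher()[0]
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version(), tls.cipher()[0]
    except (OSError, ValueError, smtplib.SMTPException):   # ssl.SSLError is an OSError
        return None


def candidate_ciphers(version):
    """What the local library could offer at this version: the `openssl ciphers -v` view."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:@SECLEVEL=0")
    too_new = TOO_NEW_FOR.get(version, ())
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] not in too_new]


def accepted_ciphers(host, port, version, handshake=handshake):
    """Scanner-style enumeration: offer one suite per handshake, keep those the server picks."""
    if version == V.TLSv1_3:            # fixed suite list; one handshake tells us all we need
        r = handshake(host, port, version)
        return [r[1]] if r else []
    accepted = []
    for name in candidate_ciphers(version):
        r = handshake(host, port, version, cipher=name + ":@SECLEVEL=0")
        if r:
            accepted.append(r[1])
    return accepted


def forward_secret(openssl_name):
    """ECDHE-/DHE- suites and every TLS 1.3 suite use an ephemeral key exchange. A bare
    'AES128-SHA'-style name is static RSA key exchange: the scanner's "no Forward Secrecy"."""
    return openssl_name.startswith(("ECDHE-", "DHE-", "EDH-", "TLS_"))


def survey(host, ports=ALL_PORTS, versions=VERSIONS, handshake=handshake):
    """{port: {"TLSv1": [...], "TLSv1_1": [...], ...}}, the shape of the scanner's summary."""
    return {p: {v.name: accepted_ciphers(host, p, v, handshake) for v in versions} for p in ports}


def findings(report):
    """Reduce a survey to the thread's two findings: legacy versions accepted, and
    (port, version, suite) triples without forward secrecy."""
    legacy = [(p, v) for p, by_v in report.items() for v, suites in by_v.items()
              if suites and v in ("TLSv1", "TLSv1_1")]
    static = [(p, v, s) for p, by_v in report.items() for v, suites in by_v.items()
              for s in suites if not forward_secret(s)]
    return legacy, static


if __name__ == "__main__":
    import sys
    report = survey(sys.argv[1] if len(sys.argv) > 1 else "mail.example.com")  # assumed host
    legacy, static = findings(report)
    print("legacy protocol versions accepted:", legacy)
    print("suites without forward secrecy:", static)
```

Run it before and after changing the Zimbra settings and diff the two findings() outputs: an empty legacy list answers the TLSv1.0/1.1 item, an empty static list answers the forward-secrecy item, and the survey itself is the "cipher suites used by ZCS at this moment" list. Because the client is pinned to one version per attempt, a server that merely prefers TLS 1.2 but still accepts TLS 1.0 is caught, which a single default handshake would miss.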