Problems with TLSv1 1.1 and Ciphers (Zimbra 8.8.15)

AndyWe
Posts: 6
Joined: Tue May 02, 2017 12:41 pm
Location: Germany
ZCS/ZD Version: Zimbra 8.8.15_GA_3980

Post by AndyWe »

Hello,

I tried to secure my server a bit more by removing older protocols and ciphers, and tested it with ssllabs.com.
Unfortunately, it only partly works.

My steps:

$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1
$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1.1
$ zmproxyctl restart
$ zmprov ms 'myhost' -zimbraMailboxdSSLProtocols TLSv1 
$ zmprov ms 'myhost' -zimbraMailboxdSSLProtocols TLSv1.1 
$ zmmailboxdctl restart

$ zmprov mcf zimbraMtaSmtpTlsProtocols '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1' //works
$ zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1' //works
$ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1'  //works
$ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1,!TLSv1.1' //works
$ zmmtactl restart

$ zmdhparam set -new 3072
$ zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

$ zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000" //works
$ zmcontrol restart
I ran the commands as the zimbra user (is this ok?). The commands ran without error messages.
The MTA protocols seem ok, but for https, TLSv1 and 1.1, the old DH 1024 and some other weak ciphers are still enabled.

Is there anything else to do?

(Zimbra 8.8.15_GA_3980 on CentOS 7)

Thanks!
liverpoolfcfan
Elite member
Posts: 1112
Joined: Sat Sep 13, 2014 12:47 am

Re: Problems with TLSv1 1.1 and Ciphers (Zimbra 8.8.15)

Post by liverpoolfcfan »

Can we assume you did click the "clear cache" link underneath your server name on ssllabs? Otherwise it will simply show you your previous results.

What exactly do you mean when you say "Partly it does not work"?

I just used the first three commands

$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1
$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1.1
$ zmproxyctl restart
and that jumped the result from being capped at B to being A+.

The results page now shows:
Protocols
TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 No
TLS 1.0 No
SSL 3 No
SSL 2 No
liverpoolfcfan
Elite member
Posts: 1112
Joined: Sat Sep 13, 2014 12:47 am

Re: Problems with TLSv1 1.1 and Ciphers (Zimbra 8.8.15)

Post by liverpoolfcfan »

Can you show the results of

zmprov gcf zimbraSSLExcludeCipherSuites
In our case we have

zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_RC4_128_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA
AndyWe
Posts: 6
Joined: Tue May 02, 2017 12:41 pm
Location: Germany
ZCS/ZD Version: Zimbra 8.8.15_GA_3980

Re: Problems with TLSv1 1.1 and Ciphers (Zimbra 8.8.15)

Post by AndyWe »

liverpoolfcfan wrote: Can we assume you did click the "clear cache" link underneath your server name on ssllabs? Otherwise it will simply show you your previous results.
Yes, of course :-)

liverpoolfcfan wrote: What exactly do you mean when you say "Partly it does not work"?
"Partly" means that the lines marked "// works" show an effect; the others do not.

I tried again with

$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1
$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1.1
$ zmproxyctl restart
but the result is B:

TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
AndyWe
Posts: 6
Joined: Tue May 02, 2017 12:41 pm
Location: Germany
ZCS/ZD Version: Zimbra 8.8.15_GA_3980

Re: Problems with TLSv1 1.1 and Ciphers (Zimbra 8.8.15)

Post by AndyWe »

liverpoolfcfan wrote:Can you show the results of ...

[zimbra@serverXY ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL3_RSA_RC4_128_MD5
zimbraSSLExcludeCipherSuites: SSL3_RSA_RC4_128_SHA
zimbraSSLExcludeCipherSuites: SSL3_ECDHE_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS1_RSA_RC4_128_MD5
zimbraSSLExcludeCipherSuites: TLS1_RSA_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_RC4_128_MD5
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_RC4_128_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
liverpoolfcfan
Elite member
Posts: 1112
Joined: Sat Sep 13, 2014 12:47 am

Re: Problems with TLSv1 1.1 and Ciphers (Zimbra 8.8.15)

Post by liverpoolfcfan »

AndyWe wrote:but result is B

TLS 1.3 No
TLS 1.2 Yes
TLS 1.1 Yes
TLS 1.0 Yes
SSL 3 No
SSL 2 No
If you did those steps and it still shows that 1.0 and 1.1 are available, it would suggest the connection is not hitting the proxy, or is hitting another proxy.

Can you verify that the Proxy is enabled, either (a) enabled in the Global settings and NOT overridden in the server settings, or (b) disabled in the global settings and IS overridden in the Server Settings?

If those check out OK, then is there a different zimbra box you could be connecting to that hasn't been updated, or some other proxy in front of zimbra's nginx?

The only other thing I can think of is if there were any spurious characters in your protocol names then the "-" might not work.
What do you get as the response to

 zmprov gacf | grep -i zimbraReverseProxySSLProtocol
zimbraReverseProxySSLProtocols: TLSv1.2

You should only get the single one listed.
AndyWe
Posts: 6
Joined: Tue May 02, 2017 12:41 pm
Location: Germany
ZCS/ZD Version: Zimbra 8.8.15_GA_3980

Re: Problems with TLSv1 1.1 and Ciphers (Zimbra 8.8.15)

Post by AndyWe »

liverpoolfcfan wrote:What do you get as the response to ..
zmprov gacf | grep -i zimbraReverseProxySSLProtocol
zimbraReverseProxySSLProtocols: TLSv1.2

I will check the other things ..
fiddletwix
Posts: 1
Joined: Sun Feb 14, 2021 9:15 am

Re: Problems with TLSv1 1.1 and Ciphers (Zimbra 8.8.15)

Post by fiddletwix »

Had a very similar issue.

I checked my current settings

$ zmprov gs `zmhostname` | grep zimbraMailboxdSSLProtocols
zimbraMailboxdSSLProtocols: TLSv1
zimbraMailboxdSSLProtocols: TLSv1.1
zimbraMailboxdSSLProtocols: TLSv1.2
So I tried removing TLSv1 and TLSv1.1

$ zmprov ms `zmhostname` -zimbraMailboxdSSLProtocols TLSv1
$ zmprov ms `zmhostname` -zimbraMailboxdSSLProtocols TLSv1.1
but no luck

$ zmprov gs `zmhostname` | grep zimbraMailboxdSSLProtocols
zimbraMailboxdSSLProtocols: TLSv1
zimbraMailboxdSSLProtocols: TLSv1.1
zimbraMailboxdSSLProtocols: TLSv1.2
Then I just set the value for zimbraMailboxdSSLProtocols

$ zmprov ms `zmhostname` zimbraMailboxdSSLProtocols TLSv1.2
and voila!

$ zmprov gs `zmhostname` | grep zimbraMailboxdSSLProtocols
zimbraMailboxdSSLProtocols: TLSv1.2
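Two checks recur in this thread: whether a `zmprov ... -attr` removal actually took (fiddletwix's output shows it can silently leave the old values), and whether the port being tested is served by the proxy or by mailboxd at all. The following Python helper is an added example, not code from the thread or from Zimbra: it parses the multi-valued attribute lines `zmprov gs` / `zmprov gacf` print and flags leftover legacy protocols, and it probes a host and port for each TLS version directly, so the outcome can be checked locally before re-running ssllabs. The sample zmprov output is constructed, and the suggestion to probe both 443 and 8443 assumes the default proxy and mailboxd ports.

```python
import socket
import ssl

# Versions to try one at a time, by pinning the client's minimum and maximum version.
VERSIONS = {
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def attr_values(zmprov_output, attr):
    """Collect every value of a multi-valued attribute from 'zmprov gs' / 'gacf' output."""
    values = []
    for line in zmprov_output.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip() == attr:
            values.append(value.strip())
    return values

def leftover_legacy(zmprov_output, attr):
    """Legacy protocols still configured; non-empty means a '-attr' removal did not take."""
    return sorted(LEGACY & set(attr_values(zmprov_output, attr)))

def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake at exactly this version, False if it
    refuses, None if this client refuses to be configured for that version at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol support is the question, not the chain
    try:
        ctx.minimum_version = ctx.maximum_version = version
    except ValueError:
        return None
    try:  # OpenSSL 3 refuses TLS 1.0/1.1 at its default security level; lower it
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except ssl.SSLError:
        pass  # builds without security levels (e.g. LibreSSL)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (ssl.SSLError, OSError):
        return False

# Constructed sample in the shape fiddletwix's output had after the failed removal.
SAMPLE = """zimbraMailboxdSSLProtocols: TLSv1
zimbraMailboxdSSLProtocols: TLSv1.1
zimbraMailboxdSSLProtocols: TLSv1.2"""
```

Run `probe_version(host, port, v)` for each entry of `VERSIONS` against both 443 and 8443: if 443 still accepts TLSv1 while the proxy setting lists only TLSv1.2, the connection is not reaching that proxy, which is the case liverpoolfcfan describes.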