zmdhparam: ERROR: no zimbraSSLDHParam in openssl

davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

zmdhparam: ERROR: no zimbraSSLDHParam in openssl

Post by davidkillingsworth »

I am running an older server that has been upgraded a few times.

It is fully patched with the following:

Code:

Ubuntu 18.04.5 LTS
Release 8.8.15.GA.3829.UBUNTU14.64 UBUNTU18_64 FOSS edition, Patch 8.8.15_P21.
I run this command as seen in this link:
https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test

Code:

zmdhparam set -new 2048
It starts ok, but then errors out:

Code:

zimbra@zimbra:~$ zmdhparam set -new 2048
Generating DH parameters, 2048 bit long safe prime, generator 2
This is going to take a long time
.............................................................................+............................................................+......................................................................................................................................................................................................................................................................+.................................................................................................................................................+................................+...................................................................................................................................................................................................+.............................................+.....................................................+................................................+.....................................................................................................................................................................................................................+.............................................+.................................+........+.........................................+...............................................+..................+...................................................................+...................................................................................+........................................................................................................................................................+......................................................................................................+..........................................+.............+....................+...............................................................+................................................................................................................
............................+.........................+......................................................................................................................................................+...............................................................................................................+.........................................................................................................+.......................................................+.......................................+......................................................................+...................+..........................................................................+.....................+......................................................+........................................................................................................................+..................................................................................+..................................................................................................+.............+...+...................................................................................................+..............+............................+.............................................................................................................................................................................................................................+.+.......................................................................................+..............................................................+......+...........................................+.................................................................................................+...............................+...........+...............................................................+...................+........................................................................................................................
.......................................................+..........................................................................................................................................................+........................+.............................................................................................................................................+......................................................................................+.....................................................+...............................................................................................................................................................+..........................................................................................................................................................................+......................................................+.......................................+..............+.......................................................................................................................................................................................................................................................................................................................................................................++*++*++*++*
zmdhparam: ERROR: no zimbraSSLDHParam in openssl

I am trying to run this because the Qualys SSL Labs security test says that my server supports weak Diffie-Hellman (DH) key exchange parameters.

Code:

Uses common DH primes    Yes    Replace with custom DH parameters if possible

Google doesn't say much about the error:

Code:

zmdhparam: ERROR: no zimbraSSLDHParam in openssl

Anyone here have any ideas?
JDunphy
Outstanding Member
Posts: 897
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: zmdhparam: ERROR: no zimbraSSLDHParam in openssl

Post by JDunphy »

Looks like a bug to me. It appears it is failing to update ldap for the purpose of notifying zmconfigd???

Code:

% zmdhparam -help

You can also add debug mode and run it:

Code:

% zmdhparam set -new 2048 -debug 10
I tried to force the entry with zmprov and got some message that ZimbraSSLDHParam modification not allowed.
zmdhparam -help wrote: Once zimbraSSLDHParam is updated, zmconfigd is responsible for watching
for the changed value and then subsequently writing out the new value to
*/opt/zimbra/conf/dhparam.pem*.
Testing this on a RHEL8 8.8.15P21 so it is present everywhere I think.

The only workaround I can think of is to generate the file directly as nginx is loading /opt/zimbra/conf/dhparam.pem and that error results because they want zmconfigd to write /opt/zimbra/conf/dhparam.pem.zcs to /opt/zimbra/conf/dhparam.pem if I understand what they are trying to do.

Code:

grep -R dhparam.pem *
nginx/includes/nginx.conf.web.admin:    ssl_dhparam             /opt/zimbra/conf/dhparam.pem;
nginx/includes/nginx.conf.web.sso.default:    ssl_dhparam             /opt/zimbra/conf/dhparam.pem;
nginx/includes/nginx.conf.mail.imaps.default:    ssl_dhparam         /opt/zimbra/conf/dhparam.pem;
nginx/includes/nginx.conf.mail.pop3.default:    ssl_dhparam         /opt/zimbra/conf/dhparam.pem;
nginx/includes/nginx.conf.web.https.default:#    ssl_dhparam             /opt/zimbra/conf/dhparam.pem;
nginx/includes/nginx.conf.web.https.default:    ssl_dhparam             /opt/zimbra/conf/dhparam.pem;
nginx/includes/nginx.conf.web.admin.default:    ssl_dhparam             /opt/zimbra/conf/dhparam.pem;
nginx/includes/nginx.conf.web.https:    ssl_dhparam             /opt/zimbra/conf/dhparam.pem;
nginx/includes/nginx.conf.mail.imap.default:    ssl_dhparam         /opt/zimbra/conf/dhparam.pem;
nginx/includes/nginx.conf.mail.pop3s.default:    ssl_dhparam     /opt/zimbra/conf/dhparam.pem;
Here is the old way of doing it:

Code:

# su - zimbra
% cd /opt/zimbra/conf
% openssl dhparam -out dhparam.pem 2048
% chown zimbra:zimbra dhparam.pem
All guesses by me so maybe someone else has a solution to why this is happening.

Jim
Last edited by JDunphy on Fri Apr 30, 2021 1:29 pm, edited 1 time in total.
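As an added example (my own script, not code from this thread or from Zimbra), the direct-generation workaround above wrapped as two shell functions with a validity check, using the singular /opt/zimbra/conf/dhparam.pem path that nginx references. It assumes openssl is on PATH, and it does not touch LDAP or zimbraSSLDHParam, so zmconfigd is bypassed exactly as in the manual method.

```shell
#!/bin/sh
# Added example (not Zimbra's zmdhparam): generate a custom DH parameter file
# directly and verify it before nginx loads it. Assumes openssl on PATH.
# DH_FILE defaults to the singular path that nginx references in the thread.
DH_FILE="${DH_FILE:-/opt/zimbra/conf/dhparam.pem}"

# gen_dhparam OUT [BITS] [OWNER]
# Generates a safe-prime DH group of BITS bits (default 2048) into a temp file
# and renames it into place, so a reader never sees a half-written file.
# OWNER (e.g. zimbra:zimbra) is applied only when given; chown needs root.
gen_dhparam() {
    out="$1"; bits="${2:-2048}"; owner="$3"
    tmp="$out.tmp.$$"
    if ! openssl dhparam -out "$tmp" "$bits" 2>/dev/null; then
        rm -f "$tmp"; return 1
    fi
    chmod 640 "$tmp" || { rm -f "$tmp"; return 1; }
    if [ -n "$owner" ]; then
        chown "$owner" "$tmp" || { rm -f "$tmp"; return 1; }
    fi
    mv "$tmp" "$out"
}

# check_dhparam FILE [MINBITS]
# Returns 0 only if FILE parses as DH parameters, passes openssl's group checks
# (p prime, p a safe prime, usable generator) and has a modulus of at least
# MINBITS bits. openssl 1.1 exits 0 even when the checks only warn, so the
# "appear to be ok" line is matched instead of trusting the exit status.
check_dhparam() {
    file="$1"; minbits="${2:-2048}"
    [ -r "$file" ] || return 1
    openssl dhparam -in "$file" -check -noout 2>&1 \
        | grep -q 'appear to be ok' || return 1
    bits=$(openssl dhparam -in "$file" -text -noout 2>/dev/null \
           | sed -n 's/.*(\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    [ -n "$bits" ] && [ "$bits" -ge "$minbits" ]
}

# Example run: regenerate 2048-bit parameters in place and verify them.
# Run as the zimbra user (or pass zimbra:zimbra as OWNER when run as root).
if [ "${1:-}" = "run" ]; then
    gen_dhparam "$DH_FILE" 2048 && check_dhparam "$DH_FILE" 2048 \
        && echo "OK: $DH_FILE holds custom DH parameters of >= 2048 bits"
fi
```

After replacing the file, restart the proxy so nginx picks up the new group, then re-run the SSL Labs test to confirm the "common DH primes" finding is gone.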
L. Mark Stone
Ambassador
Posts: 2799
Joined: Wed Oct 09, 2013 11:35 am
Location: Portland, Maine, US
ZCS/ZD Version: 10.0.7 Network Edition

Re: zmdhparam: ERROR: no zimbraSSLDHParam in openssl

Post by L. Mark Stone »

I've seen this also and believe it's a bug too.

Jim, please note if you do the workaround, that it's singular /opt/zimbra/conf/dhparam.pem, not plural dhparams.pem (at least on the 8.8.15 systems I've checked). The plural I think came from here: https://wiki.zimbra.com/wiki/Security/Collab/logjam, but that's way old.

To the OP, David, I would suggest opening a Support Case with Zimbra to report this as a bug. The wiki article you quote is Certified, so Zimbra should be able to do what's suggested in the article.

Hope that helps,
Mark
___________________________________
L. Mark Stone
Mission Critical Email - Zimbra VAR/BSP/Training Partner https://www.missioncriticalemail.com/
AWS Certified Solutions Architect-Associate
JDunphy
Outstanding Member
Posts: 897
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: zmdhparam: ERROR: no zimbraSSLDHParam in openssl

Post by JDunphy »

Thanks Mark,

Corrected. Yes, it was a cut/paste from that wiki.

Jim