DH 1024 bits "Weak" on Qualys test.

[Robstarusa]

Code: Select all

I just upgraded from Zimbra 8.6.0 to 8.7.9

I've tried this article:
https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test

and run (as user zimbra)

Code: Select all

zmdhparam set -new 2048

and then ran "zmproxyctl restart" and I still have the same issue of "weak DH keys" according to Qualys SSL test.

I've also edited "/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template" and "/opt/zimbra/conf/nginx/templates/nginx.conf.web.http.template" replacing:

Code: Select all

    ${web.ssl.dhparam.enabled}ssl_dhparam             ${web.ssl.dhparam.file};

with

Code: Select all

    ${web.ssl.dhparam.enabled}ssl_dhparam             /opt/zimbra/conf/dhparam.pem

and run zmproxyctl restart and I still have the same issue!

I can see /opt/zimbra/conf/dhparam.pem has the date/time modification stamp from when I ran the zmdhparam command from above, but it seems it is not being picked up.
I can also see that zmdhparam modifies zimbraSSLDHParam by running "zmprov gcf zimbraSSLDHParam"

Any idea why running the commands from the article above doesn't seem to work on my install?

Thank you,

Robert

[liverpoolfcfan]

Silly point perhaps but, easily overlooked.... Did you select the "clear cache" link under your server name in order to do the retest? If you don't the tester just returns the most recent results again.

[Robstarusa]

Yep I tried "clear cache" when i retested.

Anyone else have ideas? Someone MUST have run into this besides me. Are there any updates pending for the article I mentioned in my original post?

[mmruzik]

I'm seeing the same issues, even clearing caches, and using completely different SSL test sites, the DH being reported is STILL 1024 bits.

I have changed the Dh to 2048 bits, and restarted all services, but there are not changes.

[mmruzik]

Oh, Also noticed that

the dhparams.pem, dhparams.pem.zcs AND the output from: zmprov gcf zimbraSSLDHParam are all different. Changing the two files around did not seem to alter the key, I might try setting a new parameter through zmprov. Since running the zmdhparam command, even after restarting the services that parameter does not change in zmprov.