DH 1024 bits "Weak" on Qualys test.

Robstarusa
Posts: 14
Joined: Sat Sep 13, 2014 1:42 am

DH 1024 bits "Weak" on Qualys test.

Post by Robstarusa »

I just upgraded from Zimbra 8.6.0 to 8.7.9

I've tried this article:
https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test

and run (as user zimbra)

    zmdhparam set -new 2048

and then ran "zmproxyctl restart" and I still have the same issue of "weak DH keys" according to Qualys SSL test.

I've also edited "/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template" and "/opt/zimbra/conf/nginx/templates/nginx.conf.web.http.template" replacing:

    ${web.ssl.dhparam.enabled}ssl_dhparam             ${web.ssl.dhparam.file};

with

    ${web.ssl.dhparam.enabled}ssl_dhparam             /opt/zimbra/conf/dhparam.pem;

and ran zmproxyctl restart and I still have the same issue!

I can see /opt/zimbra/conf/dhparam.pem has the date/time modification stamp from when I ran the zmdhparam command from above, but it seems it is not being picked up.
I can also see that zmdhparam modifies zimbraSSLDHParam by running "zmprov gcf zimbraSSLDHParam"

Any idea why running the commands from the article above doesn't seem to work on my install?

Thank you,

Robert
liverpoolfcfan
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

Re: DH 1024 bits "Weak" on Qualys test.

Post by liverpoolfcfan »

Silly point perhaps, but easily overlooked... Did you select the "clear cache" link under your server name in order to do the retest? If you don't, the tester just returns the most recent results again.
Robstarusa
Posts: 14
Joined: Sat Sep 13, 2014 1:42 am

Re: DH 1024 bits "Weak" on Qualys test.

Post by Robstarusa »

Yep, I tried "clear cache" when I retested.

Anyone else have ideas? Someone MUST have run into this besides me. Are there any updates pending for the article I mentioned in my original post?
mmruzik
Posts: 3
Joined: Sat Sep 13, 2014 2:43 am

Re: DH 1024 bits "Weak" on Qualys test.

Post by mmruzik »

I'm seeing the same issues; even after clearing caches and using completely different SSL test sites, the DH being reported is STILL 1024 bits.

I have changed the DH to 2048 bits and restarted all services, but there are no changes.
mmruzik
Posts: 3
Joined: Sat Sep 13, 2014 2:43 am

Re: DH 1024 bits "Weak" on Qualys test.

Post by mmruzik »

Oh, also noticed that the dhparams.pem, dhparams.pem.zcs AND the output from "zmprov gcf zimbraSSLDHParam" are all different. Changing the two files around did not seem to alter the key; I might try setting a new parameter through zmprov. Since running the zmdhparam command, even after restarting the services, that parameter does not change in zmprov.
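The sources the post compares (the file on disk and the LDAP attribute printed by zmprov) can be checked directly for the group size they actually carry, rather than inferring it from a scanner. This is an added example, not code from the thread or from Zimbra's tooling; it assumes the /opt/zimbra/conf/dhparam.pem path and the "zmprov gcf zimbraSSLDHParam" output format quoted above, and parses the PEM block itself so it runs without openssl.

```python
import base64
import re
# Matches the PEM block in dhparam.pem or in "zmprov gcf zimbraSSLDHParam" output.
PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _der_len(n):
    # DER length: short form below 0x80, long form (0x8N + N length bytes) otherwise
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _der_int(v):
    body = v.to_bytes((v.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:  # leading zero keeps the INTEGER positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body

def encode_dh_pem(p, g=2):
    """Build a PEM 'DH PARAMETERS' block: SEQUENCE { INTEGER p, INTEGER g } (PKCS#3).
    Used here only to construct sample input; p need not be prime for a size check."""
    seq = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"

def _read_tlv(buf, off=0):
    # Returns (tag, value, next_offset); handles short and long DER lengths.
    tag, ln, off = buf[off], buf[off + 1], off + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + ln], off + ln

def dh_param_bits(text):
    """Bit length of the prime p in the first DH PARAMETERS block found in text."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    _, p_bytes, _ = _read_tlv(seq)  # first INTEGER is p
    return int.from_bytes(p_bytes, "big").bit_length()

def check_zimbra(disk_text, zmprov_text, want=2048):
    """Compare the file and the LDAP attribute; both must report the wanted size."""
    disk, ldap = dh_param_bits(disk_text), dh_param_bits(zmprov_text)
    return {"dhparam.pem": disk, "zimbraSSLDHParam": ldap, "ok": disk == ldap == want}
```

On a Zimbra host, pass check_zimbra the contents of /opt/zimbra/conf/dhparam.pem and the stdout of "zmprov gcf zimbraSSLDHParam" (run as the zimbra user); a result with ok False shows which of the two still holds the 1024-bit group the scanner is flagging.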