[SOLVED] Fix Zimbra SSL weak cipher

Printable View

08-06-2008, 03:05 PM
shan

[SOLVED] Fix Zimbra SSL weak cipher

Our security scanner reported Zimbra severs support weak SSL cipher. I was trying to fix it by
adding additional cipher suites to zimbraSSLExcludeCipherSuites attribute.
It looks like this:

zmprov mcf zimbraSSLExcludeCipherSuites "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA S
SL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WI
TH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_DES_CBC_SHA DES-CBC3-MD5 RC2-CBC-MD5 RC4-MD5 DES-CBC-MD5 EXP-ADH-
DES-CBC-SHA EXP-ADH-RC4-MD5 EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP
-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5 EXP-RC2-CBC-MD5 EXP-RC4-MD5"

(all in one line).

I also tried use "SSLv2 LOW EXP" cipher names, but none of these seem taken effect, except the default ones that come with the Zimbra global configuration. I indeed flushed cache, and even restarted server.

What exactly the format I should use for the cipher names?

Xueshan
09-05-2008, 10:30 PM
mmorse

Xueshan's issue with this became Bug 30691 - cipher suites configuration ignored fixed in 5.0.10
Workaround is to change zimbraSSLExcludeCipherSuites to zimbraSSLExcludeCipherSuitesXML in jetty.xml.in
Marking thread solved.
06-11-2010, 09:09 AM
GCamp

Same problem but with v6.0.6

I am having the same problem with a security scanner reporting that our Zimbra server supports a weak SSL cipher.

The "fix" for shan's problem does not seem to apply to v6.0.6.
I find the line:

zimbraSSLExcludeCipherSuites=SSL_DHE_DSS_EXPORT_WI TH_DES40_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

in the file jetty.properties.in not in jetty.xml.in.

Is the fix the same but only in a different file?
06-11-2010, 12:30 PM
shan

Setting zimbraSSLExcludeCipherSuite global configuration should work now, not need for the workaround. jetty.xml.in just uses the variable value to generate run time configurations.

Here is my global configuration:
zmprov gacf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

It seems you missed these two:

SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_DES_CBC_SHA

If these are the reported in scanner, you should add these in zimbraSSLExcludeCipherSuites (zmprov mcf command in oneline):

zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA

zmprov mcf +zimbraSSLExcludeCipherSuitesSSL_RSA_EXPORT_WITH_R C4_40_MD

Then do 'zmmailboxd restart'

Xueshan
06-12-2010, 08:44 AM
GCamp

Quote:

Originally Posted by shan

Setting zimbraSSLExcludeCipherSuite global configuration should work now, not need for the workaround. jetty.xml.in just uses the variable value to generate run time configurations.

Here is my global configuration:
zmprov gacf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

It seems you missed these two:

SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_DES_CBC_SHA

If these are the reported in scanner, you should add these in zimbraSSLExcludeCipherSuites (zmprov mcf command in oneline):

zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA

zmprov mcf +zimbraSSLExcludeCipherSuitesSSL_RSA_EXPORT_WITH_R C4_40_MD

Then do 'zmmailboxd restart'

Xueshan

Xueshan,

Thanks for the quick reply.

A clarification please. In your list zmprov commands you have:
zmprov mcf +zimbraSSLExcludeCipherSuitesSSL_RSA_EXPORT_WITH_R C4_40_MD

Shouldn't this be:
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5

I discovered the needed space between ...Suites and SSL; also I removed the extra space between the R and the C. I did not notice that the 5 was missing at the end of the line. The zmprov entered the line without the 5.

How do I use zmprov to remove the wrong entry?

Here is my current zimbraSSLExcludeCipherSuites listing:

zimbra@zimbra:/root$ zmprov gacf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_CK_DES_64_CBC_WITH_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_R_C4_40_MD

Is there any potential problems that could be caused by the 5 not being present?

Greg
06-12-2010, 10:15 AM
shan

Quote:

Originally Posted by GCamp

Xueshan,

Thanks for the quick reply.

A clarification please. In your list zmprov commands you have:
zmprov mcf +zimbraSSLExcludeCipherSuitesSSL_RSA_EXPORT_WITH_R C4_40_MD

Shouldn't this be:
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5

I discovered the needed space between ...Suites and SSL; also I removed the extra space between the R and the C. I did not notice that the 5 was missing at the end of the line. The zmprov entered the line without the 5.

How do I use zmprov to remove the wrong entry?

Here is my current zimbraSSLExcludeCipherSuites listing:

zimbra@zimbra:/root$ zmprov gacf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_CK_DES_64_CBC_WITH_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_R_C4_40_MD

Is there any potential problems that could be caused by the 5 not being present?

Greg

Greg,

Sorry about the mistake in my previous reply. I was fiddling with the formatting and cut-pasting in a very small window.

There there should be a space between key and value, as in all zmprov commands that deal with modification.

There is no problem with the wrong entry in this case - it's just a none existing SSL suite that you want to exclude, the net result is no harm, but you can remove it by adding minus sign '-' in the attribute that you want to remove:

zmprov mcf -zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_R_C4_40_MD