[SOLVED] Fix Zimbra SSL weak cipher

[shan]

Our security scanner reported Zimbra severs support weak SSL cipher. I was trying to fix it by
adding additional cipher suites to zimbraSSLExcludeCipherSuites attribute.
It looks like this:

zmprov mcf zimbraSSLExcludeCipherSuites "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA S
SL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WI
TH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_DES_CBC_SHA DES-CBC3-MD5 RC2-CBC-MD5 RC4-MD5 DES-CBC-MD5 EXP-ADH-
DES-CBC-SHA EXP-ADH-RC4-MD5 EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP
-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5 EXP-RC2-CBC-MD5 EXP-RC4-MD5"

(all in one line).

I also tried use "SSLv2 LOW EXP" cipher names, but none of these seem taken effect, except the default ones that come with the Zimbra global configuration. I indeed flushed cache, and even restarted server.

What exactly the format I should use for the cipher names?

Xueshan

[mmorse]

Xueshan's issue with this became Bug 30691 - cipher suites configuration ignored fixed in 5.0.10
Workaround is to change zimbraSSLExcludeCipherSuites to zimbraSSLExcludeCipherSuitesXML in jetty.xml.in
Marking thread solved.

[GCamp]

I am having the same problem with a security scanner reporting that our Zimbra server supports a weak SSL cipher.

The "fix" for shan's problem does not seem to apply to v6.0.6.
I find the line:

zimbraSSLExcludeCipherSuites=SSL_DHE_DSS_EXPORT_WI TH_DES40_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

in the file jetty.properties.in not in jetty.xml.in.

Is the fix the same but only in a different file?

[shan]

Setting zimbraSSLExcludeCipherSuite global configuration should work now, not need for the workaround. jetty.xml.in just uses the variable value to generate run time configurations.

Here is my global configuration:
zmprov gacf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

It seems you missed these two:

SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_DES_CBC_SHA

If these are the reported in scanner, you should add these in zimbraSSLExcludeCipherSuites (zmprov mcf command in oneline):

zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA

zmprov mcf +zimbraSSLExcludeCipherSuitesSSL_RSA_EXPORT_WITH_R C4_40_MD

Then do 'zmmailboxd restart'

Xueshan

[GCamp]

Setting zimbraSSLExcludeCipherSuite global configuration should work now, not need for the workaround. jetty.xml.in just uses the variable value to generate run time configurations.

Here is my global configuration:
zmprov gacf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

It seems you missed these two:

SSL_RSA_EXPORT_WITH_RC4_40_MD5
SSL_RSA_WITH_DES_CBC_SHA

If these are the reported in scanner, you should add these in zimbraSSLExcludeCipherSuites (zmprov mcf command in oneline):

zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA

zmprov mcf +zimbraSSLExcludeCipherSuitesSSL_RSA_EXPORT_WITH_R C4_40_MD

Then do 'zmmailboxd restart'

Xueshan

Xueshan,

Thanks for the quick reply.

A clarification please. In your list zmprov commands you have:
zmprov mcf +zimbraSSLExcludeCipherSuitesSSL_RSA_EXPORT_WITH_R C4_40_MD

Shouldn't this be:
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5

I discovered the needed space between ...Suites and SSL; also I removed the extra space between the R and the C. I did not notice that the 5 was missing at the end of the line. The zmprov entered the line without the 5.

How do I use zmprov to remove the wrong entry?

Here is my current zimbraSSLExcludeCipherSuites listing:

zimbra@zimbra:/root$ zmprov gacf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_CK_DES_64_CBC_WITH_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_R_C4_40_MD

Is there any potential problems that could be caused by the 5 not being present?

Greg

[shan]

Xueshan,

Thanks for the quick reply.

A clarification please. In your list zmprov commands you have:
zmprov mcf +zimbraSSLExcludeCipherSuitesSSL_RSA_EXPORT_WITH_R C4_40_MD

Shouldn't this be:
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5

I discovered the needed space between ...Suites and SSL; also I removed the extra space between the R and the C. I did not notice that the 5 was missing at the end of the line. The zmprov entered the line without the 5.

How do I use zmprov to remove the wrong entry?

Here is my current zimbraSSLExcludeCipherSuites listing:

zimbra@zimbra:/root$ zmprov gacf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_CK_DES_64_CBC_WITH_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_R_C4_40_MD

Is there any potential problems that could be caused by the 5 not being present?

Greg

Greg,

Sorry about the mistake in my previous reply. I was fiddling with the formatting and cut-pasting in a very small window.

There there should be a space between key and value, as in all zmprov commands that deal with modification.

There is no problem with the wrong entry in this case - it's just a none existing SSL suite that you want to exclude, the net result is no harm, but you can remove it by adding minus sign '-' in the attribute that you want to remove:

zmprov mcf -zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_R_C4_40_MD