Thread: [SOLVED] Fix Zimbra SSL weak cipher

#1 shan

    Our security scanner reported that our Zimbra servers support weak SSL ciphers. I was trying to fix it by
    adding additional cipher suites to the zimbraSSLExcludeCipherSuites attribute.
    It looks like this:

    zmprov mcf zimbraSSLExcludeCipherSuites "SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_WITH_DES_CBC_SHA DES-CBC3-MD5 RC2-CBC-MD5 RC4-MD5 DES-CBC-MD5 EXP-ADH-DES-CBC-SHA EXP-ADH-RC4-MD5 EXP-EDH-RSA-DES-CBC-SHA EXP-EDH-DSS-DES-CBC-SHA EXP-DES-CBC-SHA EXP-RC2-CBC-MD5 EXP-RC4-MD5 EXP-RC2-CBC-MD5 EXP-RC4-MD5"

    (all in one line).

    I also tried using the "SSLv2 LOW EXP" cipher names, but none of these seem to have taken effect, except the default ones that come with the Zimbra global configuration. I did flush the cache, and even restarted the server.

    What exactly is the format I should use for the cipher names?

    Xueshan

#2 mmorse (Moderator)

    Xueshan's issue with this became Bug 30691 - cipher suites configuration ignored, fixed in 5.0.10.
    The workaround is to change zimbraSSLExcludeCipherSuites to zimbraSSLExcludeCipherSuitesXML in jetty.xml.in.
    Marking thread solved.

#3 GCamp: Same problem but with v6.0.6

    I am having the same problem with a security scanner reporting that our Zimbra server supports a weak SSL cipher.

    The "fix" for shan's problem does not seem to apply to v6.0.6.
    I find the line:

    zimbraSSLExcludeCipherSuites=SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA

    in the file jetty.properties.in, not in jetty.xml.in.

    Is the fix the same but only in a different file?

#4 shan

    Setting the zimbraSSLExcludeCipherSuites global configuration should work now; there is no need for the workaround. jetty.xml.in just uses the variable's value to generate the run-time configuration.

    Here is my global configuration:
    zmprov gacf zimbraSSLExcludeCipherSuites
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

    It seems you missed these two:

    SSL_RSA_EXPORT_WITH_RC4_40_MD5
    SSL_RSA_WITH_DES_CBC_SHA

    If these are the ones reported by the scanner, you should add them to zimbraSSLExcludeCipherSuites (each zmprov mcf command on one line):

    zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA

    zmprov mcf +zimbraSSLExcludeCipherSuitesSSL_RSA_EXPORT_WITH_R C4_40_MD

    Then do 'zmmailboxd restart'

    Xueshan

#5 GCamp

    Quote Originally Posted by shan View Post (post #4 above, quoted in full)
    Xueshan,

    Thanks for the quick reply.

    A clarification please. In your list zmprov commands you have:
    zmprov mcf +zimbraSSLExcludeCipherSuitesSSL_RSA_EXPORT_WITH_R C4_40_MD

    Shouldn't this be:
    zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5

    I discovered the needed space between ...Suites and SSL; also I removed the extra space between the R and the C. I did not notice that the 5 was missing at the end of the line. The zmprov entered the line without the 5.

    How do I use zmprov to remove the wrong entry?

    Here is my current zimbraSSLExcludeCipherSuites listing:

    zimbra@zimbra:/root$ zmprov gacf zimbraSSLExcludeCipherSuites
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
    zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_3DES_EDE_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
    zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_DES_CBC_SHA
    zimbraSSLExcludeCipherSuites: SSL_CK_DES_64_CBC_WITH_MD5
    zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_R_C4_40_MD

    Are there any potential problems that could be caused by the 5 not being present?

    Greg

#6 shan

    Quote Originally Posted by GCamp View Post (post #5 above, quoted in full)

    Greg,

    Sorry about the mistake in my previous reply. I was fiddling with the formatting and cut-pasting in a very small window.

    There should be a space between the key and the value, as in all zmprov commands that deal with modification.

    There is no problem with the wrong entry in this case - it's just a non-existent SSL suite that you want to exclude, so the net result is no harm. But you can remove it by adding a minus sign '-' in front of the attribute you want to remove the value from:

    zmprov mcf -zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_R_C4_40_MD
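
The two practical points in posts #4 and #6 are that Zimbra only honours JSSE-style suite names (SSL_*/TLS_*_WITH_*, not the OpenSSL names or keywords like LOW that a scanner prints and that post #1 tried), and that zimbraSSLExcludeCipherSuites is multi-valued, so each name is added with +attr and removed with -attr. The script below is an added example written for this thread; it is not code from the thread or from Zimbra. It maps the OpenSSL names for the suites discussed here to their JSSE names, rejects anything that is not a JSSE identifier, emits the corresponding zmprov commands, and can probe the server afterwards with openssl s_client. The name mapping, the format check and the "probe" subcommand are this example's own conventions; they assume openssl(1) is on PATH and that mailboxd has been restarted after the change, as post #4 says.

```shell
#!/bin/sh
# Added example (not from the thread or from Zimbra): turn scanner-reported cipher
# names into zmprov commands for the multi-valued zimbraSSLExcludeCipherSuites
# attribute, and optionally probe the server with openssl s_client afterwards.
# Assumptions: Zimbra wants JSSE names (SSL_*/TLS_*_WITH_*), one attribute value
# per name, "+attr" to add and "-attr" to remove; openssl(1) is available.

ATTR=zimbraSSLExcludeCipherSuites

# Map an OpenSSL cipher name (what most scanners print) to the JSSE name Zimbra
# expects. Only the suites discussed in this thread are covered; anything else
# prints nothing and returns 1 so the caller can fall back to the name as given.
to_jsse_name() {
    case "$1" in
        DES-CBC-SHA)              echo SSL_RSA_WITH_DES_CBC_SHA ;;
        DES-CBC3-SHA)             echo SSL_RSA_WITH_3DES_EDE_CBC_SHA ;;
        EXP-DES-CBC-SHA)          echo SSL_RSA_EXPORT_WITH_DES40_CBC_SHA ;;
        EXP-RC4-MD5)              echo SSL_RSA_EXPORT_WITH_RC4_40_MD5 ;;
        EDH-RSA-DES-CBC-SHA)      echo SSL_DHE_RSA_WITH_DES_CBC_SHA ;;
        EDH-DSS-DES-CBC-SHA)      echo SSL_DHE_DSS_WITH_DES_CBC_SHA ;;
        EXP-EDH-RSA-DES-CBC-SHA)  echo SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA ;;
        EXP-EDH-DSS-DES-CBC-SHA)  echo SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA ;;
        *) return 1 ;;
    esac
}

# Format check for a name about to be stored: JSSE identifiers only, no spaces.
# OpenSSL names and keywords such as LOW/EXP are rejected here instead of being
# stored and silently ignored, which is what post #1 ran into. (A well-formed but
# non-existent name, like the one in post #5, still passes: this checks syntax only.)
is_jsse_suite() {
    case "$1" in
        *[!A-Z0-9_]*)              return 1 ;;
        SSL_*_WITH_*|TLS_*_WITH_*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# Print one "zmprov mcf +ATTR NAME" line per accepted name; pass "-" as the first
# argument to generate removals instead. Returns 1 if any name was rejected.
gen_zmprov() {
    op=+
    if [ "$1" = "+" ] || [ "$1" = "-" ]; then op=$1; shift; fi
    rc=0
    for name in "$@"; do
        jsse=$(to_jsse_name "$name") || jsse=$name
        if is_jsse_suite "$jsse"; then
            echo "zmprov mcf ${op}${ATTR} $jsse"
        else
            echo "rejected (not a JSSE suite name): $name" >&2
            rc=1
        fi
    done
    return $rc
}

# Live check from the outside: returns 0 if HOST:PORT still completes a handshake
# with the given OpenSSL cipher name, 1 if the server refuses it. s_client prints
# "Cipher is (NONE)" on failure and "Cipher is <name>" on success.
probe_cipher() {
    host=$1; port=$2; cipher=$3
    if openssl s_client -connect "$host:$port" -cipher "$cipher" </dev/null 2>/dev/null |
        grep -q 'Cipher is [^(]'; then
        echo "STILL ACCEPTED: $cipher"; return 0
    fi
    echo "refused: $cipher"; return 1
}

# Usage:  sh fixciphers.sh EXP-RC4-MD5 DES-CBC-SHA        -> zmprov add commands
#         sh fixciphers.sh - SSL_RSA_EXPORT_WITH_R_C4_40_MD -> zmprov removal command
#         sh fixciphers.sh probe mail.example.com 443 EXP-RC4-MD5 DES-CBC-SHA
if [ "$#" -ge 3 ] && [ "$1" = probe ]; then
    shift; host=$1; port=$2; shift 2
    for c in "$@"; do probe_cipher "$host" "$port" "$c"; done
elif [ "$#" -ge 1 ]; then
    gen_zmprov "$@"
fi
```

Run the generated zmprov lines as the zimbra user, restart mailboxd, then probe port 443 (and 7071 for the admin console) with the same names the scanner reported. One caveat for the probe: current OpenSSL builds have dropped export-grade and single-DES suites, so `-cipher EXP-RC4-MD5` may fail on the client side regardless of the server and the probe would report "refused" for the wrong reason. Check `openssl ciphers -v 'ALL:COMPLEMENTOFALL'` first, or run the probe from the same box the scanner uses.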
