We ran a standard Nessus scan on our Zimbra 5.0.9 NE installation, and it returned the following:

Here is the list of weak SSL ciphers supported by the remote server :

Low Strength Ciphers (< 56-bit key)
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export

Solution:

Reconfigure the affected application if possible to avoid use of weak
ciphers.


The issue still appears even when zimbraReverseProxySSLCiphers is set to HIGH:MEDIUM:!ADH:!SSLv2. Our hope was that 5.0.9 would resolve the issue.

Is zimbraSSLExcludeCipherSuites the proper zmprov attribute/key to modify, and if so, what is the proper value to set this to? Or is there a bug filed for this issue?

Thanks for your assistance.
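
Added example, not part of the original post and not Zimbra or Nessus code: a small parser for the finding text above that groups the reported suites by protocol, flags those under the scanner's 56-bit threshold, and prints their Java (JSSE) names. The function names are hypothetical, and it is an assumption (not confirmed on this page) that a Java-side exclusion setting such as zimbraSSLExcludeCipherSuites expects JSSE names rather than OpenSSL names.

```python
import re

# Finding text copied from the scan output quoted in the post above.
REPORT = """\
SSLv3
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
TLSv1
EXP-EDH-RSA-DES-CBC-SHA Kx=DH(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-DES-CBC-SHA Kx=RSA(512) Au=RSA Enc=DES(40) Mac=SHA1 export
EXP-RC4-MD5 Kx=RSA(512) Au=RSA Enc=RC4(40) Mac=MD5 export
"""

# OpenSSL suite name -> JSSE name, only for the three suites in the report.
JSSE_NAMES = {
    "EXP-EDH-RSA-DES-CBC-SHA": "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "EXP-DES-CBC-SHA": "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "EXP-RC4-MD5": "SSL_RSA_EXPORT_WITH_RC4_40_MD5",
}

PROTO = re.compile(r"^(SSLv[23]|TLSv1(\.\d)?)$")
SUITE = re.compile(
    r"^(?P<name>[A-Z0-9-]+)\s+Kx=\w+(?:\((?P<kx>\d+)\))?\s+Au=\w+\s+"
    r"Enc=\w+\((?P<enc>\d+)\)\s+Mac=\w+(?P<export>\s+export)?\s*$"
)

def parse_report(text):
    """Return one dict per suite line, tagged with the protocol header above it."""
    proto, rows = None, []
    for line in (raw.strip() for raw in text.splitlines()):
        if PROTO.match(line):
            proto = line
        elif (m := SUITE.match(line)):
            rows.append({"proto": proto, "name": m["name"],
                         "kx_bits": int(m["kx"] or 0),
                         "enc_bits": int(m["enc"]),
                         "export": bool(m["export"])})
    return rows

def weak_suites(rows, min_bits=56):
    """Map each export-grade or sub-threshold suite to the protocols offering it."""
    weak = {}
    for r in rows:
        if r["export"] or r["enc_bits"] < min_bits:
            weak.setdefault(r["name"], set()).add(r["proto"])
    return {name: sorted(protos) for name, protos in weak.items()}

def exclusion_list(rows):
    """JSSE names of the weak suites; unknown names are marked, never guessed."""
    return sorted(JSSE_NAMES.get(n, "UNMAPPED:" + n) for n in weak_suites(rows))

if __name__ == "__main__":
    print("\n".join(exclusion_list(parse_report(REPORT))))
```

Rerunning the scan after a configuration change and feeding the new finding text through `parse_report` shows which listener and protocol still offer the export suites.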