Ajcody-Ciphers-Outlook



zmcontrol -v ; zmprov gcf zimbraReverseProxySSLCiphers ; zmprov gcf zimbraReverseProxySSLProtocols ; zmprov gcf zimbraSSLExcludeCipherSuites


 NEW TEST - Clean Install

New 8.6.0 install [all packages, single install]

[-Ajc: The zimbraReverseProxySSLCiphers listing below is the Zimbra default value for 8.6. Further down we'll modify that so 3DES is included, which is necessary for MS Outlook 2011 configured for SSL with EWS, POP and IMAP to work. Note that dropping the !3DES exclusion re-enables the 3DES suites for every client that connects to the proxy, not only Outlook 2011, so treat it as a compatibility trade-off to revisit once the client no longer needs it.]

[-Ajc: cipherscan is available at https://github.com/jvehent/cipherscan ]

[zimbra@ldap1 ~]$ zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

[zimbra@ldap1 ~]$ zmprov gcf zimbraReverseProxySSLProtocols zimbraReverseProxySSLProtocols: TLSv1 zimbraReverseProxySSLProtocols: TLSv1.1 zimbraReverseProxySSLProtocols: TLSv1.2

[zimbra@ldap1 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5 zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com ......................... Target: ldap2.zimbra.homeunix.com:443

prio ciphersuite protocols pfs_keysize 1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits 2 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits 3 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits 4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,1024bits 5 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits 6 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits 7 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits 8 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits 9 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits 10 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 11 DHE-RSA-AES256-SHA256 TLSv1.2 DH,1024bits 12 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 13 AES128-GCM-SHA256 TLSv1.2 14 AES256-GCM-SHA384 TLSv1.2 15 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits 16 AES128-SHA256 TLSv1.2 17 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 18 AES256-SHA256 TLSv1.2 19 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 20 RC4-SHA TLSv1,TLSv1.1,TLSv1.2 21 DHE-RSA-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 22 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 23 DHE-RSA-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 24 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2


[-Ajc: Removing the !3DES item (the next cipherscan run shows the three 3DES suites this re-enables)]

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:\!aNULL:\!eNULL:\!EXPORT:\!DES:\!MD5:\!PSK

[-Ajc: Note, requiresRestart states nginxproxy. NOTE - cipherscan shows the 'changes' without a restart.]

[zimbra@ldap2 ~]$ zmprov desc -a zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers

   permitted ciphers for reverse proxy. Ciphers are in the formats
   supported by OpenSSL e.g.
   ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; if not set,
   default ciphers permitted by nginx will apply
              type : string
             value :
          callback :
         immutable : false
       cardinality : single
        requiredIn :
        optionalIn : globalConfig
             flags :
          defaults : ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
               min :
               max :
                id : 640
   requiresRestart : nginxproxy
             since : 5.0.5
   deprecatedSince :


[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com ............................ Target: ldap2.zimbra.homeunix.com:443

prio ciphersuite protocols pfs_keysize 1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits 2 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits 3 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits 4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,1024bits 5 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits 6 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits 7 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits 8 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits 9 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits 10 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 11 DHE-RSA-AES256-SHA256 TLSv1.2 DH,1024bits 12 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 13 AES128-GCM-SHA256 TLSv1.2 14 AES256-GCM-SHA384 TLSv1.2 15 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits 16 AES128-SHA256 TLSv1.2 17 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 18 AES256-SHA256 TLSv1.2 19 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 20 RC4-SHA TLSv1,TLSv1.1,TLSv1.2 21 DHE-RSA-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 22 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 23 DHE-RSA-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 24 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 25 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits 26 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 27 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature TLS ticket lifetime hint: 300 OCSP stapling: not supported Server side cipher ordering

[-Ajc: And we now have three additional lines, the 3DES suites:]

25 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits 26 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 27 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2


 NEW TEST - Clean Install

New 7.2.7 install [all packages, single install]  !!! Note that I also manually set zimbraReverseProxySSLCiphers in this test !!!!!

[zimbra@ldap2 ~]$ zmcontrol -v Release 7.2.7_GA_2942.RHEL6_64_20140314190059 CentOS6_64 NETWORK edition.

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5 zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:HIGH

!!! Again, note that I manually set this variable above to the default value !!!

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH

7.2.7 upgrade to 8.5.1

[zimbra@ldap2 ~]$ zmcontrol -v Release 8.5.1_GA_3056.RHEL6_64_20141103151728 RHEL6_64 NETWORK edition.

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH

!!! Again, note I set this variable manually when it was 7.2.7 !!!

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5 zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

8.5.1 upgrade to 8.6.0

[zimbra@ldap2 ~]$ zmcontrol -v Release 8.6.0_GA_1153.RHEL6_64_20141215151258 RHEL6_64 NETWORK edition.

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH

!!! Again, note I set this variable manually when it was 7.2.7 !!!

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols zimbraReverseProxySSLProtocols: TLSv1 zimbraReverseProxySSLProtocols: TLSv1.1 zimbraReverseProxySSLProtocols: TLSv1.2

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5 zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:HIGH:3DES

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH:3DES


/tmp/cipherscan/cipherscan-master


[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com ................ Target: ldap2.zimbra.homeunix.com:443

prio ciphersuite protocols pfs_keysize 1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,B-571,570bits 2 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,B-571,570bits 3 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits 4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits 5 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits 6 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 7 AES128-GCM-SHA256 TLSv1.2 8 AES128-SHA256 TLSv1.2 9 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 10 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits 11 RC4-SHA TLSv1,TLSv1.1,TLSv1.2 12 RC4-MD5 TLSv1,TLSv1.1,TLSv1.2 13 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits 14 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 15 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature TLS ticket lifetime hint: None OCSP stapling: not supported Client side cipher ordering

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:HIGH [zimbra@ldap2 ~]$ zmcontrol restart

[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com ................ Target: ldap2.zimbra.homeunix.com:443

prio ciphersuite protocols pfs_keysize 1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,B-571,570bits 2 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,B-571,570bits 3 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits 4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits 5 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits 6 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 7 AES128-GCM-SHA256 TLSv1.2 8 AES128-SHA256 TLSv1.2 9 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 10 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits 11 RC4-SHA TLSv1,TLSv1.1,TLSv1.2 12 RC4-MD5 TLSv1,TLSv1.1,TLSv1.2 13 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits 14 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 15 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature TLS ticket lifetime hint: None OCSP stapling: not supported Client side cipher ordering

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:\!aNULL:\!eNULL:\!EXPORT:\!DES:\!3DES:\!MD5:\!PSK [zimbra@ldap2 ~]$ zmcontrol restart


[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com ................ Target: ldap2.zimbra.homeunix.com:443

prio ciphersuite protocols pfs_keysize 1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,B-571,570bits 2 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,B-571,570bits 3 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits 4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits 5 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits 6 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 7 AES128-GCM-SHA256 TLSv1.2 8 AES128-SHA256 TLSv1.2 9 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 10 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits 11 RC4-SHA TLSv1,TLSv1.1,TLSv1.2 12 RC4-MD5 TLSv1,TLSv1.1,TLSv1.2 13 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits 14 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 15 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature TLS ticket lifetime hint: None OCSP stapling: not supported Client side cipher ordering

[root@ldap2 cipherscan-master]# host ldap2.zimbra.homeunix.com ldap2.zimbra.homeunix.com has address 192.168.1.172 ldap2.zimbra.homeunix.com mail is handled by 10 ldap2.zimbra.homeunix.com.

[root@ldap2 cipherscan-master]# hostname ldap2

[root@ldap2 cipherscan-master]# su - zimbra

z[zimbra@ldap2 ~]$ zmhostname ldap2.zimbra.homeunix.com

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers ALL

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: ALL

[zimbra@ldap2 ~]$ logout [root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com ................ Target: ldap2.zimbra.homeunix.com:443

prio ciphersuite protocols pfs_keysize 1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,B-571,570bits 2 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,B-571,570bits 3 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits 4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits 5 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits 6 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 7 AES128-GCM-SHA256 TLSv1.2 8 AES128-SHA256 TLSv1.2 9 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 10 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits 11 RC4-SHA TLSv1,TLSv1.1,TLSv1.2 12 RC4-MD5 TLSv1,TLSv1.1,TLSv1.2 13 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits 14 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits 15 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature TLS ticket lifetime hint: None OCSP stapling: not supported Client side cipher ordering

[zimbra@ldap2 ~]$ zmprov gs `zmhostname` | grep -i proxy | grep -i http zimbraReverseProxyHttpEnabled: FALSE zimbraReverseProxyMailMode: http [zimbra@ldap2 ~]$ /opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x both -H `zmhostname`

[zimbra@ldap2 ~]$ zmprov gs `zmhostname` | grep -i proxy | grep -i http zimbraReverseProxyHttpEnabled: TRUE [zimbra@ldap2 ~]$

[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com .................................................... Target: ldap2.zimbra.homeunix.com:443

prio ciphersuite protocols pubkey_size signature_algorithm trusted ticket_hint ocsp_staple pfs_keysize 1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits 2 ECDHE-RSA-AES256-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits 3 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits 4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits 5 DHE-RSA-AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits 6 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits 7 DHE-RSA-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits 8 AECDH-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits 9 ADH-AES256-GCM-SHA384 TLSv1.2 0 None True 300 False DH,1024bits 10 ADH-AES256-SHA256 TLSv1.2 0 None True 300 False DH,1024bits 11 ADH-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits 12 ADH-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits 13 AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False 14 AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False 15 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False 16 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False 17 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits 18 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits 19 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits 20 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits 21 DHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits 22 DHE-RSA-AES128-SHA 
TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits 23 DHE-RSA-SEED-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits 24 DHE-RSA-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits 25 AECDH-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits 26 ADH-AES128-GCM-SHA256 TLSv1.2 0 None True 300 False DH,1024bits 27 ADH-AES128-SHA256 TLSv1.2 0 None True 300 False DH,1024bits 28 ADH-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits 29 ADH-SEED-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits 30 ADH-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits 31 AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False 32 AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False 33 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False 34 SEED-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False 35 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False 36 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits 37 AECDH-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits 38 ADH-RC4-MD5 TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits 39 RC4-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False 40 RC4-MD5 TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False 41 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits 42 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits 43 AECDH-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits 44 ADH-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits 45 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False 46 
EDH-RSA-DES-CBC-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits 47 ADH-DES-CBC-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits 48 DES-CBC-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False 49 EXP-DES-CBC-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False None False RSA,512bits 50 EXP-RC2-CBC-MD5 TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False None False RSA,512bits 51 EXP-RC4-MD5 TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False None False RSA,512bits

OCSP stapling: not supported Server side cipher ordering


 NEW TEST - Clean Install


New CLEAN 8.0.4 install [all packages, single install]

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: RC4:HIGH:!aNULL:!MD5:!kEDH:!AD:!SSLv2

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols

* Is an empty value expected here, or is this because it's a single all-package install just using the defaults?

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5 zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

8.0.4 upgrade to 8.5.1

[zimbra@ldap2 ~]$ zmcontrol -v Release 8.5.1_GA_3056.RHEL6_64_20141103151728 RHEL6_64 NETWORK edition.

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5 zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA


8.5.1 upgrade to 8.6.0

[zimbra@ldap2 ~]$ zmcontrol -v zmcontrol -v ; Release 8.6.0_GA_1153.RHEL6_64_20141215151258 RHEL6_64 NETWORK edition.

zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

zmprov gcf zimbraReverseProxySSLProtocols zimbraReverseProxySSLProtocols: TLSv1 zimbraReverseProxySSLProtocols: TLSv1.1 zimbraReverseProxySSLProtocols: TLSv1.2

zmprov gcf zimbraSSLExcludeCipherSuites zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5 zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

 NEW TEST - Clean Install

New 7.2.7 install [all packages, single install]

[zimbra@ldap2 ~]$ zmcontrol -v Release 7.2.7_GA_2942.RHEL6_64_20140314190059 CentOS6_64 NETWORK edition.

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5 zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

 NEW TEST - Clean Install

New CLEAN 8.0.4 install [all packages, single install]

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: RC4:HIGH:!aNULL:!MD5:!kEDH:!AD:!SSLv2

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols

* Is an empty value expected here, or is this because it's a single all-package install just using the defaults?

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5 zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

 NEW TEST - Clean Install

New 8.5.1 install [all packages, single install]

[zimbra@ldap2 ~]$ zmcontrol -v Release 8.5.1_GA_3056.RHEL6_64_20141103151728 RHEL6_64 NETWORK edition.

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols zmprov gcf zimbraReverseProxySSLProtocols

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5 zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
