zmcontrol -v ; zmprov gcf zimbraReverseProxySSLCiphers ; zmprov gcf zimbraReverseProxySSLProtocols ; zmprov gcf zimbraSSLExcludeCipherSuites
##################################################################
NEW TEST - Clean Install
##################################################################
############################
New 8.6.0 install [all packages, single install]
############################
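[-Ajc: The zimbraReverseProxySSLCiphers listing below is the Zimbra default value for 8.6. Further down we'll modify it so that 3DES is included, which is necessary for MS Outlook 2011 to work when configured for SSL with EWS, POP, IMAP. Note that the default excludes 3DES (!3DES); it is a legacy 64-bit-block cipher, so re-enable it only where such clients must be supported.]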
[-Ajc: cipherscan is available at https://github.com/jvehent/cipherscan ]
[zimbra@ldap1 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
[zimbra@ldap1 ~]$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
[zimbra@ldap1 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com
.........................
Target: ldap2.zimbra.homeunix.com:443
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
2 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits
3 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits
4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,1024bits
5 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits
6 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
7 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits
8 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
9 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits
10 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
11 DHE-RSA-AES256-SHA256 TLSv1.2 DH,1024bits
12 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
13 AES128-GCM-SHA256 TLSv1.2
14 AES256-GCM-SHA384 TLSv1.2
15 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
16 AES128-SHA256 TLSv1.2
17 AES128-SHA TLSv1,TLSv1.1,TLSv1.2
18 AES256-SHA256 TLSv1.2
19 AES256-SHA TLSv1,TLSv1.1,TLSv1.2
20 RC4-SHA TLSv1,TLSv1.1,TLSv1.2
21 DHE-RSA-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
22 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2
23 DHE-RSA-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
24 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2
[-Ajc: Removing the !3DES item]
[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:\!aNULL:\!eNULL:\!EXPORT:\!DES:\!MD5:\!PSK
[-Ajc: Note, requiresRestart states nginxproxy. NOTE - cipherscan will show the 'changes' without a restart.]
[zimbra@ldap2 ~]$ zmprov desc -a zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers
permitted ciphers for reverse proxy. Ciphers are in the formats
supported by OpenSSL e.g.
ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; if not set,
default ciphers permitted by nginx will apply
type : string
value :
callback :
immutable : false
cardinality : single
requiredIn :
optionalIn : globalConfig
flags :
defaults : ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
min :
max :
id : 640
requiresRestart : nginxproxy
since : 5.0.5
deprecatedSince :
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com
............................
Target: ldap2.zimbra.homeunix.com:443
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,P-256,256bits
2 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 ECDH,P-256,256bits
3 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits
4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 DH,1024bits
5 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,P-256,256bits
6 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
7 ECDHE-RSA-AES256-SHA384 TLSv1.2 ECDH,P-256,256bits
8 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
9 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits
10 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
11 DHE-RSA-AES256-SHA256 TLSv1.2 DH,1024bits
12 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
13 AES128-GCM-SHA256 TLSv1.2
14 AES256-GCM-SHA384 TLSv1.2
15 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
16 AES128-SHA256 TLSv1.2
17 AES128-SHA TLSv1,TLSv1.1,TLSv1.2
18 AES256-SHA256 TLSv1.2
19 AES256-SHA TLSv1,TLSv1.1,TLSv1.2
20 RC4-SHA TLSv1,TLSv1.1,TLSv1.2
21 DHE-RSA-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
22 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2
23 DHE-RSA-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
24 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2
25 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
26 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
27 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2
Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Server side cipher ordering
[-Ajc: And we now have three additional lines:]
25 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,P-256,256bits
26 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
27 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2
[-Ajc: Now to test and show various other zimbraReverseProxySSLCiphers settings customers might have, based upon various upgrade situations. If one never manually modified zimbraReverseProxySSLCiphers, then the upgrade installer script would change it to our new default. But if you ever manually set zimbraReverseProxySSLCiphers, then our installer would not overwrite/change it to the 'new' zimbra default.]
[-Ajc: this example comes from a 7.2.7 default install. This string has no !aNULL, and the scan after the restart lists anonymous ADH/AECDH suites (pubkey_size 0, signature None), which do not authenticate the server.]
[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:HIGH
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH
[zimbra@ldap2 ~]$ zmproxyctl restart
Stopping nginx...done.
Starting nginx...done.
[zimbra@ldap2 ~]$ logout
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeuni^C
[root@ldap2 cipherscan-master]# ./cipherscan 11.12.13.14:8443
.^C
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com
......................................
Target: ldap2.zimbra.homeunix.com:443
prio ciphersuite protocols pubkey_size signature_algorithm trusted ticket_hint ocsp_staple pfs_keysize
1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
2 ECDHE-RSA-AES256-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
3 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
5 DHE-RSA-AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
6 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
7 DHE-RSA-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
8 AECDH-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits
9 ADH-AES256-GCM-SHA384 TLSv1.2 0 None True 300 False DH,1024bits
10 ADH-AES256-SHA256 TLSv1.2 0 None True 300 False DH,1024bits
11 ADH-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
12 ADH-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
13 AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False
14 AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False
15 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
16 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
17 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
18 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
19 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
20 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
21 DHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
22 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
23 DHE-RSA-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
24 AECDH-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits
25 ADH-AES128-GCM-SHA256 TLSv1.2 0 None True 300 False DH,1024bits
26 ADH-AES128-SHA256 TLSv1.2 0 None True 300 False DH,1024bits
27 ADH-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
28 ADH-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
29 AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False
30 AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False
31 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
32 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
33 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
34 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
35 AECDH-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits
36 ADH-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
37 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
OCSP stapling: not supported
Server side cipher ordering
[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:HIGH
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH
[zimbra@ldap2 ~]$ zmproxyctl restart
Stopping nginx...done.
Starting nginx...done.
[zimbra@ldap2 ~]$ logout
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com
......................................
Target: ldap2.zimbra.homeunix.com:443
prio ciphersuite protocols pubkey_size signature_algorithm trusted ticket_hint ocsp_staple pfs_keysize
1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
2 ECDHE-RSA-AES256-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
3 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
5 DHE-RSA-AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
6 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
7 DHE-RSA-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
8 AECDH-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits
9 ADH-AES256-GCM-SHA384 TLSv1.2 0 None True 300 False DH,1024bits
10 ADH-AES256-SHA256 TLSv1.2 0 None True 300 False DH,1024bits
11 ADH-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
12 ADH-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
13 AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False
14 AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False
15 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
16 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
17 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
18 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
19 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
20 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
21 DHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
22 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
23 DHE-RSA-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
24 AECDH-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits
25 ADH-AES128-GCM-SHA256 TLSv1.2 0 None True 300 False DH,1024bits
26 ADH-AES128-SHA256 TLSv1.2 0 None True 300 False DH,1024bits
27 ADH-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
28 ADH-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
29 AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False
30 AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False
31 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
32 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
33 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
34 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
35 AECDH-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits
36 ADH-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
37 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
OCSP stapling: not supported
Server side cipher ordering
##################################################################
NEW TEST - Clean Install
##################################################################
############################
New 7.2.7 install [all packages, single install] !!! Note I manually also set zimbraReverseProxySSLCiphers on this test !!!!!
############################
[zimbra@ldap2 ~]$ zmcontrol -v
Release 7.2.7_GA_2942.RHEL6_64_20140314190059 CentOS6_64 NETWORK edition.
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols
[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:HIGH
!!! Again, note I set this variable above manually to the default !!!
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH
############################
7.2.7 upgrade to 8.5.1
############################
[zimbra@ldap2 ~]$ zmcontrol -v
Release 8.5.1_GA_3056.RHEL6_64_20141103151728 RHEL6_64 NETWORK edition.
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH
!!! Again, note I set this variable manually when it was 7.2.7 !!!
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols
[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
############################
8.5.1 upgrade to 8.6.0
############################
[zimbra@ldap2 ~]$ zmcontrol -v
Release 8.6.0_GA_1153.RHEL6_64_20141215151258 RHEL6_64 NETWORK edition.
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH
!!! Again, note I set this variable manually when it was 7.2.7 !!!
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:HIGH:3DES
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH:3DES
/tmp/cipherscan/cipherscan-master
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com
................
Target: ldap2.zimbra.homeunix.com:443
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,B-571,570bits
2 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,B-571,570bits
3 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits
4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits
5 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits
6 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
7 AES128-GCM-SHA256 TLSv1.2
8 AES128-SHA256 TLSv1.2
9 AES128-SHA TLSv1,TLSv1.1,TLSv1.2
10 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits
11 RC4-SHA TLSv1,TLSv1.1,TLSv1.2
12 RC4-MD5 TLSv1,TLSv1.1,TLSv1.2
13 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits
14 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
15 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2
Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Client side cipher ordering
[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:HIGH
[zimbra@ldap2 ~]$ zmcontrol restart
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com
................
Target: ldap2.zimbra.homeunix.com:443
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,B-571,570bits
2 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,B-571,570bits
3 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits
4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits
5 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits
6 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
7 AES128-GCM-SHA256 TLSv1.2
8 AES128-SHA256 TLSv1.2
9 AES128-SHA TLSv1,TLSv1.1,TLSv1.2
10 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits
11 RC4-SHA TLSv1,TLSv1.1,TLSv1.2
12 RC4-MD5 TLSv1,TLSv1.1,TLSv1.2
13 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits
14 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
15 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2
Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Client side cipher ordering
[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:\!aNULL:\!eNULL:\!EXPORT:\!DES:\!3DES:\!MD5:\!PSK
[zimbra@ldap2 ~]$ zmcontrol restart
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com
................
Target: ldap2.zimbra.homeunix.com:443
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,B-571,570bits
2 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,B-571,570bits
3 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits
4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits
5 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits
6 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
7 AES128-GCM-SHA256 TLSv1.2
8 AES128-SHA256 TLSv1.2
9 AES128-SHA TLSv1,TLSv1.1,TLSv1.2
10 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits
11 RC4-SHA TLSv1,TLSv1.1,TLSv1.2
12 RC4-MD5 TLSv1,TLSv1.1,TLSv1.2
13 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits
14 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
15 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2
Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Client side cipher ordering
[root@ldap2 cipherscan-master]# host ldap2.zimbra.homeunix.com
ldap2.zimbra.homeunix.com has address 192.168.1.172
ldap2.zimbra.homeunix.com mail is handled by 10 ldap2.zimbra.homeunix.com.
[root@ldap2 cipherscan-master]# hostname
ldap2
[root@ldap2 cipherscan-master]# su - zimbra
[zimbra@ldap2 ~]$ zmhostname
ldap2.zimbra.homeunix.com
[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers ALL
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ALL
[zimbra@ldap2 ~]$ logout
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com
................
Target: ldap2.zimbra.homeunix.com:443
prio ciphersuite protocols pfs_keysize
1 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 ECDH,B-571,570bits
2 ECDHE-RSA-AES128-SHA256 TLSv1.2 ECDH,B-571,570bits
3 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits
4 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 DH,1024bits
5 DHE-RSA-AES128-SHA256 TLSv1.2 DH,1024bits
6 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
7 AES128-GCM-SHA256 TLSv1.2
8 AES128-SHA256 TLSv1.2
9 AES128-SHA TLSv1,TLSv1.1,TLSv1.2
10 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits
11 RC4-SHA TLSv1,TLSv1.1,TLSv1.2
12 RC4-MD5 TLSv1,TLSv1.1,TLSv1.2
13 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 ECDH,B-571,570bits
14 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 DH,1024bits
15 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2
Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Client side cipher ordering
[zimbra@ldap2 ~]$ zmprov gs `zmhostname` | grep -i proxy | grep -i http
zimbraReverseProxyHttpEnabled: FALSE
zimbraReverseProxyMailMode: http
[zimbra@ldap2 ~]$ /opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x both -H `zmhostname`
[zimbra@ldap2 ~]$ zmprov gs `zmhostname` | grep -i proxy | grep -i http
zimbraReverseProxyHttpEnabled: TRUE
[zimbra@ldap2 ~]$
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeunix.com
....................................................
Target: ldap2.zimbra.homeunix.com:443
prio ciphersuite protocols pubkey_size signature_algorithm trusted ticket_hint ocsp_staple pfs_keysize
1 ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
2 ECDHE-RSA-AES256-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
3 ECDHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
4 DHE-RSA-AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
5 DHE-RSA-AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
6 DHE-RSA-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
7 DHE-RSA-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
8 AECDH-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits
9 ADH-AES256-GCM-SHA384 TLSv1.2 0 None True 300 False DH,1024bits
10 ADH-AES256-SHA256 TLSv1.2 0 None True 300 False DH,1024bits
11 ADH-AES256-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
12 ADH-CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
13 AES256-GCM-SHA384 TLSv1.2 2048 sha256WithRSAEncryption False 300 False
14 AES256-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False
15 AES256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
16 CAMELLIA256-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
17 ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
18 ECDHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
19 ECDHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
20 DHE-RSA-AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
21 DHE-RSA-AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
22 DHE-RSA-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
23 DHE-RSA-SEED-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
24 DHE-RSA-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
25 AECDH-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits
26 ADH-AES128-GCM-SHA256 TLSv1.2 0 None True 300 False DH,1024bits
27 ADH-AES128-SHA256 TLSv1.2 0 None True 300 False DH,1024bits
28 ADH-AES128-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
29 ADH-SEED-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
30 ADH-CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
31 AES128-GCM-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False
32 AES128-SHA256 TLSv1.2 2048 sha256WithRSAEncryption False 300 False
33 AES128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
34 SEED-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
35 CAMELLIA128-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
36 ECDHE-RSA-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
37 AECDH-RC4-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits
38 ADH-RC4-MD5 TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
39 RC4-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
40 RC4-MD5 TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
41 ECDHE-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False ECDH,P-256,256bits
42 EDH-RSA-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
43 AECDH-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False ECDH,P-256,256bits
44 ADH-DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
45 DES-CBC3-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
46 EDH-RSA-DES-CBC-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False DH,1024bits
47 ADH-DES-CBC-SHA TLSv1,TLSv1.1,TLSv1.2 0 None True 300 False DH,1024bits
48 DES-CBC-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False 300 False
49 EXP-DES-CBC-SHA TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False None False RSA,512bits
50 EXP-RC2-CBC-MD5 TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False None False RSA,512bits
51 EXP-RC4-MD5 TLSv1,TLSv1.1,TLSv1.2 2048 sha256WithRSAEncryption False None False RSA,512bits
OCSP stapling: not supported
Server side cipher ordering
##################################################################
NEW TEST - Clean Install
##################################################################
############################
New CLEAN 8.0.4 install [all packages, single install]
############################
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: RC4:HIGH:!aNULL:!MD5:!kEDH:!AD:!SSLv2
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols
* Is an empty value expected here, or is this because it's a single, all-packages install just using defaults?
[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
############################
8.0.4 upgrade to 8.5.1
############################
[zimbra@ldap2 ~]$ zmcontrol -v
Release 8.5.1_GA_3056.RHEL6_64_20141103151728 RHEL6_64 NETWORK edition.
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols
[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
############################
8.5.1 upgrade to 8.6.0
############################
[zimbra@ldap2 ~]$ zmcontrol -v
zmcontrol -v ;
Release 8.6.0_GA_1153.RHEL6_64_20141215151258 RHEL6_64 NETWORK edition.
zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
##################################################################
NEW TEST - Clean Install
##################################################################
############################
New 7.2.7 install [all packages, single install]
############################
[zimbra@ldap2 ~]$ zmcontrol -v
Release 7.2.7_GA_2942.RHEL6_64_20140314190059 CentOS6_64 NETWORK edition.
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols
[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
##################################################################
NEW TEST - Clean Install
##################################################################
############################
New CLEAN 8.0.4 install [all packages, single install]
############################
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: RC4:HIGH:!aNULL:!MD5:!kEDH:!AD:!SSLv2
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols
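* Is an empty value expected here, or is it only because this is a single, all-packages install running on defaults? The same query also returns nothing on the 7.2.7 and 8.5.1 installs on this page; values (TLSv1, TLSv1.1, TLSv1.2) only appear at 8.6.0. An empty attribute does not tell you which protocols the proxy actually offers, so confirm the effective set by scanning the listener rather than relying on this output.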
[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
##################################################################
NEW TEST - Clean Install
##################################################################
############################
New 8.5.1 install [all packages, single install]
############################
[zimbra@ldap2 ~]$ zmcontrol -v
Release 8.5.1_GA_3056.RHEL6_64_20141103151728 RHEL6_64 NETWORK edition.
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols
zmprov gcf zimbraReverseProxySSLProtocols
[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA