Difference between revisions of "Weak Cipher Suites Appear in Security Scans"

(Redirected page to Category:Security)
 
(2 intermediate revisions by one other user not shown)

Latest revision as of 11:41, 30 March 2015

Redirect to:

Weak Ciphers Appear in Vulnerability Scans


Security vulnerability scanning software may generate a list of cipher suites that you would like to deactivate. The command:

zmprov mcf +zimbraSSLExcludeCipherSuites <cipher_suite_name>

may be used to exclude these weak ciphers. However, the cipher names listed in the vulnerability scan may be in OpenSSL format and not match the name that Zimbra's Jetty server uses for the same cipher suite.

See here for a list of cipher suites used by Zimbra's Java JSSE implementation:

Cipher Suites for Java 6


The following link maps the SSL or TLS cipher suite names from the relevant specification to their OpenSSL equivalents:

Cipher Suite Names Conversion

Be sure to use the SSL or TLS specification names from the Java documentation above when setting the zimbraSSLExcludeCipherSuites parameter.

For example, if the scanning software reports the OpenSSL-format name "EXP-RC2-CBC-MD5", the command to use is:

zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5


Postfix Ciphers

Another source for weak ciphers in a scan is Postfix on Port 25. Please see here for info on disabling weak ciphers for Postfix:

Postfix PCI Compliance in ZCS


Nginx Ciphers

If you are using a Proxy you should check the SSL ciphers used there as well:

zmprov gacf zimbraReverseProxySSLCiphers 

The following command sets a cipher list that should remove the weak ciphers we have seen in recent security scans, although more may appear in the future. Please note the syntax and the format of the cipher list. You may add additional cipher suites to this list as needed. Make sure to use "\" to escape the "!" character so that the shell does not interpret it.

zmprov mcf zimbraReverseProxySSLCiphers \!DHE-RSA-AES256-SHA:\!ADH:\!SSLv2:\!MD5:HIGH