Ajcody-Ciphers-Outlook

See Ajcody-Ciphers-Outlook-Troubleshooting also.

[-Ajc: First note, zimbraReverseProxySSLCiphers is relevant only if you're running the Zimbra proxy services 
and you have the HTTP proxy configured. This would also be true if you're using Outlook for IMAP/POP connections 
over the proxy.]

For example, on a server with proxy services running:

[zimbra@ldap2 ~]$ zmprov gs `zmhostname` zimbraReverseProxyHttpEnabled
# name ldap2.zimbra.DOMAIN.com
zimbraReverseProxyHttpEnabled: TRUE

[-Ajc: Second note, when modifying zimbraReverseProxySSLCiphers, if your value includes the ! sign, you'll 
need to add a \ in front of each ! (or single-quote the whole value) to get zmprov to accept it.]

For example, the correct syntax is :

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers '!SSLv2:!MD5:HIGH'
or
[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:HIGH

vs the following INCORRECT format:

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers !SSLv2:!MD5:HIGH


##################################################################
  NEW TEST - Clean Install
##################################################################

############################
New 8.6.0 install [all packages, single install]
############################

[-Ajc: The zimbraReverseProxySSLCiphers listing below is the Zimbra default value for 8.6. Further down we'll 
modify that so 3DES is included, which is necessary for MS Outlook 2011 to work when configured for SSL with EWS, POP, IMAP.]

[-Ajc: cipherscan is available at https://github.com/jvehent/cipherscan ]

[zimbra@ldap1 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

[zimbra@ldap1 ~]$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2

[zimbra@ldap1 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.DOMAIN.com
.........................
Target: ldap2.zimbra.DOMAIN.com:443

prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits
3     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits
4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,1024bits
5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
7     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits
8     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
9     DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits
10    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
11    DHE-RSA-AES256-SHA256        TLSv1.2                DH,1024bits
12    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
13    AES128-GCM-SHA256            TLSv1.2
14    AES256-GCM-SHA384            TLSv1.2
15    ECDHE-RSA-RC4-SHA            TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
16    AES128-SHA256                TLSv1.2
17    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2
18    AES256-SHA256                TLSv1.2
19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2
20    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2
21    DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
22    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2
23    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
24    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2


[-Ajc: Removing the !3DES item]

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:\!aNULL:\!eNULL:\!EXPORT:\!DES:\!MD5:\!PSK

[-Ajc: Note, requiresRestart states nginxproxy. NOTE - cipherscan will show the 'changes' without a restart.]

[zimbra@ldap2 ~]$ zmprov desc -a zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers
    permitted ciphers for reverse proxy. Ciphers are in the formats
    supported by OpenSSL e.g.
    ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP; if not set,
    default ciphers permitted by nginx will apply

               type : string
              value :
           callback :
          immutable : false
        cardinality : single
         requiredIn :
         optionalIn : globalConfig
              flags :
           defaults : ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
                min :
                max :
                 id : 640
    requiresRestart : nginxproxy
              since : 5.0.5
    deprecatedSince :

[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.DOMAIN.com
............................
Target: ldap2.zimbra.DOMAIN.com:443

prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits
3     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits
4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,1024bits
5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
7     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits
8     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
9     DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits
10    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
11    DHE-RSA-AES256-SHA256        TLSv1.2                DH,1024bits
12    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
13    AES128-GCM-SHA256            TLSv1.2
14    AES256-GCM-SHA384            TLSv1.2
15    ECDHE-RSA-RC4-SHA            TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
16    AES128-SHA256                TLSv1.2
17    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2
18    AES256-SHA256                TLSv1.2
19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2
20    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2
21    DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
22    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2
23    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
24    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2
25    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
26    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
27    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Server side cipher ordering

[-Ajc: And we now have three additional lines:]

25    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
26    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
27    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2


[-Ajc: Now to test and show various other zimbraReverseProxySSLCiphers settings customers might 
have based upon various upgrade situations. If one never manually modified zimbraReverseProxySSLCiphers, 
then the upgrade installer script would be making the changes to our default. But if you ever 
manually set zimbraReverseProxySSLCiphers, then our installer would not overwrite/change it 
to the 'new' Zimbra default.]


[-Ajc: this example comes from a 7.2.7 default install.]

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:HIGH
[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH
[zimbra@ldap2 ~]$ zmproxyctl restart
Stopping nginx...done.
Starting nginx...done.
[zimbra@ldap2 ~]$ logout
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.homeuni^C
[root@ldap2 cipherscan-master]# ./cipherscan 11.12.13.14:8443
.^C
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.DOMAIN.com
......................................
Target: ldap2.zimbra.DOMAIN.com:443

prio  ciphersuite                  protocols              pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
2     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
5     DHE-RSA-AES256-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
6     DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
7     DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
8     AECDH-AES256-SHA             TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        ECDH,P-256,256bits
9     ADH-AES256-GCM-SHA384        TLSv1.2                0            None                     True     300          False        DH,1024bits
10    ADH-AES256-SHA256            TLSv1.2                0            None                     True     300          False        DH,1024bits
11    ADH-AES256-SHA               TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        DH,1024bits
12    ADH-CAMELLIA256-SHA          TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        DH,1024bits
13    AES256-GCM-SHA384            TLSv1.2                2048         sha256WithRSAEncryption  False    300          False
14    AES256-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  False    300          False
15    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False
16    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False
17    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
18    ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
19    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
20    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
21    DHE-RSA-AES128-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
22    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
23    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
24    AECDH-AES128-SHA             TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        ECDH,P-256,256bits
25    ADH-AES128-GCM-SHA256        TLSv1.2                0            None                     True     300          False        DH,1024bits
26    ADH-AES128-SHA256            TLSv1.2                0            None                     True     300          False        DH,1024bits
27    ADH-AES128-SHA               TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        DH,1024bits
28    ADH-CAMELLIA128-SHA          TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        DH,1024bits
29    AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  False    300          False
30    AES128-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  False    300          False
31    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False
32    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False
33    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
34    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
35    AECDH-DES-CBC3-SHA           TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        ECDH,P-256,256bits
36    ADH-DES-CBC3-SHA             TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        DH,1024bits
37    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False

OCSP stapling: not supported
Server side cipher ordering
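
An added example (not part of the original notes or of cipherscan itself): a Python helper that parses cipherscan's table output in both column layouts shown above, lists the suites a configuration change added or removed, and tags anonymous (ADH/AECDH), 3DES, RC4 and small-DH-group suites. The sample rows are trimmed from the scans on this page; the function names and the 2048-bit DH threshold are assumptions of the example.

```python
import re

# Sample input: rows trimmed from the scans shown on this page
# (narrow layout before and after the !3DES item was removed).
BEFORE = """\
Target: ldap2.zimbra.DOMAIN.com:443

prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits
3     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits
20    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2
"""
AFTER = BEFORE + """\
25    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
27    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2
"""
# Wide layout, rows trimmed from the '!SSLv2:!MD5:HIGH' scan.
WIDE = """\
prio  ciphersuite  protocols  pubkey_size  signature_algorithm  trusted  ticket_hint  ocsp_staple  pfs_keysize
8     AECDH-AES256-SHA       TLSv1,TLSv1.1,TLSv1.2  0     None                     True   300  False  ECDH,P-256,256bits
9     ADH-AES256-GCM-SHA384  TLSv1.2                0     None                     True   300  False  DH,1024bits
13    AES256-GCM-SHA384      TLSv1.2                2048  sha256WithRSAEncryption  False  300  False
"""

MIN_DH_BITS = 2048  # assumption of this example, not a value from the page


def parse_cipherscan(text):
    """Return {ciphersuite: row dict} for every table row in the scan output."""
    header, rows = None, {}
    for line in text.splitlines():
        fields = line.split()
        if fields[:2] == ["prio", "ciphersuite"]:
            header = fields  # column names differ between the two layouts
        elif header and fields and fields[0].isdigit():
            # No column contains spaces, so whitespace splitting is safe.
            # A row without forward secrecy just lacks the last column.
            row = dict(zip(header, fields))
            row["protocols"] = row["protocols"].split(",")
            rows[row["ciphersuite"]] = row
    return rows


def findings(row):
    """Tag one row with the weaknesses visible in its name and DH size."""
    name, tags = row["ciphersuite"], []
    if re.match(r"A(EC)?DH-", name):
        tags.append("anon")      # no server authentication at all
    if "DES-CBC3" in name:
        tags.append("3DES")
    if "RC4" in name:
        tags.append("RC4")
    dh = re.match(r"DH,(\d+)bits", row.get("pfs_keysize", ""))
    if dh and int(dh.group(1)) < MIN_DH_BITS:
        tags.append("weak-DH")   # finite-field DH only; ECDH rows do not match
    return tags


def audit(text):
    """Return {ciphersuite: [tags]} for every suite with at least one tag."""
    report = {}
    for name, row in parse_cipherscan(text).items():
        tags = findings(row)
        if tags:
            report[name] = tags
    return report


def diff_scans(before, after):
    """Return (added, removed) ciphersuite names between two scans."""
    b, a = parse_cipherscan(before), parse_cipherscan(after)
    return sorted(set(a) - set(b)), sorted(set(b) - set(a))


if __name__ == "__main__":
    added, removed = diff_scans(BEFORE, AFTER)
    print("added:", added, "removed:", removed)
    for label, scan in (("after", AFTER), ("wide", WIDE)):
        for name, tags in audit(scan).items():
            print(f"{label}: {name}: {', '.join(tags)}")
```

Saving each cipherscan run to a file and passing the file contents to diff_scans() and audit() gives the same comparison the notes do by eye.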



##################################################################
  NEW TEST - Clean Install
##################################################################

############################
New 7.2.7 install [all packages, single install]  !!! Note I manually also set zimbraReverseProxySSLCiphers on this test !!!!!
############################

[zimbra@ldap2 ~]$ zmcontrol -v
Release 7.2.7_GA_2942.RHEL6_64_20140314190059 CentOS6_64 NETWORK edition.

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:HIGH

!!! Again, note I set this variable above manually to the default !!!

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH

############################
7.2.7 upgrade to 8.5.1
############################

[zimbra@ldap2 ~]$ zmcontrol -v
Release 8.5.1_GA_3056.RHEL6_64_20141103151728 RHEL6_64 NETWORK edition.

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH

!!! Again, note I set this variable manually when it was 7.2.7 !!!

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

############################
8.5.1 upgrade to 8.6.0
############################

[zimbra@ldap2 ~]$ zmcontrol -v
Release 8.6.0_GA_1153.RHEL6_64_20141215151258 RHEL6_64 NETWORK edition.

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH

!!! Again, note I set this variable manually when it was 7.2.7 !!!

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:HIGH:3DES

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH:3DES


/tmp/cipherscan/cipherscan-master


[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.DOMAIN.com
................
Target: ldap2.zimbra.DOMAIN.com:443

prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,B-571,570bits
2     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,B-571,570bits
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits
5     DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits
6     DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
7     AES128-GCM-SHA256            TLSv1.2
8     AES128-SHA256                TLSv1.2
9     AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2
10    ECDHE-RSA-RC4-SHA            TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
11    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2
12    RC4-MD5                      TLSv1,TLSv1.1,TLSv1.2
13    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
14    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
15    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Client side cipher ordering

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers \!SSLv2:\!MD5:HIGH
[zimbra@ldap2 ~]$ zmcontrol restart

[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.DOMAIN.com
................
Target: ldap2.zimbra.DOMAIN.com:443

prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,B-571,570bits
2     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,B-571,570bits
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits
5     DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits
6     DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
7     AES128-GCM-SHA256            TLSv1.2
8     AES128-SHA256                TLSv1.2
9     AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2
10    ECDHE-RSA-RC4-SHA            TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
11    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2
12    RC4-MD5                      TLSv1,TLSv1.1,TLSv1.2
13    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
14    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
15    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Client side cipher ordering

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:\!aNULL:\!eNULL:\!EXPORT:\!DES:\!3DES:\!MD5:\!PSK
[zimbra@ldap2 ~]$ zmcontrol restart


[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.DOMAIN.com
................
Target: ldap2.zimbra.DOMAIN.com:443

prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,B-571,570bits
2     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,B-571,570bits
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits
5     DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits
6     DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
7     AES128-GCM-SHA256            TLSv1.2
8     AES128-SHA256                TLSv1.2
9     AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2
10    ECDHE-RSA-RC4-SHA            TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
11    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2
12    RC4-MD5                      TLSv1,TLSv1.1,TLSv1.2
13    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
14    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
15    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Client side cipher ordering

[root@ldap2 cipherscan-master]# host ldap2.zimbra.DOMAIN.com
ldap2.zimbra.DOMAIN.com has address 192.168.1.172
ldap2.zimbra.DOMAIN.com mail is handled by 10 ldap2.zimbra.DOMAIN.com.

[root@ldap2 cipherscan-master]# hostname
ldap2

[root@ldap2 cipherscan-master]# su - zimbra

[zimbra@ldap2 ~]$ zmhostname
ldap2.zimbra.DOMAIN.com

[zimbra@ldap2 ~]$ zmprov mcf zimbraReverseProxySSLCiphers ALL

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ALL

[zimbra@ldap2 ~]$ logout
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.DOMAIN.com
................
Target: ldap2.zimbra.DOMAIN.com:443

prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,B-571,570bits
2     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,B-571,570bits
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits
5     DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits
6     DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
7     AES128-GCM-SHA256            TLSv1.2
8     AES128-SHA256                TLSv1.2
9     AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2
10    ECDHE-RSA-RC4-SHA            TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
11    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2
12    RC4-MD5                      TLSv1,TLSv1.1,TLSv1.2
13    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
14    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
15    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Client side cipher ordering

[zimbra@ldap2 ~]$ zmprov gs `zmhostname` | grep -i proxy | grep -i http
zimbraReverseProxyHttpEnabled: FALSE
zimbraReverseProxyMailMode: http
[zimbra@ldap2 ~]$ /opt/zimbra/libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x both -H `zmhostname`

[zimbra@ldap2 ~]$ zmprov gs `zmhostname` | grep -i proxy | grep -i http
zimbraReverseProxyHttpEnabled: TRUE
[zimbra@ldap2 ~]$

[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.DOMAIN.com
....................................................
Target: ldap2.zimbra.DOMAIN.com:443

prio  ciphersuite                  protocols              pubkey_size  signature_algorithm      trusted  ticket_hint  ocsp_staple  pfs_keysize
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
2     ECDHE-RSA-AES256-SHA384      TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
3     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
5     DHE-RSA-AES256-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
6     DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
7     DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
8     AECDH-AES256-SHA             TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        ECDH,P-256,256bits
9     ADH-AES256-GCM-SHA384        TLSv1.2                0            None                     True     300          False        DH,1024bits
10    ADH-AES256-SHA256            TLSv1.2                0            None                     True     300          False        DH,1024bits
11    ADH-AES256-SHA               TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        DH,1024bits
12    ADH-CAMELLIA256-SHA          TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        DH,1024bits
13    AES256-GCM-SHA384            TLSv1.2                2048         sha256WithRSAEncryption  False    300          False
14    AES256-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  False    300          False
15    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False
16    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False
17    ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
18    ECDHE-RSA-AES128-SHA256      TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
19    ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
20    DHE-RSA-AES128-GCM-SHA256    TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
21    DHE-RSA-AES128-SHA256        TLSv1.2                2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
22    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
23    DHE-RSA-SEED-SHA             TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
24    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
25    AECDH-AES128-SHA             TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        ECDH,P-256,256bits
26    ADH-AES128-GCM-SHA256        TLSv1.2                0            None                     True     300          False        DH,1024bits
27    ADH-AES128-SHA256            TLSv1.2                0            None                     True     300          False        DH,1024bits
28    ADH-AES128-SHA               TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        DH,1024bits
29    ADH-SEED-SHA                 TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        DH,1024bits
30    ADH-CAMELLIA128-SHA          TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        DH,1024bits
31    AES128-GCM-SHA256            TLSv1.2                2048         sha256WithRSAEncryption  False    300          False
32    AES128-SHA256                TLSv1.2                2048         sha256WithRSAEncryption  False    300          False
33    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False
34    SEED-SHA                     TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False
35    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False
36    ECDHE-RSA-RC4-SHA            TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
37    AECDH-RC4-SHA                TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        ECDH,P-256,256bits
38    ADH-RC4-MD5                  TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        DH,1024bits
39    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False
40    RC4-MD5                      TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False
41    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        ECDH,P-256,256bits
42    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
43    AECDH-DES-CBC3-SHA           TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        ECDH,P-256,256bits
44    ADH-DES-CBC3-SHA             TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        DH,1024bits
45    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False
46    EDH-RSA-DES-CBC-SHA          TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False        DH,1024bits
47    ADH-DES-CBC-SHA              TLSv1,TLSv1.1,TLSv1.2  0            None                     True     300          False        DH,1024bits
48    DES-CBC-SHA                  TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    300          False
49    EXP-DES-CBC-SHA              TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    None         False        RSA,512bits
50    EXP-RC2-CBC-MD5              TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    None         False        RSA,512bits
51    EXP-RC4-MD5                  TLSv1,TLSv1.1,TLSv1.2  2048         sha256WithRSAEncryption  False    None         False        RSA,512bits

OCSP stapling: not supported
Server side cipher ordering
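
Added example (not part of the original notes): a shell/awk filter that reads cipherscan's table and lists every offered suite belonging to a class that the 8.6 default string excludes (!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK), which shows what setting ALL exposed in the scan above. The function name audit_cipherscan, the matching of classes by suite-name pattern (an approximation of OpenSSL's class keywords) and the abridged sample rows are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original page.
# Reads cipherscan's table on stdin and prints "suite<TAB>classes" for each
# offered suite that falls in a class excluded by the 8.6 default string:
#   !aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK
# $1 (optional): comma-separated classes to tolerate, e.g. "3DES".
audit_cipherscan() {
  awk -v allow="${1:-}" '
    BEGIN { n = split(allow, a, ","); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    # Append class c to the hit list unless the caller tolerates it.
    function tag(c) { if (!(c in ok)) hit = hit (hit == "" ? "" : ",") c }
    $1 ~ /^[0-9]+$/ && NF >= 3 {        # table rows start with a priority number
      s = $2; hit = ""
      if (s ~ /^(ADH|AECDH)-/) tag("aNULL")    # anonymous key exchange
      if (s ~ /NULL/)          tag("eNULL")    # no encryption
      if (s ~ /^EXP-/)         tag("EXPORT")   # export-grade suites
      if (s ~ /DES-CBC-/)      tag("DES")      # single DES (DES-CBC3 does not match)
      if (s ~ /DES-CBC3-/)     tag("3DES")
      if (s ~ /-MD5$/)         tag("MD5")
      if (s ~ /PSK/)           tag("PSK")
      if (hit != "") printf "%s\t%s\n", s, hit
    }'
}

# Constructed sample: rows abridged from the ALL scan above (columns trimmed).
SAMPLE_SCAN='prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits
8     AECDH-AES256-SHA             TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
38    ADH-RC4-MD5                  TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
39    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2
45    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2
48    DES-CBC-SHA                  TLSv1,TLSv1.1,TLSv1.2
51    EXP-RC4-MD5                  TLSv1,TLSv1.1,TLSv1.2  RSA,512bits'

# Report every excluded-class suite found in the sample.
printf '%s\n' "$SAMPLE_SCAN" | audit_cipherscan
```

On a live host the same function takes cipherscan's output on a pipe. Passing 3DES as the first argument tolerates the 3DES suites this page re-enables for Outlook 2011, so only the unintended classes are listed.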


##################################################################
  NEW TEST - Clean Install
##################################################################


############################
New CLEAN 8.0.4 install [all packages, single install]
############################

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: RC4:HIGH:!aNULL:!MD5:!kEDH:!AD:!SSLv2

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols
 * Is an empty value expected, or is this because it's a single all-packages install just using defaults?

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

############################
8.0.4 upgrade to 8.5.1
############################

[zimbra@ldap2 ~]$ zmcontrol -v
Release 8.5.1_GA_3056.RHEL6_64_20141103151728 RHEL6_64 NETWORK edition.

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA


############################
8.5.1 upgrade to 8.6.0
############################

[zimbra@ldap2 ~]$ zmcontrol -v
Release 8.6.0_GA_1153.RHEL6_64_20141215151258 RHEL6_64 NETWORK edition.

zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2

zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

##################################################################
  NEW TEST - Clean Install
##################################################################

############################
New 7.2.7 install [all packages, single install]
############################

[zimbra@ldap2 ~]$ zmcontrol -v
Release 7.2.7_GA_2942.RHEL6_64_20140314190059 CentOS6_64 NETWORK edition.

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !SSLv2:!MD5:HIGH

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

##################################################################
  NEW TEST - Clean Install
##################################################################

############################
New CLEAN 8.0.4 install [all packages, single install]
############################

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: RC4:HIGH:!aNULL:!MD5:!kEDH:!AD:!SSLv2

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols
 * Is an empty value expected, or is this because it's a single all-packages install just using defaults?

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA

##################################################################
  NEW TEST - Clean Install
##################################################################

############################
New 8.5.1 install [all packages, single install]
############################

[zimbra@ldap2 ~]$ zmcontrol -v
Release 8.5.1_GA_3056.RHEL6_64_20141103151728 RHEL6_64 NETWORK edition.

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK

[zimbra@ldap2 ~]$ zmprov gcf zimbraReverseProxySSLProtocols

[zimbra@ldap2 ~]$ zmprov gcf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA


