Ajcody-Ciphers-Outlook-Troubleshooting

Bug:
*  "Mac Outlook 2011 requires 3DES or RC4 ciphers"
** https://bugzilla.zimbra.com/show_bug.cgi?id=97232

References:
* https://www.openssl.org/docs/apps/ciphers.html
** explains what HIGH and the other aliases used in zimbraReverseProxySSLCiphers actually expand to
* http://wiki.zimbra.com/wiki/Zimbra_Proxy_Manual:Installing_,_Configuring,_Disabling_the_Zimbra_Proxy#zmtlsctl
** for the case where the server is in http-only mode
* http://wiki.zimbra.com/wiki/Zimbra_Proxy_Manual:Installing_,_Configuring,_Disabling_the_Zimbra_Proxy#Using_Existing_Servers_2
** for the case where the proxy isn't enabled for http/mail
* Notes from various tests I did, saved for my reference.
** https://wiki.zimbra.com/wiki/Ajcody-Ciphers-Outlook

First, you might want to get cipherscan. It's available at https://github.com/jvehent/cipherscan .
Run it against your server's name, for example:

./cipherscan ldap2.zimbra.DOMAIN.com

It defaults to port 443. You can also check it against port 8443 [which could be the port set on your
mailstores if you set up the proxy on them as well, as I have done in this example] by doing:

./cipherscan ldap2.zimbra.DOMAIN.com:8443

Also, you could use the following to compare before/after results:

* https://www.ssllabs.com/ssltest/

Second, the assumption is that you are running with the ZCS proxy service enabled for the access methods
you are attempting with Outlook 2011 [http{mail}, pop, imap] and that SSL is enabled for each of them.

Let's confirm that the account you'll test with has EWS enabled, and that your license includes EWS:

[zimbra@ldap2 log]$ zmprov ga user1@ldap2.zimbra.DOMAIN.com zimbraFeatureEwsEnabled
[zimbra@ldap2 log]$ zmlicense -p | grep -i ews

Let's also record what zimbraReverseProxySSLCiphers is currently set to before you change it.

[zimbra@ldap2 log]$ zmprov gcf zimbraReverseProxySSLCiphers

Make sure 3DES isn't excluded. Note that zimbraReverseProxySSLCiphers is an OpenSSL-style cipher string
(aliases such as HIGH, 3DES, !MD5) that configures nginx, so grep it for the 3DES alias. Names of the
form TLS_RSA_WITH_3DES_EDE_CBC_SHA are JSSE names and belong to zimbraSSLExcludeCipherSuites, the
mailboxd/jetty exclude list, so grep that one too. A !3DES token in the proxy string means 3DES is off
no matter what else is listed; an empty result from the second grep means mailboxd isn't excluding it:

[zimbra@ldap2 log]$ zmprov gcf zimbraReverseProxySSLCiphers | grep -i 3DES
[zimbra@ldap2 log]$ zmprov gcf zimbraSSLExcludeCipherSuites | grep -i 3DES
[zimbra@ldap2 log]$

Depending on what you have set, you'll need to adjust it to allow 3DES. If you manually set
zimbraReverseProxySSLCiphers at some point in your ZCS server's history, the upgrade process
will not change it. Below I include the default for 8.6 and how to modify it for 3DES. The
first example is what you might see if you upgraded from ZCS 7 and/or manually set it at some
point to the ZCS 7 default.

If you want to see/confirm the default value for ZCS 8.6, run the command below. !!!Please
Note!!! In an interactive shell a ! triggers history expansion, so you can't paste the value
into your CLI unless you either put a \ in front of each ! or wrap the whole value in single
quotes. For 8.6, the default contains !3DES; we want that to become 3DES, as shown in example 2.
In OpenSSL cipher-string syntax a ! exclusion is permanent, so simply appending :3DES while
!3DES is still in the string does nothing; the !3DES token itself has to go. Also be aware of
what you are trading: the cipher string applies to the listener, not to one client, so every
client that connects to the proxy can now negotiate 3DES (a 64-bit block cipher) and, with
example 2, RC4 (prohibited for TLS by RFC 7465). Plan to tighten the string again once the
Outlook 2011 clients are gone.

[zimbra@ldap2 log]$ zmprov desc -a zimbraReverseProxySSLCiphers

[example 1]
[zimbra@ldap2 log]$ zmprov mcf zimbraReverseProxySSLCiphers '!SSLv2:!MD5:HIGH:3DES'
[zimbra@ldap2 log]$ zmproxyctl restart

[Note, I added additional \ below to the command so your cut/paste should be easier and on the wiki
page it wouldn't be one continuous line.]

[example 2]
[zimbra@ldap2 log]$ zmprov mcf zimbraReverseProxySSLCiphers ECDHE-RSA-AES128-GCM-SHA256:\
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:\
DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:\
ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:\
ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:\
DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:\
DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:\
AES128:AES256:RC4-SHA:HIGH:3DES:'!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK'

[zimbra@ldap2 log]$ zmproxyctl restart

Once you've restarted the proxy services, close your Outlook session if you haven't already and
relaunch it. In my testing I didn't have to reconfigure the account in Outlook that had initially
failed because of the cipher issue, but I did have to relaunch Outlook before it would sync after
I made the server changes and restarted the proxy services. Log files to check are:
 on proxies:  /opt/zimbra/log/nginx.log
 on mailstores: /opt/zimbra/log/ews.log /opt/zimbra/log/access.log

!!! NOTE - If You Aren't Running The ZCS Proxy Or Will Have Outlook Connect Directly To The Mailstore/Jetty !!!
!!! POP/IMAP SSL Setups In Outlook Also Depending On Your Setup !!!

Then the mailboxd (jetty) listeners also need to accept the handshake the client sends. SSLv2Hello in
the Java protocol list means "accept an SSLv2-format ClientHello"; it does not enable the SSLv2
protocol itself. The command below sets zimbraMailboxdSSLProtocols in global config, so one change
covers all mailstores, but mailboxd has to be restarted on each of them:

[zimbra@ldap2 log]$ zmprov mcf +zimbraMailboxdSSLProtocols SSLv2Hello
[zimbra@ldap2 log]$ zmmailboxdctl restart
Stopping mailboxd...done.
Starting mailboxd...done.

Outlook should now be able to connect directly to the mailstores, in my example here using a 
single ZCS server with proxy and the mailstore services running on it, I'm now able to connect 
with Outlook using either port 443 [my proxy] or port 8443 [my mailstore/jetty]. Please note, 
in Outlook you'll need to leave the Use SSL box checked and then check the override if you want 
to test on different ports besides 443.

If things still fail, you'll also want to provide the information below as well with all the 
data/tests from above. Note, I'm including my output from my test box below from these commands. 
My test box was a single 8.6 ZCS server [clean install, no prior ZCS versions upgraded from] 
with all services enabled.

[This command just needs to be shared once with us since it's your global variables]

[zimbra@ldap2 log]$ zmprov gacf | egrep -i 'mailsslp|proxy|ciphers' | egrep -i 'ssl|cipher|enabled:|port:|mode'
zimbraAdminProxyPort: 9071
zimbraImapProxyBindPort: 143
zimbraImapSSLProxyBindPort: 993
zimbraMailProxyPort: 0
zimbraMailSSLPort: 0
zimbraMailSSLProxyClientCertPort: 3443
zimbraMailSSLProxyPort: 0
zimbraMtaLmtpTlsCiphers: export
zimbraMtaLmtpTlsMandatoryCiphers: medium
zimbraMtaSmtpTlsCiphers: export
zimbraMtaSmtpTlsMandatoryCiphers: medium
zimbraMtaSmtpdTlsCiphers: export
zimbraMtaSmtpdTlsMandatoryCiphers: medium
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLProxyBindPort: 995
zimbraReverseProxyAdminEnabled: FALSE
zimbraReverseProxyClientCertMode: off
zimbraReverseProxyDnsLookupInServerEnabled: TRUE
zimbraReverseProxyHttpEnabled: FALSE
zimbraReverseProxyHttpSSLPortAttribute: zimbraMailSSLPort
zimbraReverseProxyImapSSLPortAttribute: zimbraImapSSLBindPort
zimbraReverseProxyImapSaslGssapiEnabled: FALSE
zimbraReverseProxyImapSaslPlainEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
zimbraReverseProxyMailEnabled: TRUE
zimbraReverseProxyMailImapEnabled: TRUE
zimbraReverseProxyMailImapsEnabled: TRUE
zimbraReverseProxyMailPop3Enabled: TRUE
zimbraReverseProxyMailPop3sEnabled: TRUE
zimbraReverseProxyPop3SSLPortAttribute: zimbraPop3SSLBindPort
zimbraReverseProxyPop3SaslGssapiEnabled: FALSE
zimbraReverseProxyPop3SaslPlainEnabled: TRUE
zimbraReverseProxyPop3StartTlsMode: only
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
  ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:
  DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:
  ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:
  ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:
  DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:
  AES128-GCM-SHA256:AES256-GCM-SHA384:ECDHE-RSA-RC4-SHA:ECDHE-ECDSA-RC4-SHA:AES128:AES256:
  RC4-SHA:HIGH:3DES:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK
zimbraReverseProxySSLECDHCurve: prime256v1
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA


[This command should be run on each of your proxy and mailstore servers]

[zimbra@ldap2 log]$ zmprov gs `zmhostname` | egrep -i 'mailssl|proxy' | egrep -i 'ssl|cipher|enabled:|port:|mode' | sort
zimbraAdminProxyPort: 9071
zimbraImapProxyBindPort: 143
zimbraImapSSLProxyBindPort: 993
zimbraMailProxyPort: 80
zimbraMailSSLClientCertMode: Disabled
zimbraMailSSLClientCertOCSPEnabled: TRUE
zimbraMailSSLClientCertPort: 9443
zimbraMailSSLPort: 8443
zimbraMailSSLProxyClientCertPort: 3443
zimbraMailSSLProxyPort: 443
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLProxyBindPort: 995
zimbraReverseProxyAdminEnabled: FALSE
zimbraReverseProxyClientCertMode: off
zimbraReverseProxyDnsLookupInServerEnabled: TRUE
zimbraReverseProxyHttpEnabled: TRUE
zimbraReverseProxyImapSaslGssapiEnabled: FALSE
zimbraReverseProxyImapSaslPlainEnabled: TRUE
zimbraReverseProxyImapStartTlsMode: only
zimbraReverseProxyMailEnabled: TRUE
zimbraReverseProxyMailImapEnabled: TRUE
zimbraReverseProxyMailImapsEnabled: TRUE
zimbraReverseProxyMailMode: https
zimbraReverseProxyMailPop3Enabled: TRUE
zimbraReverseProxyMailPop3sEnabled: TRUE
zimbraReverseProxyPop3SaslGssapiEnabled: FALSE
zimbraReverseProxyPop3SaslPlainEnabled: TRUE
zimbraReverseProxyPop3StartTlsMode: only
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraServiceEnabled: proxy
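The two dumps above are what you'd hand to support, and they are also enough to check the settings this page changes without reading them by eye across every proxy and mailstore. Below is an added example (my script, not Zimbra's tooling) that parses zmprov gacf / zmprov gs 'attr: value' output and reports the proxy cipher-string state (applying the OpenSSL rule that a ! exclusion is permanent, without expanding aliases like HIGH), whether mailboxd's zimbraSSLExcludeCipherSuites blocks 3DES, and whether SSLv2Hello is in zimbraMailboxdSSLProtocols. The sample input is constructed: a shortened subset of the global dump shown above plus two zimbraMailboxdSSLProtocols lines, with assumed values, that the filtered dump did not include. On a real server save the dump with zmprov gacf > gacf.txt and feed the file's contents to audit_text().

```python
"""Audit Zimbra TLS settings from 'zmprov gacf' / 'zmprov gs' output.

Added example for this wiki page, not part of Zimbra. Assumes the plain
'attr: value' format zmprov prints, one line per value for multi-valued
attributes. Indented continuation lines (as wrapped on the wiki) are
joined back onto the previous value.
"""
import re
from collections import defaultdict

ATTR_LINE = re.compile(r'^([A-Za-z][A-Za-z0-9]*):\s*(.*)$')


def parse_zmprov(text):
    """Return {attribute: [values]} from 'attr: value' lines."""
    attrs = defaultdict(list)
    last = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and last is not None:
            attrs[last][-1] += line.strip()      # wrapped continuation
            continue
        m = ATTR_LINE.match(line)
        if m:                                    # shell prompts etc. are skipped
            last = m.group(1)
            attrs[last].append(m.group(2).strip())
    return dict(attrs)


def cipher_string_state(cipher_string):
    """Classify an OpenSSL-style cipher string such as nginx's ssl_ciphers.

    Only tokens are inspected; aliases like HIGH are not expanded. The one
    OpenSSL rule applied is that a '!' exclusion is permanent: '!3DES'
    anywhere in the string wins over a bare '3DES' elsewhere. Note that
    '!DES' removes single DES only, not 3DES.
    """
    tokens = [t for t in cipher_string.split(':') if t]
    killed = {t[1:].upper() for t in tokens if t.startswith('!')}
    wanted = {t.upper() for t in tokens if t[0] not in '!-+@'}

    def requested(alias):
        return alias in wanted and alias not in killed

    rc4_named = any(t.startswith('RC4') or '-RC4-' in t for t in wanted)
    return {
        '3des_excluded': '3DES' in killed,
        '3des_requested': requested('3DES'),
        'rc4_requested': rc4_named and 'RC4' not in killed,
        'md5_excluded': 'MD5' in killed,
    }


def audit(attrs):
    """Findings relevant to the Outlook 2011 3DES/RC4 problem."""
    proxy = attrs.get('zimbraReverseProxySSLCiphers', [''])[0]
    excl = attrs.get('zimbraSSLExcludeCipherSuites', [])   # JSSE names, mailboxd side
    return {
        'proxy': cipher_string_state(proxy),
        'proxy_protocols': attrs.get('zimbraReverseProxySSLProtocols', []),
        'mailboxd_3des_excluded': any('3DES' in v.upper() for v in excl),
        'mailboxd_sslv2hello': 'SSLv2Hello' in attrs.get('zimbraMailboxdSSLProtocols', []),
    }


def audit_text(text):
    return audit(parse_zmprov(text))


# Constructed sample: a shortened subset of the 'zmprov gacf' output shown on
# this page, plus two zimbraMailboxdSSLProtocols lines (assumed values) that
# the page's filtered dump did not include.
SAMPLE = """\
[zimbra@ldap2 log]$ zmprov gacf | egrep -i 'mailsslp|proxy|ciphers'
zimbraReverseProxyHttpEnabled: FALSE
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:
  AES128:AES256:RC4-SHA:HIGH:3DES:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
zimbraMailboxdSSLProtocols: TLSv1
zimbraMailboxdSSLProtocols: SSLv2Hello
"""

if __name__ == '__main__':
    for key, value in audit_text(SAMPLE).items():
        print(key, value)
```

The script deliberately does not try to expand HIGH or decide what nginx will finally offer; that is what cipherscan is for. It answers the narrower questions you need before restarting anything: is 3DES still knocked out by a permanent exclusion, did RC4 come along for the ride, and is the mailboxd side configured at all.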

Also, here are the results of my cipherscan after I made the changes. I tested both the default port
available through my proxy [443] and the 'mailstore/jetty' port [8443], which is different since I have
the mailstore and proxy services running on the same box. A few things worth noticing in the output:
mailboxd on 8443 also offers RC4-MD5, which the !MD5 in the proxy string does nothing about because
zimbraReverseProxySSLCiphers only configures nginx (mailboxd's list is governed by
zimbraSSLExcludeCipherSuites); 8443 reports client side cipher ordering, so a client that lists RC4 or
3DES first gets it even though AES-GCM is on offer, while the proxy on 443 enforces server side
ordering; and both ports use 1024-bit DH parameters for the DHE suites.

[root@ldap2 etc]# cd /tmp/cipherscan/cipherscan-master/
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.DOMAIN.com
............................
Target: ldap2.zimbra.DOMAIN.com:443

prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,P-256,256bits
2     ECDHE-RSA-AES256-GCM-SHA384  TLSv1.2                ECDH,P-256,256bits
3     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits
4     DHE-RSA-AES256-GCM-SHA384    TLSv1.2                DH,1024bits
5     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,P-256,256bits
6     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
7     ECDHE-RSA-AES256-SHA384      TLSv1.2                ECDH,P-256,256bits
8     ECDHE-RSA-AES256-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
9     DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits
10    DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
11    DHE-RSA-AES256-SHA256        TLSv1.2                DH,1024bits
12    DHE-RSA-AES256-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
13    AES128-GCM-SHA256            TLSv1.2
14    AES256-GCM-SHA384            TLSv1.2
15    ECDHE-RSA-RC4-SHA            TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
16    AES128-SHA256                TLSv1.2
17    AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2
18    AES256-SHA256                TLSv1.2
19    AES256-SHA                   TLSv1,TLSv1.1,TLSv1.2
20    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2
21    DHE-RSA-CAMELLIA256-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
22    CAMELLIA256-SHA              TLSv1,TLSv1.1,TLSv1.2
23    DHE-RSA-CAMELLIA128-SHA      TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
24    CAMELLIA128-SHA              TLSv1,TLSv1.1,TLSv1.2
25    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,P-256,256bits
26    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
27    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: 300
OCSP stapling: not supported
Server side cipher ordering
[root@ldap2 cipherscan-master]# ./cipherscan ldap2.zimbra.DOMAIN.com:8443
................
Target: ldap2.zimbra.DOMAIN.com:8443

prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,B-571,570bits
2     ECDHE-RSA-AES128-SHA256      TLSv1.2                ECDH,B-571,570bits
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits
5     DHE-RSA-AES128-SHA256        TLSv1.2                DH,1024bits
6     DHE-RSA-AES128-SHA           TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
7     AES128-GCM-SHA256            TLSv1.2
8     AES128-SHA256                TLSv1.2
9     AES128-SHA                   TLSv1,TLSv1.1,TLSv1.2
10    ECDHE-RSA-RC4-SHA            TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
11    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2
12    RC4-MD5                      TLSv1,TLSv1.1,TLSv1.2
13    ECDHE-RSA-DES-CBC3-SHA       TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
14    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
15    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Client side cipher ordering
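Reading one cipherscan table by eye is fine; doing it for every proxy and mailstore after each change is not. Below is an added example (my script, not part of cipherscan or Zimbra) that parses the table layout shown above and reports which offered suites are 3DES, RC4 or MD5-based, which DHE suites use a group smaller than 2048 bits, whether a 3DES or RC4 suite is reachable over TLSv1 (the thing Outlook 2011 needs), and whether the listener honors the client's cipher order. The sample input is a constructed excerpt of the 8443 output above (some rows omitted, original prio numbers kept).

```python
"""Triage a cipherscan run against a Zimbra listener.

Added example for this wiki page, not part of cipherscan or Zimbra.
Assumes the table layout cipherscan printed above: a 'Target:' line,
'prio  ciphersuite  protocols  pfs_keysize' rows, and a trailing
'Server side cipher ordering' / 'Client side cipher ordering' line.
"""
import re

# (substring of the OpenSSL suite name, why it matters)
WEAK = (
    ('DES-CBC3', '3DES, 64-bit block cipher; what Outlook 2011 needs'),
    ('RC4', 'RC4 stream cipher'),
    ('MD5', 'MD5-based MAC'),
)


def parse_cipherscan(text):
    rows, ordering, target = [], None, None
    for line in text.splitlines():
        parts = line.split()
        if line.startswith('Target:'):
            target = parts[1]
        elif parts and parts[0].isdigit():          # a suite row
            rows.append({
                'prio': int(parts[0]),
                'suite': parts[1],
                'protocols': parts[2].split(','),
                'pfs': parts[3] if len(parts) > 3 else None,
            })
        elif line.endswith('cipher ordering'):
            ordering = parts[0].lower()             # 'server' or 'client'
    return {'target': target, 'rows': rows, 'ordering': ordering}


def weak_suites(scan):
    """Suites matching a WEAK pattern, in the order the scan listed them."""
    out = []
    for r in scan['rows']:
        for needle, why in WEAK:
            if needle in r['suite']:
                out.append((r['suite'], why))
                break
    return out


def small_dh(scan, min_bits=2048):
    """DHE suites whose finite-field group is below min_bits."""
    out = []
    for r in scan['rows']:
        m = re.match(r'DH,(\d+)bits$', r['pfs'] or '')
        if m and int(m.group(1)) < min_bits:
            out.append((r['suite'], int(m.group(1))))
    return out


def report(text):
    scan = parse_cipherscan(text)
    # Outlook 2011 needs a 3DES or RC4 suite it can reach over TLSv1
    legacy = [r['suite'] for r in scan['rows']
              if 'TLSv1' in r['protocols']
              and any(needle in r['suite'] for needle, _ in WEAK)]
    return {
        'target': scan['target'],
        'weak': weak_suites(scan),
        'small_dh': small_dh(scan),
        'outlook_2011_ok': bool(legacy),
        # with client-side ordering a client that prefers RC4/3DES gets it
        # even though AES-GCM is on offer; server-side ordering prevents that
        'client_ordering': scan['ordering'] == 'client',
    }


# Constructed excerpt of the 8443 scan shown on this page (rows omitted,
# prio numbers kept as printed).
SCAN_8443 = """\
Target: ldap2.zimbra.DOMAIN.com:8443

prio  ciphersuite                  protocols              pfs_keysize
1     ECDHE-RSA-AES128-GCM-SHA256  TLSv1.2                ECDH,B-571,570bits
3     ECDHE-RSA-AES128-SHA         TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
4     DHE-RSA-AES128-GCM-SHA256    TLSv1.2                DH,1024bits
7     AES128-GCM-SHA256            TLSv1.2
10    ECDHE-RSA-RC4-SHA            TLSv1,TLSv1.1,TLSv1.2  ECDH,B-571,570bits
11    RC4-SHA                      TLSv1,TLSv1.1,TLSv1.2
12    RC4-MD5                      TLSv1,TLSv1.1,TLSv1.2
14    EDH-RSA-DES-CBC3-SHA         TLSv1,TLSv1.1,TLSv1.2  DH,1024bits
15    DES-CBC3-SHA                 TLSv1,TLSv1.1,TLSv1.2

Certificate: UNTRUSTED, 2048 bit, sha256WithRSAEncryption signature
TLS ticket lifetime hint: None
OCSP stapling: not supported
Client side cipher ordering
"""

if __name__ == '__main__':
    for key, value in report(SCAN_8443).items():
        print(key, value)
```

Run it over the saved output of ./cipherscan host:port for each listener; the outlook_2011_ok field tells you whether the change achieved its purpose, and the weak and client_ordering fields tell you what else you exposed by making it.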
