ShanxT - Removing Insecure SSL Ciphers
Introduction
A security scan may report a list of insecure or non-compliant ciphers. The most common finding is the BEAST vulnerability. Disabling the affected cipher suites resolves it. Zimbra uses OpenSSL, so we just have to look up the cipher name together with its OpenSSL equivalent, and then disable it accordingly.
We use the attribute 'zimbraSSLExcludeCipherSuites' for this.
Getting the attribute for the respective cipher suite
Here is a mapping of the cipher names and their OpenSSL equivalents: http://www.openssl.org/docs/apps/ciphers.html#CIPHER_SUITE_NAMES. You can also check https://wiki.openssl.org/index.php/Manual:Ciphers(1)#CIPHER_SUITE_NAMES
So, for example, if the security scan shows that 'AES256-SHA' has to be disabled, scrolling down the list (or doing a quick Ctrl+F for AES256-SHA) brings up this line:
TLS_RSA_WITH_AES_256_CBC_SHA AES256-SHA
This is how we can obtain the relevant argument for '+zimbraSSLExcludeCipherSuites'.
The actual command to disable it would be:
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA
And then we restart mailbox, with:
zmmailboxdctl restart
Please note the '+' sign in front of 'zimbraSSLExcludeCipherSuites'. It adds to the list of cipher suites to be excluded. Not including the '+' sign is dangerous, as it causes the list to be overwritten, and thus only the last cipher suite is included in the list.
Testing if it is enabled or disabled:
You can perform a quick test to see if a cipher suite is supported, by running the following on the Zimbra server:
openssl s_time -connect localhost:443 -new -cipher AES256-SHA
Note that the argument for '-cipher' is the original cipher suite name, and not the OpenSSL equivalent. If the cipher is enabled, the output would be similar to:
$ openssl s_time -connect localhost:443 -new -cipher AES256-SHA
Collecting connection statistics for 30 seconds
******************************************************************************
The asterisks continue for 30 seconds. In some cases it is a random letter instead of an asterisk, but the bottom line is that the connection is successful.
If the cipher is disabled, you'll just get an error on connection:
$ openssl s_time -connect localhost:443 -new -cipher AES256-SHA
Collecting connection statistics for 30 seconds
ERROR
Disabling all known ones at once
Since mailbox needs to be restarted, you will need to do this during a downtime. The problem is that multiple ciphers can fail the scan, so the process you would have to follow is: do security scan -> find name of cipher -> disable cipher -> do scan again, and so on.
So to make it a little easier, this is a list of cipher suites that clients have disabled to pass their tests. This includes the BEAST vulnerability.
Note: This disables most block ciphers, because those were the ones affected by BEAST. Disabling some of these may break some services[1].
zmprov gacf zimbraSSLExcludeCipherSuites
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA
zimbraSSLExcludeCipherSuites: DHE-RSA-AES256-SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
zimbraSSLExcludeCipherSuites: DHE-RSA-AES256-SHA256
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_AES_256_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites: SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_AES_128_CBC_SHA256
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
zimbraSSLExcludeCipherSuites: TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites: TLS_RSA_WITH_AES_256_CBC_SHA256
To run all the above in a single command, run the following:
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
    +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
    +zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA \
    +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
    +zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA256 \
    +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA \
    +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA \
    +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA \
    +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
    +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
    +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA \
    +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
    +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
    +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
    +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA \
    +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA \
    +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
    +zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA \
    +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA \
    +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
    +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
    +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
    +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
    +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
    +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
    +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA \
    +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
After it runs, restart mailbox.
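Both the warning about the '+' sign and the bulk command above come down to appending only what is missing. The script below is an added example, not part of the original page or of Zimbra: it compares saved 'zmprov gacf zimbraSSLExcludeCipherSuites' output with a list of wanted suites and prints a 'zmprov mcf' command in which every value carries the '+' prefix. The function names, the file arguments and the sample data are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not Zimbra code: print an append-only zmprov command.
# Real use: zmprov gacf zimbraSSLExcludeCipherSuites > current.txt
#           build_command current.txt wanted.txt
ATTR=zimbraSSLExcludeCipherSuites

# Constructed sample of the `zmprov gacf` output format shown on this page.
sample_current() {
    printf '%s: %s\n' "$ATTR" TLS_RSA_WITH_AES_256_CBC_SHA \
                      "$ATTR" SSL_RSA_WITH_DES_CBC_SHA
}

# Constructed scan findings: one suite per line; blanks, comments, repeats allowed.
sample_wanted() {
    printf '%s\n' '# flagged by the scan' TLS_RSA_WITH_AES_256_CBC_SHA \
        TLS_RSA_WITH_AES_128_CBC_SHA '' SSL_RSA_WITH_3DES_EDE_CBC_SHA \
        TLS_RSA_WITH_AES_128_CBC_SHA
}

# missing_suites CURRENT WANTED: suites in WANTED that CURRENT does not exclude yet.
missing_suites() {
    awk -v attr="$ATTR:" '
        FILENAME == ARGV[1] { if ($1 == attr) have[$2] = 1; next }
        NF == 0 || $1 ~ /^#/ { next }          # blank line or comment
        NF != 1 || $1 !~ /^[A-Za-z0-9_-]+$/ {  # refuse anything but a bare name
            print "bad suite name: " $0 > "/dev/stderr"; bad = 1; next
        }
        !have[$1]++ { print $1 }               # new, and not already printed
        END { exit bad }
    ' "$1" "$2"
}

# build_command CURRENT WANTED: print the command; print nothing if up to date.
build_command() {
    suites=$(missing_suites "$1" "$2") || return 1
    [ -n "$suites" ] || return 0
    printf 'zmprov mcf'
    for s in $suites; do
        printf ' +%s %s' "$ATTR" "$s"   # the leading "+" appends to the list
    done
    printf '\n'
}

# Demo on the constructed samples.
demo() {
    cur=$(mktemp) && want=$(mktemp) || return 1
    sample_current > "$cur"; sample_wanted > "$want"
    build_command "$cur" "$want"; rc=$?
    rm -f "$cur" "$want"; return "$rc"
}
demo
```

The command is only printed, so it can be reviewed before it is run and mailbox is restarted.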
Bug 80133
We have also disabled a lot of insecure ciphers by default in 8.0.4. Please read the release notes of 8.0.4, and see the bug here: https://bugzilla.zimbra.com/show_bug.cgi?id=80133