Update Zimbra TLS cipher suites to disable Diffie-Hellman

In a previous blog post and wiki article we showed how to configure Zimbra with a strong TLS configuration. Since TLS best practice keeps evolving, we have updated both the blog post and the wiki to disable Diffie-Hellman.

If you have applied the steps from the Cipher Suites wiki before, you can run the following commands as user zimbra to apply the recent changes.

zmprov -l mcf zimbraReverseProxySSLCiphers '!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
zmproxyctl restart

postconf -e tls_medium_cipherlist='!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
postconf -e tls_preempt_cipherlist=no
zmmtactl restart

With this change we have prepended !DH:!EDH:!ADH: to the cipher list, which explicitly disables Diffie-Hellman key exchange (fixed, ephemeral and anonymous DH). In some cases, depending on the certificate provider, Diffie-Hellman will already be disabled regardless of the configured cipher list. It does not hurt to configure it anyway, and you can check your current TLS security by running a website test at internet.nl.
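To see what a cipher string actually enables before restarting the proxy or the MTA, the following added check (not part of the original post or of Zimbra's own tooling) expands the string with the OpenSSL library Python is linked against, which is the same resolution nginx and Postfix perform. Run against the list above it shows that the '!DH:!EDH:!ADH:' tokens remove every DH suite, including the two DHE-RSA entries named later in the same string, because a '!' rule in OpenSSL cipher syntax excludes a suite permanently no matter what follows.

```python
import ssl

# Cipher string from the blog post; the same value is set for the
# Zimbra proxy (nginx) and for Postfix (tls_medium_cipherlist).
ZIMBRA_CIPHERS = (
    "!DH:!EDH:!ADH:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)


def resolve_ciphers(cipher_string):
    """Expand an OpenSSL cipher string into the suites it enables,
    in preference order, using the OpenSSL library Python is linked
    against. TLS 1.3 suites are governed by a separate OpenSSL setting
    and are left out. Raises ssl.SSLError if no suite remains."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()
            if c["protocol"] != "TLSv1.3"]


def dh_suites(cipher_string):
    """Suites in the resolved list that still use finite-field
    Diffie-Hellman: ephemeral (DHE/EDH), anonymous (ADH) or fixed (DH)."""
    return [name for name in resolve_ciphers(cipher_string)
            if name.startswith(("DH", "EDH", "ADH"))]


def without_exclusions(cipher_string):
    """The same string with the leading '!DH:!EDH:!ADH:' removed, to
    show what those three tokens change."""
    return cipher_string.replace("!DH:!EDH:!ADH:", "", 1)


if __name__ == "__main__":
    print("Enabled suites:", resolve_ciphers(ZIMBRA_CIPHERS))
    # The '!' rules win over later entries: the two DHE-RSA suites
    # named at the end of the string never become active.
    print("DH suites with the blog's string: ", dh_suites(ZIMBRA_CIPHERS))
    print("DH suites without the '!' tokens: ",
          dh_suites(without_exclusions(ZIMBRA_CIPHERS)))
```

The same resolution can be reproduced on the server itself with the openssl command-line tool, so the check can run on the Zimbra host before zmproxyctl or zmmtactl is restarted.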


4 Responses to Update Zimbra TLS cipher suites to disable Diffie-Hellman

  1. Dave December 28, 2022 at 7:48 PM

    The first postconf line doesn’t work because the shell eats the !’s. You either need to quote it with single quotes instead of double, or put a \ in front of each !

    • Barry de Graaff January 4, 2023 at 12:14 AM

      Thanks for catching this typo, I updated the blog!

  2. Peter December 29, 2022 at 8:25 AM

    Why should I explicitly disable DH but not MD5, DES, RC4, CBC, etc.?

    • Barry de Graaff January 4, 2023 at 12:09 AM

      MD5, DES, RC4, CBC, etc. should be disabled when you configure Zimbra with the steps in the wiki/blog. You can validate your installation using the scanner at internet.nl.


Copyright © 2022 Zimbra, Inc. All rights reserved.