Setting up Zimbra for strong ciphers only

Tonight i was working on getting a client’s Zimbra SSL configuration up to scratch, and found it somewhat difficult to get our server to make Qualys’ SSL Labs scanner happy.  I was working from the following Zimbra wiki pages:

It seems that as of Zimbra 8 (possibly before that?) there is no longer any need to configure jetty – everything seems to go through nginx as an SSL reverse proxy.I tried several different combinations and still kept getting insecure ciphers in the Qualys scan results until i stumbled across this nginx forum post and these certificate installation instructions.  Between them i managed to glean that:

So the commands i ended up with for Zimbra were:zmprov modifyConfig zimbraReverseProxySSLCiphers '!ADH:!eNULL:!aNULL:!DHE-RSA-AES256-SHA:!SSLv2:!MD5:RC4:HIGH'zmmailboxdctl restartThis was enough to get us an “A” rating in Qualys’ eyes.


Bizarre error message with Novell Certificate Server

It must be the week for stupid error messages.  I just tried to create a private SSL certificate for one of our server VMs from our Novell eDirectory iManager server.  The CSR was created by OpenSSL on the command line on the Ubuntu server, and i copied it to my laptop with the filename “req”.  When i tried to issue the certificate through iManager > Novell Certificate Server > Issue Certificate, it gave me the singularly unenlightening error:

Exception occurred processing WizardPage_CreateCert_Key.jsp

Google searches for this exact string resulted in zero hits.  The error log on the iManager server (/var/opt/novell/tomcat5/logs/catalina.out) showed a similar error:

WizardPage_005fCre.1594 java.lang.StringIndexOutOfBoundsException

After playing around with a few different certificate parameters and trying again, i decided to try something stupid: i added the filename extension “.csr”.  Unbelievably, this worked, and i was able to create and download the certificate without problems.  It seems that the iManager code makes some assumptions about the content based on the filename.

I’m glad i solved my problem, but i do have to wonder whether there are any vulnerabilities (at least of the denial-of-service persuasion) which might be possible due to these sort of assumptions.