After patching Zimbra Daffodil to version 10.0.2, 9.0.0 Patch-34 & 8.8.15 Patch-41, some email clients such as Outlook experienced access issues. This was caused by the update of the OpenSSL version bundled with Zimbra. Since many users are still on older email clients, I decided to temporarily re-enable weak ciphers and then gradually upgrade the Outlook versions in use.
Warning: Disabling FIPS and enabling weak ciphers is strongly not recommended. Use this workaround as a temporary solution. Please upgrade your email clients as soon as possible.
For this process, I followed the guidelines from the Zimbra forum.
# Method 1: Adding SECLEVEL=0 to zimbraReverseProxySSLCiphers
Get the current configuration:
zmprov gcf zimbraReverseProxySSLCiphers
Below is my current configuration:
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:TLS_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
Add the text “:@SECLEVEL=0” at the end:
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:TLS_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4:@SECLEVEL=0'
Restart the Zimbra services:
zmcontrol restart
# Method 2: Adding Configuration to the openssl.cnf File
Run as root. Disable the FIPS provider:
cd /opt/zimbra/common/etc/ssl
cp openssl-source.cnf openssl.cnf
Open the openssl.cnf file:
vi /opt/zimbra/common/etc/ssl/openssl.cnf
Add the following lines at the bottom:
SECLEVEL=0
[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=0
Restart the Zimbra services:
su - zimbra -c 'zmcontrol restart'
# Method 3: Replace OpenSSL
I manually compiled OpenSSL to support weak ciphers and 3DES.
Download the OpenSSL build I compiled from here: https://github.com/imanudin11/downloads. Pick the archive matching your OS and save it in the /opt folder.
For example, I use Ubuntu 20.04.
Run as root. Disable the FIPS provider:
cd /opt/zimbra/common/etc/ssl
cp openssl-source.cnf openssl.cnf
Back up the current libssl and libcrypto libraries:
mkdir /opt/zimbra/common/lib/backup-openssl/
cp /opt/zimbra/common/lib/libcrypto.so.3 /opt/zimbra/common/lib/backup-openssl/libcrypto.so.3-`date +"%Y%m%d%H%M%S"`
cp /opt/zimbra/common/lib/libssl.so.3 /opt/zimbra/common/lib/backup-openssl/libssl.so.3-`date +"%Y%m%d%H%M%S"`
Replace OpenSSL:
cd /opt/
tar -xvf openssl309-ubuntu20.tgz
cd /opt/openssl309/lib64/
cp libssl.so.3 /opt/zimbra/common/lib/
Restart the Zimbra services:
su - zimbra -c 'zmcontrol restart'
If there are issues when restarting Zimbra, try copying the libcrypto.so.3 file as well and then restart the services:
cp libcrypto.so.3 /opt/zimbra/common/lib/
– Testing
Check whether 3DES is now available:
openssl ciphers -v ALL | grep -i 3des
Test the connection with TLS 1.0 and TLS 1.1:
openssl s_client -connect `hostname -f`:993 -tls1
openssl s_client -connect `hostname -f`:993 -tls1_1
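As an added example (not from the original post), a small shell helper that classifies the s_client output from the tests above, so the same check can confirm the workaround is active now and confirm that TLS 1.0/1.1 are refused again once it is rolled back. The hostname argument is a placeholder and the sample outputs are constructed.

```shell
# Added example for the Testing section above, not from the original post.
# Classifies "openssl s_client -connect HOST:993 -tls1 / -tls1_1" output so an
# admin can confirm the temporary workaround is active and, once it is rolled
# back, that TLS 1.0/1.1 are refused again. The sample outputs are constructed.

# classify_handshake: reads s_client output on stdin and prints one word:
#   accepted  - a cipher was negotiated, so the legacy protocol is enabled
#   rejected  - the server answered with a protocol_version alert / no cipher
#   unknown   - neither pattern seen (connection refused, wrong port, ...)
classify_handshake() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'alert protocol version'; then
    echo rejected
  elif printf '%s\n' "$out" | grep -q 'Cipher is (NONE)'; then
    echo rejected
  elif printf '%s\n' "$out" | grep -Eq '^New, .*Cipher is [A-Z0-9_-]+'; then
    echo accepted
  else
    echo unknown
  fi
}

# probe_protocol: live check against a real server, e.g.
#   probe_protocol mail.example.com 993 -tls1_1   (hostname is a placeholder)
# Needs network access, so the demo below only uses the canned samples.
probe_protocol() {
  openssl s_client -connect "$1:$2" "$3" </dev/null 2>&1 | classify_handshake
}

# Constructed sample: the shape seen in the comments when TLS 1.1 is refused.
SAMPLE_REJECTED='CONNECTED(00000003)
139891355219776:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
New, (NONE), Cipher is (NONE)
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000'
# Constructed sample: the shape printed once SECLEVEL=0 lets TLS 1.0 through.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1.0, Cipher is AES256-SHA
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA'

printf '%s\n' "$SAMPLE_REJECTED" | classify_handshake   # rejected
printf '%s\n' "$SAMPLE_ACCEPTED" | classify_handshake   # accepted
```

Run `probe_protocol <your-host> 993 -tls1_1` before the change and again after reverting the workaround; the first should print `accepted` while the fix is in place and `rejected` once it is gone.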
Good luck 🙂
Source:
– NEW! Patch for Zimbra Daffodil 10.0.2, 9.0.0 Patch-34 & 8.8.15 Patch-41
– Zimbra 8.8.15 Patch-41 released, share your experience
Thank you very, very much for sharing how you solved this problem. I did procedure 3 on CentOS 7 and it enabled TLSv1 and TLSv1.1.
Man! Thanks so much for your post!!
Solved my problem!
I have followed you for many years! Your job is great!
Hi Iman,
Can you provide some details to enable Zimbra Two-Factor Authentication (2FA)?
I am using Release 8.8.15 FOSS edition and wanted to enable the 2FA on my server.
Hello, you can follow this one: https://imanudin.net/2023/09/23/two-factor-authentication-for-zimbra-open-source-edition/
I tried Method #1/#2 and could not get Outlook 2016 to work on Windows 7.
I tried running
openssl s_client -connect `hostname -f`:993 -tls1_1
CONNECTED(00000003)
139891355219776:error:1409442E:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:ssl/record/rec_layer_s3.c:1544:SSL alert number 70
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 7 bytes and written 134 bytes
Verification: OK
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Start Time: 1702969253
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
    Extended master secret: no
---
Hello,
Please try the third method.