Cipher suites: Difference between revisions

No edit summary
Line 3: Line 3:


= Enable Strong Ciphers =
= Enable Strong Ciphers =
To enable strong ciphers, weak ciphers must be disabled.  It is often best to run a SSL/TLS cipher scan first to see which ciphers your server currently supports.  Once the supported weak ciphers are determined, they can be disabled one by one system wide using the '''zimbraSSLExcludeCipherSuites''' global directory attribute.   
To enable strong ciphers, weak ciphers must be disabled.  It is often best to run a SSL/TLS cipher scan first to see which ciphers your server currently supports.  Once the supported weak ciphers are determined, they can be disabled one by one system wide using the '''zimbraSSLExcludeCipherSuites''' global directory attribute.
 
As of today it is recommended to test HTTPS/SSL against multiple checks:
 
[https://www.ssllabs.com/ssltest/index.html SSL Labs (Qualsys)]
   
[https://sslcheck.globalsign.com GlobalSign]
 
[https://ssltools.websecurity.symantec.com/checker/#home Verisgin/Symantec]
 
To disable weak ciphers use the ''zmprov'' command.  Be sure to prefix the attribute name with "+" when using mcf to keep existing values.


Disable weak ciphers using the ''zmprov'' command.  Be sure to prefix the attribute name with "+" when using mcf to keep existing values.
  su - zimbra
  su - zimbra
  zmprov mcf +zimbraSSLExcludeCipherSuites <cipher1>
  zmprov mcf +zimbraSSLExcludeCipherSuites <cipher1>
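Review bot: the added link text spells the vendor as "Verisgin" and the SSL Labs link spells "Qualsys"; both should read "VeriSign" and "Qualys" while these lines are being touched. The reworded sentence "Disable weak ciphers using the zmprov command" also loses the link to the scan step above it; "Once the scan has identified them, disable weak ciphers using the zmprov command" would keep the flow from scan to zmprov.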
Line 13: Line 22:
  zmmailboxdctl restart
  zmmailboxdctl restart


Here is ciphers list that excludes SSLv2 and ciphers less than 128 bit for IMAPS, POP3S, and HTTPS. This list should pass all security scans, so please let  me know if it does not.
This is the current listing as of ZCS 8.0.7 according to SSL Verification test by
zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA
[https://www.ssllabs.com/ssltest/index.html Qualsys SSL Test]
zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
 
zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA
  su - zimbra
zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
 
zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5
  zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA
  zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA
  zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA
  zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA
  zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 
  zmmailboxdctl restart


Additional security scans will show ciphers not excluded from the configuration.
We're working on Jetty Configuration to get at least an A- Rating at [https://www.ssllabs.com/ssltest/index.html SSL Labs (Qualsys)].


= Bugs =
= Bugs =
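Review bot: the new exclusion list contains TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA twice (the third-from-last and last zmprov lines), so one of the two should be dropped. More importantly, the list now also excludes TLS_DHE_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, which are 128/256-bit suites, while the removed sentence described the list as "ciphers less than 128 bit"; the new introductory sentence should say why these AES suites are excluded, otherwise readers will copy a list that disables stronger suites than the section's stated goal.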

Revision as of 20:07, 23 April 2014

Introduction

By default, the Zimbra mailbox server, zmmailboxd, supports both strong and weak SSL/TLS cipher suites for IMAPS, POP3S, and HTTPS. A typical security requirement is to disable weak ciphers, which usually means SSL versions prior to SSLv3 and any cipher suite that does not provide at least 128-bit key strength.

Enable Strong Ciphers

To enable strong ciphers, weak ciphers must be disabled. It is best to run an SSL/TLS cipher scan first to see which ciphers your server currently offers. Once the supported weak ciphers are known, they can be disabled one by one, system-wide, using the zimbraSSLExcludeCipherSuites global directory attribute.

As of today it is recommended to test HTTPS/SSL against multiple checks:

SSL Labs (Qualys): https://www.ssllabs.com/ssltest/index.html

GlobalSign: https://sslcheck.globalsign.com

VeriSign/Symantec: https://ssltools.websecurity.symantec.com/checker/#home

To disable weak ciphers, use the zmprov command. Be sure to prefix the attribute name with "+" when using mcf: zimbraSSLExcludeCipherSuites is multi-valued, and "+" appends a value, whereas omitting it replaces every value already set.

su - zimbra
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher1>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher2>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher...>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipherN>
zmmailboxdctl restart

This is the current exclusion list as of ZCS 8.0.7, as verified with the Qualys SSL Labs test:

 su - zimbra
 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA
 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA
 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5
 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA
 zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA
 zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
 zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
 zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA
 zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
 zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA
 zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
 zmmailboxdctl restart
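As an added example (not from the Zimbra wiki article), the script below applies the page's "less than 128 bit" rule to JSSE suite names, reads what is already excluded, and builds one zmprov mcf call for whatever a scan still shows as offered and weak. It assumes zmprov gcf prints one "zimbraSSLExcludeCipherSuites: VALUE" line per value and that mcf accepts several attribute/value pairs in a single call; the scanner result in main is constructed.

```python
# Added audit helper, not Zimbra's own code: classify suites by the article's
# "< 128 bit" rule and emit the zmprov command for exclusions still missing.
import re
import subprocess

# Key strength implied by the bulk-cipher token of a JSSE suite name.
# Order matters: EXPORT/40-bit tokens are matched before the plain DES token.
_BULK_BITS = [
    ("NULL", 0), ("EXPORT", 40), ("DES40", 40), ("RC4_40", 40), ("RC2_CBC_40", 40),
    ("DES_CBC", 56), ("3DES_EDE", 112), ("RC4_128", 128),
    ("AES_128", 128), ("AES_256", 256),
]

def suite_bits(name: str) -> int:
    """Return the key strength a JSSE suite name advertises; -1 if unknown."""
    for token, bits in _BULK_BITS:
        if token in name:
            return bits
    return -1

def is_weak(name: str, minimum: int = 128) -> bool:
    """Weak per the article: under 128 bit, or export-era MD5 integrity."""
    bits = suite_bits(name)
    return (0 <= bits < minimum) or name.endswith("_MD5")

def parse_gcf(output: str) -> set[str]:
    """Parse 'zmprov gcf zimbraSSLExcludeCipherSuites' output into a set."""
    return set(re.findall(r"^zimbraSSLExcludeCipherSuites:\s*(\S+)", output, re.M))

def missing_exclusions(current: set[str], offered: list[str]) -> list[str]:
    """Suites a scan saw offered that are weak and not yet excluded."""
    return sorted(s for s in offered if is_weak(s) and s not in current)

def mcf_command(suites: list[str]) -> str:
    """One zmprov mcf call; '+' appends to the multi-valued attribute."""
    pairs = " ".join(f"+zimbraSSLExcludeCipherSuites {s}" for s in suites)
    return f"zmprov mcf {pairs}"

if __name__ == "__main__":
    # Live use, run as the zimbra user: read what is configured right now.
    out = subprocess.run(["zmprov", "gcf", "zimbraSSLExcludeCipherSuites"],
                         capture_output=True, text=True, check=True).stdout
    # Constructed scanner result; replace with the suites your scan reports.
    offered = ["TLS_RSA_WITH_AES_128_CBC_SHA", "SSL_RSA_WITH_DES_CBC_SHA"]
    todo = missing_exclusions(parse_gcf(out), offered)
    if todo:
        print(mcf_command(todo))
        print("zmmailboxdctl restart")
```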

We're working on the Jetty configuration to get at least an A- rating at SSL Labs (Qualys).

Bugs

Prior to ZCS 5.0.10, the zimbraSSLExcludeCipherSuites attribute values are not picked up by the Jetty configuration for HTTPS. To fix, replace all occurrences of zimbraSSLExcludeCipherSuites with zimbraSSLExcludeCipherSuitesXML in /opt/zimbra/jetty/etc/jetty.xml.in.

cd /opt/zimbra/jetty/etc
sed 's/%%zimbraSSLExcludeCipherSuites%%/%%zimbraSSLExcludeCipherSuitesXML%%/g' jetty.xml.in > /tmp/jetty.xml.in.new
cp jetty.xml.in /tmp/jetty.xml.in.old
mv /tmp/jetty.xml.in.new jetty.xml.in
zmmailboxdctl restart

Please see bug 30691 for more details.

References

J2SE cipher list: http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#SunJSSE

OpenSSL ciphers list: http://openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_


Verified Against: Zimbra Collaboration Suite 5.0.9
Date Created: 10/1/2008
Article ID: https://wiki.zimbra.com/index.php?title=Cipher_suites
Date Modified: 2014-04-23