Cipher suites: Difference between revisions
Revision as of 00:13, 2 October 2008
Introduction
By default, the Zimbra mailbox server, zmmailboxd, supports both strong and weak SSL/TLS cipher suites for IMAPS, POP3S, and HTTPS. A typical security requirement is to disable weak ciphers, which usually means SSL versions prior to SSLv3 and any cipher not supporting at least 128 bits.
Enable Strong Ciphers
To enable strong ciphers, weak ciphers must be disabled. It is often best to run an SSL/TLS cipher scan first to see which ciphers your server currently supports. Once the supported weak ciphers are determined, they can be disabled one by one system-wide using the zimbraSSLExcludeCipherSuites global directory attribute.
Disable weak ciphers using the zmprov command. Be sure to prefix the attribute name with "+" when using mcf to keep existing values.
su - zimbra
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher1>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher2>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher...>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipherN>
zmmailboxd restart
Here is a cipher list that excludes SSLv2 and ciphers with fewer than 128 bits for IMAPS, POP3S, and HTTPS. This list should pass all security scans, so please let me know if it does not.
zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5
zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA
zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA
zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA
Additional security scans will show ciphers not excluded from the configuration.
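As an added example (not part of the original page and not a Zimbra tool), the script below takes the cipher-suite names a scan of your own server reports, applies the rule stated above (drop export-grade suites and anything under 128 effective bits, which puts 3DES at 112 bits on the weak side), and prints the zmprov commands that exclude them. The name-parsing regex, the key-size table and the SCAN_RESULT list are constructed assumptions of this example.

```python
import re

# Effective key bits per bulk-cipher token in JSSE suite names (assumed table
# for this example; 3DES is counted at its effective 112 bits, not 168).
BULK_BITS = {
    "NULL": 0, "DES40": 40, "RC4_40": 40, "RC2_CBC_40": 40,
    "DES": 56, "3DES_EDE": 112, "IDEA": 128,
    "RC4_128": 128, "AES_128": 128, "AES_256": 256,
}

# Shape of a JSSE suite name: SSL_/TLS_ <kx> _WITH_ <bulk> [_CBC] _ <MAC>
SUITE_RE = re.compile(
    r"^(?:SSL|TLS)_(?P<kx>.+?)_WITH_(?P<bulk>.+?)_(?:CBC_)?(?P<mac>MD5|SHA\d*)$")


def key_bits(suite):
    """Effective key length of a suite. A bulk cipher missing from the table
    counts as 0 so it is flagged for review rather than silently kept."""
    m = SUITE_RE.match(suite)
    if not m:
        raise ValueError(f"unrecognised cipher suite name: {suite}")
    return BULK_BITS.get(m.group("bulk"), 0)


def is_weak(suite, min_bits=128):
    """Weak = export-grade key exchange or fewer than min_bits effective bits."""
    bits = key_bits(suite)  # raises on names the regex cannot parse
    export = "EXPORT" in SUITE_RE.match(suite).group("kx")
    return export or bits < min_bits


def exclusion_commands(suites, min_bits=128):
    """One zmprov command per weak suite. The '+' prefix appends to the
    multi-valued attribute instead of overwriting values already set."""
    return [f"zmprov mcf +zimbraSSLExcludeCipherSuites {s}"
            for s in sorted(set(suites)) if is_weak(s, min_bits)]


# Constructed sample: names as a scan of a default zmmailboxd might list them.
SCAN_RESULT = [
    "SSL_DHE_DSS_WITH_DES_CBC_SHA", "SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_DHE_RSA_WITH_DES_CBC_SHA", "SSL_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "SSL_RSA_EXPORT_WITH_RC4_40_MD5", "SSL_RSA_WITH_3DES_EDE_CBC_SHA",
    "SSL_RSA_WITH_DES_CBC_SHA", "TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA",
    "TLS_RSA_EXPORT_WITH_DES40_CBC_SHA", "TLS_RSA_WITH_DES_CBC_SHA",
    "SSL_RSA_WITH_RC4_128_MD5", "SSL_RSA_WITH_RC4_128_SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_DHE_RSA_WITH_AES_256_CBC_SHA",
]

if __name__ == "__main__":
    print("\n".join(exclusion_commands(SCAN_RESULT)))
```

Run against the sample, the output is exactly the ten-suite exclusion list given above; re-run the scan after the restart to confirm nothing weak is still offered.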
Bugs
Prior to ZCS 5.0.10, the zimbraSSLExcludeCipherSuites attribute values are not picked up by the Jetty configuration for HTTPS. To fix, replace all occurrences of zimbraSSLExcludeCipherSuites with zimbraSSLExcludeCipherSuitesXML in /opt/zimbra/jetty/etc/jetty.xml.in.
cd /opt/zimbra/jetty/etc
sed 's/%%zimbraSSLExcludeCipherSuites%%/%%zimbraSSLExcludeCipherSuitesXML%%/g' jetty.xml.in > /tmp/jetty.xml.in.new
cp jetty.xml.in /tmp/jetty.xml.in.old
mv /tmp/jetty.xml.in.new jetty.xml.in
zmmailboxdctl restart
Please see bug 30691 for more details.