Cipher suites
Revision as of 20:11, 23 April 2014
Introduction
By default, the Zimbra mailbox server, zmmailboxd, supports both strong and weak SSL/TLS cipher suites for IMAPS, POP3S, and HTTPS. A typical security requirement is to disable weak ciphers, which usually means SSL protocol versions prior to SSLv3 and any cipher suite that does not provide at least 128-bit keys.
Enable Strong Ciphers
To enable strong ciphers, weak ciphers must be disabled. It is best practice to run an SSL/TLS cipher scan first to see which ciphers your server currently supports.
As of today it is recommended to test HTTPS/SSL against multiple checks, for example the Verisign/Symantec SSL checker (https://ssltools.websecurity.symantec.com/checker/#home) and Qualys SSL Labs (https://www.ssllabs.com/ssltest/index.html).
Once the supported weak ciphers are determined, they can be disabled one by one system-wide using the zimbraSSLExcludeCipherSuites global directory attribute.
To disable weak ciphers use the zmprov command. Be sure to prefix the attribute name with "+" when using mcf (modify config) so that the value is added to the existing list instead of replacing it.
su - zimbra
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher1>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher2>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipher...>
zmprov mcf +zimbraSSLExcludeCipherSuites <cipherN>
zmmailboxdctl restart
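The following is an added helper, not part of the original wiki page or of Zimbra itself: it takes a scanner's list of supported SunJSSE suite names, flags the ones that fail the criteria above (export-grade, DES/3DES, RC4, NULL, anonymous, MD5 MAC), de-duplicates them, and prints the matching zmprov commands for review. The sample scan output and the function names are constructed for illustration.

```shell
# Added example (not from the wiki page or Zimbra): build the
# zmprov exclusion commands from a scanner's list of supported suites.
# Assumes the input uses the Java/SunJSSE suite names that zmprov expects.

# Return 0 (weak) for export, NULL, anonymous, DES/3DES, RC4 or MD5-MAC suites.
is_weak_suite() {
  case "$1" in
    *_EXPORT_*|*_WITH_NULL_*|*_anon_*|*_WITH_DES_*|*_3DES_*|*_RC4_*|*_MD5) return 0 ;;
    *) return 1 ;;
  esac
}

# Read suite names from stdin (one per line) and print one
# 'zmprov mcf +zimbraSSLExcludeCipherSuites <suite>' line per weak suite,
# skipping blank lines and duplicates while preserving input order.
emit_exclude_commands() {
  seen=""
  while IFS= read -r suite; do
    [ -n "$suite" ] || continue
    case " $seen " in *" $suite "*) continue ;; esac
    seen="$seen $suite"
    if is_weak_suite "$suite"; then
      printf 'zmprov mcf +zimbraSSLExcludeCipherSuites %s\n' "$suite"
    fi
  done
}

# Constructed sample of a scanner's output: weak and strong suites mixed,
# with one duplicate, to exercise the filtering and de-duplication.
SAMPLE_SCAN='SSL_RSA_EXPORT_WITH_RC4_40_MD5
TLS_RSA_WITH_AES_128_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384'

# Review the generated commands, then run them as the zimbra user and
# finish with 'zmmailboxdctl restart' as the page describes.
printf '%s\n' "$SAMPLE_SCAN" | emit_exclude_commands
```

Re-run the external scan after the restart to confirm the excluded suites are no longer offered.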
This is the current listing as of ZCS 8.0.7 according to the Qualys SSL Labs test
su - zimbra
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
zmmailboxdctl restart
We're working on Jetty Configuration to get at least an A- Rating at SSL Labs (Qualys).
--Managedhosting de (talk) 20:11, 23 April 2014 (UTC)
Bugs
Prior to ZCS 5.0.10, the zimbraSSLExcludeCipherSuites attribute values are not picked up by the Jetty configuration for HTTPS. To fix, replace all occurrences of zimbraSSLExcludeCipherSuites with zimbraSSLExcludeCipherSuitesXML in /opt/zimbra/jetty/etc/jetty.xml.in.
cd /opt/zimbra/jetty/etc
sed 's/%%zimbraSSLExcludeCipherSuites%%/%%zimbraSSLExcludeCipherSuitesXML%%/g' jetty.xml.in > /tmp/jetty.xml.in.new
cp jetty.xml.in /tmp/jetty.xml.in.old
mv /tmp/jetty.xml.in.new jetty.xml.in
zmmailboxdctl restart
Please see bug 30691 for more details.
References
J2SE cipher list http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#SunJSSE
OpenSSL ciphers list http://openssl.org/docs/apps/ciphers.html#SSL_v3_0_cipher_suites_