Disable DH 1024: Difference between revisions
Revision as of 10:14, 1 December 2022
Disable Diffie-Hellman (DH 1024) at mailbox level
Problem
Updating "zimbraSSLDHParam" affects the proxy level only, so how do you change the Diffie-Hellman (DH) key size at the mailbox level?
Solution
Adding "jdk.tls.ephemeralDHKeySize" to mailboxd_java_options changes the ephemeral DH key size used by mailboxd at the mailbox level (and so disables weak 1024-bit DH).
Note: these commands must be run on mailbox servers only.
Step 1:
- Get the existing value of mailboxd_java_options.
- Example:
$ zmlocalconfig mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED
Step 2:
- Add "-Djdk.tls.ephemeralDHKeySize=2048" to mailboxd_java_options. zmlocalconfig -e replaces the whole value, so paste back every existing option from Step 1 together with the new flag (the example below also adds TLSv1.3 to both protocol lists).
- Example:
$ zmlocalconfig -e mailboxd_java_options="-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED"
Step 3:
- Restart mailbox services
$ zmmailboxdctl restart
Step 4:
- Verify using nmap
nmap --script ssl-enum-ciphers -p 8443 your-mailbox-server.example.com
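Retyping the full option string in Step 2 is where mistakes creep in (a dropped -XX flag or an unbalanced quote). The script below is an added example, not code from the Zimbra wiki page: it reads the current value in the output format shown in Step 1, inserts or replaces the ephemeral DH key size flag while leaving every other option untouched, and only touches the live configuration when zmlocalconfig is actually present on the host. The sample value is constructed and shortened.

```shell
#!/bin/sh
# Added example, not code from the Zimbra wiki page: update
# mailboxd_java_options in place instead of retyping the whole option string.
# Assumes the zmlocalconfig output format shown on the page:
#   mailboxd_java_options = -server -Dhttps.protocols=...
set -e

DH_OPT="-Djdk.tls.ephemeralDHKeySize=2048"

# Strip the "mailboxd_java_options = " prefix from zmlocalconfig output.
strip_key() {
    printf '%s\n' "$1" | sed 's/^mailboxd_java_options = //'
}

# Print the option string with -Djdk.tls.ephemeralDHKeySize=2048 present exactly
# once: an existing value (1024, legacy, ...) is replaced, an absent flag is
# appended, and every other JVM option is left untouched.
add_dh_opt() {
    opts="$1"
    case " $opts " in
        *" -Djdk.tls.ephemeralDHKeySize="*)
            printf '%s\n' "$opts" | sed "s/-Djdk\.tls\.ephemeralDHKeySize=[^ ]*/$DH_OPT/"
            ;;
        *)
            printf '%s %s\n' "$opts" "$DH_OPT"
            ;;
    esac
}

# Succeed (exit 0) only if the option string pins the ephemeral DH size to 2048.
has_dh_2048() {
    case " $1 " in
        *" $DH_OPT "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample in the page's output format (shortened for readability).
SAMPLE='mailboxd_java_options = -server -Dhttps.protocols=TLSv1.2 -Djava.awt.headless=true'
new_opts=$(add_dh_opt "$(strip_key "$SAMPLE")")
has_dh_2048 "$new_opts" && echo "sample result: $new_opts"

# On an actual mailbox server (the page notes the commands run only there),
# apply the same edit to the live value and restart mailboxd (Step 3).
if command -v zmlocalconfig >/dev/null 2>&1; then
    current=$(strip_key "$(zmlocalconfig mailboxd_java_options)")
    zmlocalconfig -e mailboxd_java_options="$(add_dh_opt "$current")"
    zmmailboxdctl restart
fi
```

After the restart, Step 4's nmap scan should no longer list 1024-bit DHE suites on port 8443.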
Further Reading: Update DH parameters at proxy level
https://wiki.zimbra.com/wiki/Cipher_suites#DH_parameters
Submitted by: Raghu Noti