Disable DH 1024: Difference between revisions
Revision as of 10:14, 1 December 2022

Disable Diffie-Hellman (DH 1024) at mailbox level


KB 24489 (last updated on 2022-12-01)





Problem

Setting "zimbraSSLDHParam" changes the DH parameters used by the proxy (nginx) only; it has no effect on mailboxd, which terminates TLS in the Java (JSSE) stack. So how do you raise the Diffie-Hellman (DH) key size, i.e. stop 1024-bit DH being negotiated, at the mailbox level?

Solution

Adding the JVM system property "jdk.tls.ephemeralDHKeySize" to mailboxd_java_options sets the size of the ephemeral DH keys that mailboxd's Java TLS stack generates for DHE cipher suites. Setting it to 2048 means mailboxd no longer offers 1024-bit DH groups (the "weak DH" finding in scanners). The property accepts "legacy", "matched", or an integer number of bits from 1024 to 8192.

Note: run these commands as the zimbra user, and only on mailbox servers; they have no effect on proxy or MTA nodes.

Step 1:

Get the existing value of mailboxd_java_options. You will need to re-enter it in full in Step 2, because zmlocalconfig -e replaces the whole value rather than appending to it.
Example:
$ zmlocalconfig mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED

Step 2:

Set mailboxd_java_options to its existing value with "-Djdk.tls.ephemeralDHKeySize=2048" added. Note that the example below also adds TLSv1.3 to -Dhttps.protocols and -Djdk.tls.client.protocols; that is a separate change, not required for the DH fix, so keep your own protocol list from Step 1 unless you intend to change it.
Example:
$ zmlocalconfig -e mailboxd_java_options="-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED"

Step 3:

Restart mailboxd so the new JVM options take effect:
$ zmmailboxdctl restart

Step 4:

Verify with nmap's ssl-enum-ciphers script against the mailboxd HTTPS port directly (8443 in this example). Scanning the proxy's port instead would test the proxy's DH parameters (zimbraSSLDHParam), not mailboxd's. After the change, every DHE cipher suite in the output should report (dh 2048) and the weak key exchange warning for (dh 1024) should be gone.
nmap --script ssl-enum-ciphers -p 8443 your-mailbox-server.example.com
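The following script is an added example, not Zimbra's own tooling, that carries Steps 1 through 4 out in one place. It goes a little beyond the manual steps: the flag is inserted idempotently (an existing -Djdk.tls.ephemeralDHKeySize value is replaced rather than duplicated), the requested size is validated against the values the property accepts, and the nmap output is checked mechanically for DH groups below a minimum size. It assumes that zmlocalconfig and zmmailboxdctl are on the zimbra user's PATH, that "zmlocalconfig -m nokey KEY" prints the bare value, and that nmap's ssl-enum-ciphers prints DHE suites as "TLS_... (dh N) - grade". The SAMPLE_* strings are constructed inputs, not output captured from a real server; the live commands only run when the script is invoked with --apply.

```shell
#!/bin/sh
# Added example, not Zimbra's own code. Idempotent version of Steps 1-4 above:
# rewrite mailboxd_java_options to carry exactly one
# -Djdk.tls.ephemeralDHKeySize flag, and parse nmap ssl-enum-ciphers output
# for DH groups below a minimum size.
# Assumptions: zmlocalconfig/zmmailboxdctl on PATH (zimbra user, mailbox
# node), "zmlocalconfig -m nokey KEY" prints the bare value, and the
# SAMPLE_* strings below are constructed, not captured, data.
set -eu

# jdk.tls.ephemeralDHKeySize accepts "legacy", "matched", or 1024..8192 bits.
valid_dh_key_size() {
    case $1 in
        legacy|matched) return 0 ;;
        ''|*[!0-9]*)    return 1 ;;
        *) if [ "$1" -ge 1024 ] && [ "$1" -le 8192 ]; then return 0; else return 1; fi ;;
    esac
}

# set_dh_key_size OPTS BITS: print OPTS with any existing
# -Djdk.tls.ephemeralDHKeySize=... removed and a single
# -Djdk.tls.ephemeralDHKeySize=BITS appended. Safe to run repeatedly.
set_dh_key_size() {
    stripped=$(printf '%s' "$1" \
        | sed -e 's/ *-Djdk\.tls\.ephemeralDHKeySize=[A-Za-z0-9]*//g' -e 's/^ *//')
    flag="-Djdk.tls.ephemeralDHKeySize=$2"
    if [ -n "$stripped" ]; then
        printf '%s %s' "$stripped" "$flag"
    else
        printf '%s' "$flag"
    fi
}

# weak_dh_count NMAP_OUTPUT MIN_BITS: number of cipher-suite lines in
# "nmap --script ssl-enum-ciphers" output whose DH group is smaller than
# MIN_BITS. Only lines naming a TLS_ suite are counted, so the separate
# "Key exchange (dh 1024) ..." warning line is not double counted.
# 0 means the host passes.
weak_dh_count() {
    min=$2
    n=0
    for size in $(printf '%s\n' "$1" \
        | sed -n 's/.*TLS_[A-Z0-9_]* (dh \([0-9]*\)).*/\1/p'); do
        if [ "$size" -lt "$min" ]; then n=$((n + 1)); fi
    done
    printf '%s' "$n"
}

# Live procedure (Steps 1-3). Only runs with "--apply [BITS]", as the zimbra
# user on a mailbox server.
apply_dh_key_size() {
    bits=$1
    if ! valid_dh_key_size "$bits"; then
        echo "invalid jdk.tls.ephemeralDHKeySize value: $bits" >&2
        return 1
    fi
    current=$(zmlocalconfig -m nokey mailboxd_java_options)                          # Step 1
    zmlocalconfig -e mailboxd_java_options="$(set_dh_key_size "$current" "$bits")"   # Step 2
    zmmailboxdctl restart                                                            # Step 3
}

# Constructed sample data for an offline dry run of the Step 4 check.
SAMPLE_OPTS='-server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djava.awt.headless=true'
SAMPLE_NMAP_BEFORE='| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key'
SAMPLE_NMAP_AFTER='| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A'

case "${1:-}" in
    --apply)
        apply_dh_key_size "${2:-2048}"
        ;;
    *)
        echo "new mailboxd_java_options: $(set_dh_key_size "$SAMPLE_OPTS" 2048)"
        echo "weak DH suites before: $(weak_dh_count "$SAMPLE_NMAP_BEFORE" 2048)"
        echo "weak DH suites after:  $(weak_dh_count "$SAMPLE_NMAP_AFTER" 2048)"
        ;;
esac
```

Without arguments the script only prints the dry-run results on the constructed samples; on a mailbox node, "./dh.sh --apply 2048" performs Steps 1 to 3, after which "nmap --script ssl-enum-ciphers -p 8443 host | weak_dh_count ... 2048" style checking can be done by feeding the real nmap output to weak_dh_count. Because the flag is stripped before it is re-added, running the script twice, or raising the size later, never leaves two conflicting -Djdk.tls.ephemeralDHKeySize entries in the JVM options.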

Further Reading: Update DH parameters at proxy level

https://wiki.zimbra.com/wiki/Cipher_suites#DH_parameters

Submitted by: Raghu Noti
Verified Against: ZCS 8.8.15, ZCS 9.0
Date Created: 2022-12-01
Date Modified: 2022-12-01
Article ID: https://wiki.zimbra.com/index.php?title=Disable_DH_1024