Disable DH 1024
Revision as of 11:31, 1 December 2022
Disable Diffie-Hellman (DH 1024) at mailbox level
Problem
Updating zimbraSSLDHParam affects the proxy level only. So how do you change the Diffie-Hellman (DH) key size at the mailbox level?
Solution
Adding jdk.tls.ephemeralDHKeySize to mailboxd_java_options sets the ephemeral DH key size that the mailboxd Java (JSSE) TLS stack uses for DHE cipher suites, so the DH key size can be changed (and weak DH 1024 disabled) at the mailbox level. The property governs the DHE key exchange of TLS 1.2 and earlier; TLS 1.3 negotiates its (EC)DHE group through the supported-groups list (jdk.tls.namedGroups) and is not affected by it.
Notes:
These commands are run on mailbox servers only, as the zimbra user.
jdk.tls.ephemeralDHKeySize takes an integer key size in bits (or the keywords legacy and matched). JDK 8u161 and later, JDK 17 included, accept values from 1024 up to 8192, so 2048 is the floor that rules out DH 1024, not the largest value the JDK supports; 2048 is the value this page uses.
Step 1:
- Get the existing value of mailboxd_java_options.
- Example (the command, followed by its output):
$ zmlocalconfig mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED
Step 2:
- Add -Djdk.tls.ephemeralDHKeySize=2048 to mailboxd_java_options. Keep every other option exactly as Step 1 returned it: zmlocalconfig -e rewrites the whole value, so anything left out is dropped. (The example below also lists TLSv1.3 in https.protocols and jdk.tls.client.protocols, which is a separate change from the Step 1 output; include it only if you intend to enable TLSv1.3.)
- Example:
$ zmlocalconfig -e mailboxd_java_options="-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED"
Step 3:
- Restart mailbox services
$ zmmailboxdctl restart
Step 4:
- Verify using nmap. Every DHE suite should now be listed with (dh 2048), and the warning "Key exchange (dh 1024) of lower strength than certificate key" should no longer appear.
nmap --script ssl-enum-ciphers -p 8443 your-mailbox-server.example.com
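The four steps above as one script, added here as an example and not code from this wiki page or from Zimbra: set_dh_option rewrites a mailboxd_java_options value so that exactly one -Djdk.tls.ephemeralDHKeySize flag is present and every other option is left verbatim (so re-running it is safe and it cannot silently change https.protocols), apply_dh_option wires that to zmlocalconfig and zmmailboxdctl, and weak_dh_groups reads nmap ssl-enum-ciphers output and reports each DHE suite whose group is below the target size. The function names, the script file name in the comments and the embedded nmap output are assumptions; the nmap sample is constructed, not a real capture.

```shell
#!/bin/sh
# Added example, not code from the Zimbra wiki page or from Zimbra itself.
# Assumes POSIX sh with awk; apply_dh_option additionally assumes it runs as
# the zimbra user on a mailbox server where zmlocalconfig/zmmailboxdctl exist.

# Return $1 (a mailboxd_java_options value) with exactly one
# -Djdk.tls.ephemeralDHKeySize=$2 flag. Any existing copy of the flag is
# dropped first and every other option is kept verbatim, so the function is
# idempotent and never touches unrelated settings such as https.protocols.
set_dh_option() {
    printf '%s\n' "$1" | awk -v bits="$2" '{
        out = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^-Djdk\.tls\.ephemeralDHKeySize=/) continue
            out = out (out == "" ? "" : " ") $i
        }
        out = out (out == "" ? "" : " ") "-Djdk.tls.ephemeralDHKeySize=" bits
        print out
    }'
}

# Steps 1-3 of the page in one go: read the live value, rewrite only the DH
# flag, write the result back, restart mailboxd.
apply_dh_option() {
    bits=${1:-2048}
    current=$(zmlocalconfig -m nokey mailboxd_java_options)
    updated=$(set_dh_option "$current" "$bits")
    zmlocalconfig -e "mailboxd_java_options=$updated"
    zmmailboxdctl restart
}

# Step 4: read `nmap --script ssl-enum-ciphers` output on stdin and print
# every DHE suite whose group is smaller than $1 bits. Exit status 1 if any
# were found (server still weak), 0 if none were.
weak_dh_groups() {
    awk -v min="$1" '
        /TLS_[A-Z0-9_]+ \(dh [0-9]+\)/ {
            size = $0
            sub(/.*\(dh /, "", size)
            sub(/\).*/, "", size)
            if (size + 0 < min) { n++; print $2 " uses dh " size }
        }
        END { if (n > 0) exit 1; exit 0 }'
}

# Constructed sample of what nmap prints for a mailbox server that still
# offers 1024-bit DH (not a real capture); used by the "sample" mode below.
SAMPLE_NMAP='PORT     STATE SERVICE
8443/tcp open  https-alt
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key
|_  least strength: A'

case ${1:-} in
    apply)  apply_dh_option "${2:-2048}" ;;   # sh dh2048.sh apply 2048
    check)  weak_dh_groups "${2:-2048}" ;;    # nmap --script ssl-enum-ciphers -p 8443 host | sh dh2048.sh check 2048
    sample) printf '%s\n' "$SAMPLE_NMAP" | weak_dh_groups "${2:-2048}" ;;
esac
```

Run it as the zimbra user with `apply` on each mailbox server, then pipe the real nmap output into `check` from another host; a non-zero exit means a DHE suite still negotiates a group below 2048 bits. The same fact can be confirmed with a single TLS 1.2 handshake: `openssl s_client -tls1_2 -cipher DHE-RSA-AES128-GCM-SHA256 -connect your-mailbox-server.example.com:8443` prints "Server Temp Key: DH, 2048 bits" once the change has taken effect.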
Further Reading:
Update DH parameters at proxy level: https://wiki.zimbra.com/wiki/Cipher_suites#DH_parameters
jdk.tls.ephemeralDHKeySize in the JSSE Reference Guide: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#jsse-impl-security-property
Submitted by: Raghu Noti