Disable DH 1024
Disable Diffie-Hellman (DH 1024) at mailbox level
Problem
Updating "zimbraSSLDHParam" affects the proxy level only. So how do you change the Diffie-Hellman (DH) key size at the mailbox level?
Solution
By adding "jdk.tls.ephemeralDHKeySize" to mailboxd_java_options, the DH key size can be changed (or weak DH 1024 disabled) at the mailbox level.
Note: these commands are to be run on mailbox servers only.
Step 1:
- Get the existing value of mailboxd_java_options.
- Example:
$ zmlocalconfig mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED
Step 2:
- Add "-Djdk.tls.ephemeralDHKeySize=2048" to mailboxd_java_options.
- Example:
$ zmlocalconfig -e mailboxd_java_options="-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED"
Step 3:
- Restart the mailbox services:
$ zmmailboxdctl restart
Step 4:
- Verify using nmap:
nmap --script ssl-enum-ciphers -p 8443 your-mailbox-server.example.com
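The steps above retype the entire mailboxd_java_options value, which makes it easy to drop an unrelated JVM option by accident. As an added example (not part of the original article), the following POSIX shell script inserts or replaces only the -Djdk.tls.ephemeralDHKeySize flag in the existing value; it assumes "zmlocalconfig -m nokey KEY" prints the bare value and that it is run as the zimbra user on a mailbox server.

```shell
#!/bin/sh
# Added example, not from the original article: set the ephemeral DH key
# size in mailboxd_java_options without retyping the whole option string.
# Assumes `zmlocalconfig -m nokey KEY` prints the bare value and that the
# script runs as the zimbra user on a mailbox server.

# set_dh_keysize_opts OPTIONS BITS
# Prints OPTIONS with exactly one -Djdk.tls.ephemeralDHKeySize=BITS
# (any existing value of the flag is removed first).
set_dh_keysize_opts() {
    opts=$1
    bits=$2
    # Strip every existing occurrence of the flag, then trim whitespace.
    stripped=$(printf '%s\n' "$opts" \
        | sed -e 's/[[:space:]]*-Djdk\.tls\.ephemeralDHKeySize=[^[:space:]]*//g' \
              -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    if [ -n "$stripped" ]; then
        printf '%s ' "$stripped"
    fi
    printf -- '-Djdk.tls.ephemeralDHKeySize=%s\n' "$bits"
}

# has_dh_keysize OPTIONS BITS: exit 0 if the flag is present with that value.
has_dh_keysize() {
    printf '%s\n' "$1" \
        | grep -Eq -- "(^|[[:space:]])-Djdk\.tls\.ephemeralDHKeySize=$2([[:space:]]|$)"
}

# Read the live value, rewrite it, store it, then restart mailboxd (Step 3).
apply_dh_keysize() {
    bits=${1:-2048}
    current=$(zmlocalconfig -m nokey mailboxd_java_options)
    new=$(set_dh_keysize_opts "$current" "$bits")
    zmlocalconfig -e "mailboxd_java_options=$new"
    zmmailboxdctl restart
}

# Usage: sh set-dh-keysize.sh apply [BITS]   (default 2048)
case "${1:-}" in
    apply) apply_dh_keysize "${2:-2048}" ;;
esac
```

Running it a second time with a different size replaces the flag instead of appending a duplicate, so the same script can later be used to move to 3072 or 4096.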
Further Reading: Update DH parameters at proxy level
https://wiki.zimbra.com/wiki/Cipher_suites#DH_parameters
Submitted by: Raghu Noti