Disable DH 1024
Disable Diffie-Hellman (DH 1024) at mailbox level
Problem
Updating "zimbraSSLDHParam" affects only the proxy level. How, then, is the Diffie-Hellman (DH) key size changed at the mailbox level?
Solution
By adding "jdk.tls.ephemeralDHKeySize" to mailboxd_java_options, the ephemeral DH key size used by mailboxd can be changed (or weak 1024-bit DH disabled) at the mailbox level. The property governs only the DHE_* cipher suites of TLS 1.2 and earlier; TLS 1.3 uses fixed named groups and is unaffected. 2048 is the smallest size worth configuring; the property also accepts "matched" (use the size of the certificate key) and larger sizes on newer JDKs. Clients that cannot handle 2048-bit DH (Java 7 and older, for example) will no longer negotiate DHE suites, so make sure they can fall back to ECDHE.
Note: these commands are to be run on mailbox servers only.
Step 1:
- Get the existing value of mailboxd_java_options.
- Example:
$ zmlocalconfig mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED
Step 2:
- Append "-Djdk.tls.ephemeralDHKeySize=2048" to the value obtained in Step 1 and set it back with "zmlocalconfig -e". Keep your own existing flags rather than pasting the example below verbatim: the example additionally lists TLSv1.3 in -Dhttps.protocols and -Djdk.tls.client.protocols, which the Step 1 output does not.
- Example:
$ zmlocalconfig -e mailboxd_java_options="-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED"
Step 3:
- Restart mailbox services
$ zmmailboxdctl restart
Step 4:
- Verify with nmap. In the output, each DHE suite is listed with its group size, e.g. "(dh 2048)"; any remaining "(dh 1024)" means the old size is still in effect (mailboxd not restarted, or the option not applied). If no TLS_DHE_* suites appear at all, the server offers only ECDHE and the DH size does not come into play.
$ nmap --script ssl-enum-ciphers -p 8443 your-mailbox-server.example.com
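Added here as an example, not code from the Zimbra wiki or the Zimbra project: a small POSIX shell helper for Steps 2 and 4. Instead of retyping the whole option string, it takes the current mailboxd_java_options value and sets -Djdk.tls.ephemeralDHKeySize exactly once (replacing an existing value if one is present), and it parses "nmap --script ssl-enum-ciphers" output to flag DHE suites below the required size. The nmap output embedded in the block is constructed sample data in nmap's format, not a capture from a real server, and the host name mailbox.example.com in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki page: helpers for Step 2 and Step 4.
#  - set_dh_key_size builds the new mailboxd_java_options value from the current
#    one, so only the DH flag changes and every other JVM flag is kept verbatim.
#  - weak_dh_suites reads "nmap --script ssl-enum-ciphers" output and prints the
#    DHE suites whose group is smaller than the required size.

# Usage: set_dh_key_size "CURRENT_OPTIONS" BITS
# Prints CURRENT_OPTIONS with -Djdk.tls.ephemeralDHKeySize=BITS present exactly
# once: an existing flag is replaced in place, otherwise the flag is appended.
set_dh_key_size() {
    opts=$1
    bits=$2
    case " $opts " in
        *" -Djdk.tls.ephemeralDHKeySize="*)
            printf '%s\n' "$opts" |
                sed "s/-Djdk\.tls\.ephemeralDHKeySize=[^ ]*/-Djdk.tls.ephemeralDHKeySize=$bits/"
            ;;
        *)
            printf '%s -Djdk.tls.ephemeralDHKeySize=%s\n' "$opts" "$bits"
            ;;
    esac
}

# Usage: weak_dh_suites MIN_BITS < nmap_output
# Prints every cipher-suite line advertising "(dh N)" with N < MIN_BITS.
# Exit status 0 when none are found (check passed), 1 otherwise.
weak_dh_suites() {
    awk -v min="$1" '
        # cipher lines look like: |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
        # the "Key exchange (dh 1024) ..." warning line is deliberately not counted
        /^[|][ ]+TLS_/ && match($0, /\(dh [0-9]+\)/) {
            bits = substr($0, RSTART + 4, RLENGTH - 5) + 0
            if (bits < min) { print; found = 1 }
        }
        END { exit (found ? 1 : 0) }
    '
}

# Constructed sample data in the format of nmap's ssl-enum-ciphers script: the
# same server before and after the change.
NMAP_BEFORE='|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 1024) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 1024) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Key exchange (dh 1024) of lower strength than certificate key'

NMAP_AFTER='|   TLSv1.2:
|     ciphers:
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server'

# Intended use on a mailbox server (host name is a placeholder):
#   current=$(zmlocalconfig -m nokey mailboxd_java_options)
#   zmlocalconfig -e mailboxd_java_options="$(set_dh_key_size "$current" 2048)"
#   zmmailboxdctl restart
#   nmap --script ssl-enum-ciphers -p 8443 mailbox.example.com | weak_dh_suites 2048
```

An independent cross-check is openssl s_client: "openssl s_client -connect mailbox.example.com:8443 -tls1_2 -cipher DHE </dev/null 2>/dev/null | grep 'Server Temp Key'" prints "Server Temp Key: DH, 2048 bits" once the change is live. The -cipher restriction forces a DHE suite; without it the server will normally pick ECDHE and report an EC key instead, which says nothing about the DH size.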
Further Reading: Update DH parameters at proxy level
https://wiki.zimbra.com/wiki/Cipher_suites#DH_parameters
Submitted by: Raghu Noti