Disable DH 1024

Revision as of 07:45, 12 December 2022 by Barry de Graaff

Disable Diffie-Hellman (DH 1024) at mailbox level

   KB 24489        Last updated on 2022-12-12  



Updating "zimbraSSLDHParam" affects the proxy level only. If you want steps to configure the proxy and other Internet-facing services, read: https://wiki.zimbra.com/wiki/Cipher_suites. The article below gives the steps to update the Diffie-Hellman (DH) key size at mailbox level.


By adding "jdk.tls.ephemeralDHKeySize" to mailboxd_java_options, the DH key size used by mailboxd can be changed (and weak DH 1024 disabled) at mailbox level.


These commands must be run on mailbox servers only.

JDK 17 supports a maximum key size value of 2048.

Step 1:

Get existing value of the mailboxd_java_options.
$ zmlocalconfig mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED

Step 2:

Add "-Djdk.tls.ephemeralDHKeySize=2048" to mailboxd_java_options. Note that "zmlocalconfig -e" replaces the whole value, so base the new value on the output of step 1 and only add the new option.
$ zmlocalconfig -e mailboxd_java_options="-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED"

Step 3:

Restart mailbox services
$ zmmailboxdctl restart

Step 4:

Verify using nmap
nmap --script ssl-enum-ciphers -p 8443 your-mailbox-server.example.com
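The steps above hand-edit the full option string. As an added example (not part of the wiki article or of Zimbra's own tooling), the helper below takes the existing mailboxd_java_options value, adds -Djdk.tls.ephemeralDHKeySize or updates it if already present, and leaves every other JVM option untouched; the sample option string is constructed and shortened, and the commented lines show how it would be combined with the page's zmlocalconfig and zmmailboxdctl commands.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki page or Zimbra's tooling.
# Pure string helpers so the logic can be checked offline; the real
# zmlocalconfig / zmmailboxdctl calls are shown commented out at the end.

# set_dh_key_size "<existing options>" <bits> -> prints the new options string
set_dh_key_size() {
  opts="$1"
  bits="$2"
  flag="-Djdk.tls.ephemeralDHKeySize=$bits"
  case " $opts " in
    *" -Djdk.tls.ephemeralDHKeySize="*)
      # Option already present (e.g. a weak 1024): replace its value in place.
      printf '%s\n' "$opts" | sed "s/-Djdk\.tls\.ephemeralDHKeySize=[^ ]*/$flag/"
      ;;
    *)
      # Option absent: append it, keeping all other options as they are.
      printf '%s %s\n' "$opts" "$flag"
      ;;
  esac
}

# dh_key_size "<options>" -> prints the configured DH size, or "unset"
dh_key_size() {
  v=$(printf '%s\n' "$1" | tr ' ' '\n' \
      | sed -n 's/^-Djdk\.tls\.ephemeralDHKeySize=//p' | tail -n 1)
  printf '%s\n' "${v:-unset}"
}

# Constructed sample in the shape of the page's step 1 output (shortened).
SAMPLE_OPTS='-server -Dhttps.protocols=TLSv1.2 -Djava.awt.headless=true -XX:+UseG1GC'

# Real usage on a mailbox server, as the zimbra user (uncomment to apply):
# current=$(zmlocalconfig mailboxd_java_options | sed 's/^mailboxd_java_options = //')
# new=$(set_dh_key_size "$current" 2048)
# zmlocalconfig -e mailboxd_java_options="$new"
# zmmailboxdctl restart
```

After the restart, the nmap check in step 4 confirms what the server actually negotiates, independently of the configured string.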

Ref: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#jsse-impl-security-property

Further Reading: Update DH parameters at proxy level


Submitted by: Raghu Noti
Verified Against: ZCS 8.8.15, ZCS 9.0
Date Created: 2022-12-01
Article ID: https://wiki.zimbra.com/index.php?title=Disable_DH_1024
Date Modified: 2022-12-12
