Difference between revisions of "Disabling the use of weak DH keys in Zimbra Collaboration mailboxd"

(Additional Content)
Line 19: Line 19:
 
==Resolution==
 
==Resolution==
 
You have different steps to resolve the issue:
 
You have different steps to resolve the issue:
*'''1.-''' The first, '''and recommended''', one is upgrade to a Supported Zimbra Collaboration version, 8.x, as Zimbra Collaboration [https://www.zimbra.com/support/support-offerings/product-lifecycle '''7.x is EOL since March this year'''].
+
===Recommended way - Upgrade===
 +
The first, '''and recommended''', one is upgrade to a Supported Zimbra Collaboration version, 8.x, as Zimbra Collaboration [https://www.zimbra.com/support/support-offerings/product-lifecycle '''7.x is EOL since March this year'''].
  
 
[[File:Mozilla-error-oldzcs-002.png|800px]]
 
[[File:Mozilla-error-oldzcs-002.png|800px]]
Line 25: Line 26:
 
If you want to Upgrade, we had an special Webinar that will help you with the process - [https://community.zimbra.com/collaboration/f/1884/t/1139230 '''https://community.zimbra.com/collaboration/f/1884/t/1139230''']
 
If you want to Upgrade, we had an special Webinar that will help you with the process - [https://community.zimbra.com/collaboration/f/1884/t/1139230 '''https://community.zimbra.com/collaboration/f/1884/t/1139230''']
  
*'''2.-''' The second one is disable the new introduced option in Mozilla Firefox, you need to do it in each Web Browser that uses your Zimbra Collaboration Server:
+
===Mozilla Firefox fix per each client===
 +
The second one is disable the new introduced option in Mozilla Firefox, you need to do it in each Web Browser that uses your Zimbra Collaboration Server:
 
Type '''about:config''' in your Firefox web browser, in the address bar. Be careful as you can break your Firefox Configuration easier.
 
Type '''about:config''' in your Firefox web browser, in the address bar. Be careful as you can break your Firefox Configuration easier.
 
Change the next settings with the next values:
 
Change the next settings with the next values:
Line 31: Line 33:
 
  security.ssl3.dhe_rsa_aes_256_sha=false
 
  security.ssl3.dhe_rsa_aes_256_sha=false
  
*'''3.-''' '''Not recommended''', you can set the zmtlsctl to both, to enable HTTP traffic to your server, users will be able to connect using Firefox 39, previous or above versions using HTTP.
+
===Not recommended, enable HTTP & HTTPS===
 +
'''Not recommended''', you can set the zmtlsctl to both, to enable HTTP traffic to your server, users will be able to connect using Firefox 39, previous or above versions using HTTP.
 
Like zimbra user:
 
Like zimbra user:
 
  zmtlsctl both
 
  zmtlsctl both

Revision as of 15:40, 6 July 2015

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 7.0 Article ZCS 7.0 ZCS 6.0 Article ZCS 6.0


How to fix Mozilla Firefox error - ssl error weak server ephemeral dh key

Purpose

Since the 30th of June of 2015, Mozilla Firefox doesn't support connections to a server with weak DH ciphers anymore, as per Mozilla Release Notes:

  • Removed support for insecure SSLv3 for network communications
  • Disable use of RC4 except for temporarily whitelisted hosts

You will see the next error message trying to connect a Zimbra Collaboration 7.x or previous versions: 

Secure Connection Failed

An error occurred during a connection to YOUR IP. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

* The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
* Please contact the website owners to inform them of this problem.

Mozilla-error-oldzcs-001.png

Resolution

You have different steps to resolve the issue:

Recommended way - Upgrade

The first, and recommended, one is upgrade to a Supported Zimbra Collaboration version, 8.x, as Zimbra Collaboration 7.x is EOL since March this year.

Mozilla-error-oldzcs-002.png

If you want to Upgrade, we had an special Webinar that will help you with the process - https://community.zimbra.com/collaboration/f/1884/t/1139230

Mozilla Firefox fix per each client

The second one is disable the new introduced option in Mozilla Firefox, you need to do it in each Web Browser that uses your Zimbra Collaboration Server:

Type about:config in your Firefox web browser, in the address bar. Be careful as you can break your Firefox Configuration easier. Change the next settings with the next values: 

security.ssl3.dhe_rsa_aes_128_sha=false
security.ssl3.dhe_rsa_aes_256_sha=false

Not recommended, enable HTTP & HTTPS

Not recommended, you can set the zmtlsctl to both, to enable HTTP traffic to your server, users will be able to connect using Firefox 39, previous or above versions using HTTP. Like zimbra user: 

zmtlsctl both
zmcontrol restart

Additional Content


Verified Against: Zimbra Collaboration 7.x and previous Date Created: 07/06/2015
Article ID: https://wiki.zimbra.com/index.php?title=Disabling_the_use_of_weak_DH_keys_in_Zimbra_Collaboration_mailboxd Date Modified: 2015-07-06



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Other help Resources

User Help Page »
Official Forums »
Zimbra Documentation Page »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Wiki/KB reviewed by SME1 SME2 Copyeditor Last edit by Jorge de la Cruz
Retrieved from "https://wiki.zimbra.com/index.php?title=Disabling_the_use_of_weak_DH_keys_in_Zimbra_Collaboration_mailboxd&oldid=59654"
Jump to: navigation, search