Difference between revisions of "Disabling the use of weak DH keys in Zimbra Collaboration mailboxd"

(In the Zimbra Collaboration Server)
(added notes about chrome; updated wording; updated title)

Revision as of 03:52, 7 July 2015

Admin Article. This article applies to the following ZCS versions: ZCS 7.0, ZCS 6.0.


Disabling the use of ephemeral DH keys in mailboxd

Background

Mozilla Firefox 39.0 was released on June 30, 2015. With this release, connections to servers that negotiate a DHE cipher suite with an ephemeral Diffie-Hellman (DH) group shorter than 1024 bits are blocked by default. Zimbra Collaboration 7.x and earlier are affected because mailboxd on those releases still offers DHE suites with such a short default DH group, so the TLS handshake is aborted before the web client loads. See the Mozilla Release Notes and the detailed accompanying change list for details. Here are some specific related bugs/enhancements/changes for those interested:

  • FF Bug 1138554 (CVE-2015-4000, "Logjam") NSS accepts export-length DHE keys with regular DHE cipher suites
  • FF Bug 1106470 Drop SSLv3 support entirely
  • FF Bug 1153964 allow unrestricted RC4 fallback in beta and release
    • NOTE: a future release is expected to disallow RC4 ciphers, or possibly enable RC4 only for a temporary set of whitelisted hosts.

Chrome 45 (in the "dev channel" since early June 2015, see http://googlechromereleases.blogspot.com/2015/06/dev-channel-update_23.html) is slated to present users with an ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY error for the same servers:

  • https://www.chromium.org/administrators/err_ssl_weak_server_ephemeral_dh_key
  • See also this thread: https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/WyGIpevBV1s (Increasing the minimum TLS DH group size to 1024 bits)

Example Error

In Firefox 39.0 or later, you may see the following error message when connecting to Zimbra Collaboration 7.x or earlier:


Secure Connection Failed

An error occurred during a connection to YOUR IP. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

  • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  • Please contact the website owners to inform them of this problem.

Mozilla-error-oldzcs-001.png

Resolution

There are several ways to resolve the issue:

Workaround: Disable DHE ciphers in the Zimbra Collaboration Server

Excluding the DHE cipher suites from mailboxd stops the server from ever sending its short DH group, so Firefox 39 connects again. Run the following as the zimbra user. The + prefix adds a value to the multi-valued attribute, and zmprov mcf changes the global config, so restart mailboxd on every mailbox server afterwards:

zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA
zmmailboxdctl restart

OR, to exclude every DHE suite with a single pattern:

zmprov mcf +zimbraSSLExcludeCipherSuites '.*_DHE_.*'
zmmailboxdctl restart

Read the setting back with zmprov gcf zimbraSSLExcludeCipherSuites. Caveat: this is a workaround, not a fix. The weakness is the short DH group mailboxd generates, not DHE itself; dropping the DHE suites keeps forward secrecy only if the JVM also offers ECDHE suites, otherwise the remaining RSA key exchange has none. Verify the result from a client with openssl s_client or a TLS scanner rather than relying on the browser alone.

Firefox then loads the Web Client again:

Mozilla-error-oldzcs-004.png
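As an added example (not code from the Zimbra wiki article or from ZCS), the shell script below checks the result of the workaround from an administrator's machine. It reads back `zmprov gcf zimbraSSLExcludeCipherSuites` output to report which of the two DHE suites above are still missing, and it classifies the key exchange a real handshake negotiates by parsing the `Cipher is` and `Server Temp Key:` lines that `openssl s_client` (OpenSSL 1.0.2 or later) prints. The host name, the 2048-bit policy threshold and the embedded s_client excerpts are assumptions constructed for the example, not captured output.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki article or of ZCS itself:
# verify the DHE exclusion from an admin workstation. Host name, the
# MIN_DH_BITS policy and the sample s_client output below are assumptions.

MIN_DH_BITS=2048   # local policy; Firefox 39 itself only insists on >= 1024

# The two suites the article excludes explicitly.
DHE_SUITES='TLS_DHE_RSA_WITH_AES_128_CBC_SHA TLS_DHE_RSA_WITH_AES_256_CBC_SHA'

# missing_dhe_exclusions: feed it `zmprov gcf zimbraSSLExcludeCipherSuites`
# output (one "zimbraSSLExcludeCipherSuites: SUITE" line per value) and it
# prints each suite from DHE_SUITES that still has to be added with
# `zmprov mcf +zimbraSSLExcludeCipherSuites SUITE`. Empty output means done.
# (Understands the explicit-suite form, not the '.*_DHE_.*' regex form.)
missing_dhe_exclusions() {
    current=$(sed -n 's/^zimbraSSLExcludeCipherSuites: *//p' | tr '\n' ' ')
    for s in $DHE_SUITES; do
        case " $current " in
            *" $s "*) ;;          # already excluded
            *) echo "$s" ;;
        esac
    done
}

# negotiated_cipher: cipher suite name from s_client output on stdin, or
# NONE when the handshake failed (OpenSSL prints "Cipher is (NONE)").
negotiated_cipher() {
    c=$(sed -n 's/.*Cipher is \(.*\)$/\1/p' | head -n 1)
    case "$c" in
        ''|'(NONE)') echo NONE ;;
        *) echo "$c" ;;
    esac
}

# dh_key_verdict: classify the server's ephemeral key from s_client output.
#   weak    finite-field DH group smaller than MIN_DH_BITS (Firefox 39 rejects < 1024)
#   ok      finite-field DH group of at least MIN_DH_BITS
#   no-dh   ECDHE (or static RSA) key exchange, no finite-field DH involved
#   unknown no "Server Temp Key" line: handshake failed or OpenSSL too old
dh_key_verdict() {
    line=$(grep 'Server Temp Key:' | head -n 1)
    case "$line" in
        *'Server Temp Key: DH,'*)
            bits=$(printf '%s\n' "$line" | sed -n 's/.*DH, \([0-9][0-9]*\) bits.*/\1/p')
            if [ -n "$bits" ] && [ "$bits" -ge "$MIN_DH_BITS" ]; then
                echo ok
            else
                echo weak
            fi ;;
        *'Server Temp Key:'*) echo no-dh ;;
        *) echo unknown ;;
    esac
}

# probe_server HOST [PORT]: two real handshakes. The default cipher list shows
# what browsers get; the DHE-only list must fail (NONE) once the suites are gone.
probe_server() {
    host=$1; port=${2:-443}
    out=$(openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null) || true
    printf 'default handshake: cipher=%s dh=%s\n' \
        "$(printf '%s\n' "$out" | negotiated_cipher)" \
        "$(printf '%s\n' "$out" | dh_key_verdict)"
    dhe=$(openssl s_client -connect "$host:$port" -servername "$host" -cipher DHE </dev/null 2>/dev/null) || true
    printf 'DHE-only handshake: cipher=%s (NONE means DHE is no longer offered)\n' \
        "$(printf '%s\n' "$dhe" | negotiated_cipher)"
}

# Constructed s_client excerpts (not captured from a real server) for offline use:
# the pre-fix 768-bit DH key, a post-fix ECDHE handshake, and a refused handshake.
SAMPLE_WEAK_DH='New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA
Server public key is 2048 bit
Server Temp Key: DH, 768 bits'
SAMPLE_ECDHE='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Server Temp Key: ECDH, P-256, 256 bits'
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)'
# Constructed zmprov read-back: only the 128-bit suite has been excluded so far.
SAMPLE_GCF='zimbraSSLExcludeCipherSuites: TLS_DHE_RSA_WITH_AES_128_CBC_SHA'

if [ $# -gt 0 ]; then
    probe_server "$@"
fi
```

Run it with a host to probe a live server, for example `sh dhcheck.sh mail.example.com 443` (the file name and host are assumed); with no arguments it only defines the functions, so it can be sourced and the two parsers pointed at saved s_client output. After the exclusion is in place the DHE-only probe should report NONE and the default probe should report no-dh (ECDHE available) or ok; a weak verdict means the restart did not reach that mailbox server.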

Recommended: Upgrade ZCS

The recommended step is to upgrade to the latest supported Zimbra Collaboration version, as Zimbra Collaboration 7.x was EOL'd in March 2015 (see the product lifecycle page: https://www.zimbra.com/support/support-offerings/product-lifecycle).

Mozilla-error-oldzcs-002.png

If you want to upgrade, a webinar on the process is available:

  • https://community.zimbra.com/collaboration/f/1884/t/1139230

Not Recommended: Mozilla Firefox fix per each client

Not recommended: You can stop Firefox from negotiating the DHE suites at all, so the weak-key check is never reached, but this has to be done in every browser that connects to your Zimbra Collaboration Server, and it disables DHE (and with it forward secrecy on sites that lack ECDHE) for every other site those browsers visit:

Type about:config in the Firefox address bar. Be careful: it is easy to break the Firefox configuration there. Set the following preferences to the following values:

security.ssl3.dhe_rsa_aes_128_sha=false
security.ssl3.dhe_rsa_aes_256_sha=false

Not recommended: enable HTTP & HTTPS

Not recommended: You can set zmtlsctl to both so that mailboxd also accepts plain HTTP; users on Firefox 39, or any earlier or later version, can then connect over HTTP. This sends logins, session cookies and mail in cleartext, so it trades a TLS weakness for no TLS at all. As the zimbra user:

zmtlsctl both
zmcontrol restart

The use of HTTPS only is recommended.

Additional Content

  • Mozilla Firefox Release Notes for version 39 - https://www.mozilla.org/en-US/firefox/39.0/releasenotes/
  • Mozilla Firefox Bugzilla 587407 about the change - https://bugzilla.mozilla.org/show_bug.cgi?id=587407

Verified Against: Zimbra Collaboration 7.x and previous. Date Created: 07/06/2015. Date Modified: 2015-07-07.
Article ID: https://wiki.zimbra.com/index.php?title=Disabling_the_use_of_weak_DH_keys_in_Zimbra_Collaboration_mailboxd



Last edit by Plobbes