Disabling the use of weak DH keys in Zimbra Collaboration mailboxd
|This article applies to the following ZCS versions.|
Disabling the use of ephemeral DH keys in mailboxd
Mozilla Firefox 39.0 was released on June 30, 2015. With this release, connections to servers using weak ephemeral Diffie-Hellman (DH) keys are blocked by default. See the Mozilla Release Notes and detailed accompanying change list for details. Here are some specific related bugs/enhancements/changes for those interested:
- FF Bug 1138554 (CVE-2015-4000) NSS accepts export-length DHE keys with regular DHE cipher suites
- FF Bug 1106470 Drop SSLv3 support entirely
- FF Bug 1153964 allow unrestricted RC4 fallback in beta and release
- NOTE: a future release is expected to disallow RC4 ciphers, or possibly enable RC4 for a temporarily set of whitelisted hosts.
Chrome 45 (in the "dev channel" since early June 2015) is slated to present users with a ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY error:
- See also this thread:
- https://groups.google.com/a/chromium.org/forum/#!topic/security-dev/WyGIpevBV1s - Increasing the minimum TLS DH group size to 1024 bits.
In Firefox 39.0+, you may see the following error message when trying to connect a Zimbra Collaboration 7.x or previous versions:
Secure Connection Failed
An error occurred during a connection to YOUR IP. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)
- The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
- Please contact the website owners to inform them of this problem.
You have different steps to resolve the issue:
Workaround: Disable DHE ciphers in the Zimbra Collaboration Server
Disabling the insecure ciphers, will make Firefox happy again:
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA zmmailboxdctl restart
You will see the Web Client again:
Recommended: Upgrade ZCS
The recommended step is upgrade to the latest supported Zimbra Collaboration version, as Zimbra Collaboration 7.x was EOL'd in March 2015.
If you want to upgrade, we had an special Webinar that will help you with the process:
Not Recommended: Mozilla Firefox fix per each client
Not recommended: To disable the new introduced option in Mozilla Firefox, you need to do it in each Web Browser that uses your Zimbra Collaboration Server:
Type about:config in your Firefox web browser, in the address bar. Be careful as you can break your Firefox Configuration easier. Change the next settings with the next values:
Not recommended: enable HTTP & HTTPS
Not recommended: You can set the zmtlsctl to both, to enable HTTP traffic to your server, users will be able to connect using Firefox 39, previous or above versions using HTTP. Like zimbra user:
zmtlsctl both zmcontrol restart
The use of HTTPS only is recommended.
- Mozilla Firefox Release Notes for the version 39 - https://www.mozilla.org/en-US/firefox/39.0/releasenotes/
- Mozilla Firefox Bugzilla 587407 about the change - https://bugzilla.mozilla.org/show_bug.cgi?id=587407