Disabling the use of weak DH keys in Zimbra Collaboration mailboxd
Revision as of 14:47, 6 July 2015 by Jorge de la Cruz
- This article is a Work in Progress, and may be unfinished or missing sections.
Article Information: This article applies to the following ZCS versions: ZCS 7.0, ZCS 6.0.
How to fix Mozilla Firefox error - ssl error weak server ephemeral dh key
Purpose
Since 30 June 2015, Mozilla Firefox no longer supports connecting to a server that uses weak DH ciphers, as per the Mozilla Release Notes:
- Removed support for insecure SSLv3 for network communications
- Disable use of RC4 except for temporarily whitelisted hosts
You will see the following error message when trying to connect to Zimbra Collaboration 7.x or earlier versions:
Resolution
There are several ways to resolve the issue:
- 1.- The first, and recommended, option is to upgrade to a supported Zimbra Collaboration version, 8.x, as Zimbra Collaboration 7.x has been EOL since March this year.
- 2.- The second option is to disable the newly introduced behaviour in Mozilla Firefox. You need to do this in every web browser that connects to your Zimbra Collaboration Server:
Type about:config in the Firefox address bar and set the following preferences to these values:
security.ssl3.dhe_rsa_aes_128_sha=false
security.ssl3.dhe_rsa_aes_256_sha=false
- 3.- Not recommended: you can set zmtlsctl to both, which also enables HTTP traffic to your server. Users will then be able to connect over HTTP with Firefox 39 as well as earlier or later versions. Plain HTTP is unencrypted, so credentials and mail content cross the network in cleartext.
As the zimbra user:
zmtlsctl both
zmcontrol restart
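To check whether a server still offers a weak ephemeral DH key, before and after applying one of the options above, the output of `openssl s_client` can be classified as in the following added example (not part of the original article). The host `mail.example.com`, the function name `classify_dh` and the 1024-bit minimum are assumptions, and the sample outputs are constructed.

```shell
#!/bin/sh
# Classify the ephemeral key reported in `openssl s_client` output read on stdin.
# MIN_DH_BITS is an assumed policy threshold, not a value from the article.
MIN_DH_BITS="${MIN_DH_BITS:-1024}"

classify_dh() {
    out=$(cat)
    # Newer OpenSSL clients abort the handshake themselves on a small DH group.
    if printf '%s\n' "$out" | grep -q 'dh key too small'; then
        echo "weak (client refused: dh key too small)"
        return 0
    fi
    # OpenSSL 1.0.2 and later print e.g. "Server Temp Key: DH, 768 bits".
    key=$(printf '%s\n' "$out" | sed -n 's/^Server Temp Key: *//p' | head -n 1)
    case "$key" in
        DH,*)
            bits=$(printf '%s\n' "$key" | sed -n 's/^DH, *\([0-9][0-9]*\) bits.*/\1/p')
            if [ -z "$bits" ]; then
                echo "unknown"
            elif [ "$bits" -lt "$MIN_DH_BITS" ]; then
                echo "weak ($bits-bit DH)"
            else
                echo "ok ($bits-bit DH)"
            fi ;;
        "") echo "no-temp-key" ;;      # static RSA key exchange or failed handshake
        *)  echo "not-dhe ($key)" ;;   # e.g. ECDH, unaffected by the DH key size
    esac
    return 0
}

# Constructed sample outputs (not captured from a real server).
SAMPLE_WEAK='CONNECTED(00000003)
Server Temp Key: DH, 768 bits
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-SHA'
SAMPLE_OK='CONNECTED(00000003)
Server Temp Key: DH, 2048 bits'
SAMPLE_ECDH='CONNECTED(00000003)
Server Temp Key: ECDH, P-256, 256 bits'

# Live use against your own server (placeholder host), forcing DHE suites:
#   openssl s_client -connect mail.example.com:443 -cipher DHE </dev/null 2>&1 | classify_dh
```

A `weak` verdict means the server offered a DH group smaller than the threshold. `no-temp-key` means no ephemeral key was reported at all, for example because the server did not negotiate a DHE suite.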
Additional Content
- Mozilla Firefox Release Notes for the version 39 - https://www.mozilla.org/en-US/firefox/39.0/releasenotes/
- Mozilla Firefox Bugzilla 587407 about the change - https://bugzilla.mozilla.org/show_bug.cgi?id=587407