Disabling the use of weak DH keys in Zimbra Collaboration mailboxd

Revision as of 14:51, 6 July 2015 by Jorge de la Cruz (talk | contribs) (Purpose)

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 7.0, ZCS 6.0


How to fix Mozilla Firefox error - ssl error weak server ephemeral dh key

Purpose

Since the 30th of June 2015, Mozilla Firefox no longer supports connecting to a server with weak DH ciphers, as per the Mozilla Release Notes:

  • Removed support for insecure SSLv3 for network communications
  • Disable use of RC4 except for temporarily whitelisted hosts

You will see the following error message when trying to connect to Zimbra Collaboration 7.x or previous versions:

Secure Connection Failed

An error occurred during a connection to 192.168.211.135. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

    The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
    Please contact the website owners to inform them of this problem.


Resolution

There are different ways to resolve the issue:


If you want to upgrade, we held a special webinar that will help you with the process - https://community.zimbra.com/collaboration/f/1884/t/1139230

  • 2.- The second option is to disable the newly introduced option in Mozilla Firefox. You need to do this in each web browser that connects to your Zimbra Collaboration Server:

Type about:config in the address bar of your Firefox web browser. Be careful, as you can easily break your Firefox configuration. Change the following settings to these values:

security.ssl3.dhe_rsa_aes_128_sha=false
security.ssl3.dhe_rsa_aes_256_sha=false

  • 3.- Not recommended: you can set zmtlsctl to both, to enable HTTP traffic to your server. Users will then be able to connect over HTTP using Firefox 39, or previous or later versions.

As the zimbra user:

zmtlsctl both
zmcontrol restart
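
To check whether a server is still sending a weak ephemeral DH key, before or after applying one of the steps above, the following added example (not part of the original article) classifies the "Server Temp Key" line printed by openssl s_client. The 1023-bit minimum, the function names, the host name in the comment and the sample outputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example: classify the ephemeral DH key a TLS server sent, using the
# "Server Temp Key" line that `openssl s_client` prints after the handshake.
# Assumption: 1023 bits is the smallest DH key the browser still accepts.
MIN_DH_BITS=1023

# Constructed sample outputs (not captured from a real server).
sample_weak='SSL handshake has read 1523 bytes and written 421 bytes
Server Temp Key: DH, 768 bits
    Cipher    : DHE-RSA-AES128-SHA'
sample_ok='Server Temp Key: DH, 2048 bits
    Cipher    : DHE-RSA-AES256-SHA'
sample_nodhe='    Cipher    : AES128-SHA'

# Print the DH key size in bits, or nothing if no DH temp key was reported.
# ECDH lines ("Server Temp Key: ECDH, ...") are deliberately not matched.
dh_bits() {
    printf '%s\n' "$1" |
        sed -n 's/^Server Temp Key: DH, \([0-9][0-9]*\) bits.*$/\1/p' |
        head -n 1
}

# Print WEAK, OK or NO_DHE for one block of s_client output.
classify_dh() {
    bits=$(dh_bits "$1")
    if [ -z "$bits" ]; then
        echo "NO_DHE"
    elif [ "$bits" -lt "$MIN_DH_BITS" ]; then
        echo "WEAK ($bits bits)"
    else
        echo "OK ($bits bits)"
    fi
}

# Live check against your own server (hypothetical host name):
#   out=$(openssl s_client -connect mail.example.com:443 -cipher DHE </dev/null 2>/dev/null)
#   classify_dh "$out"
# A recent OpenSSL build may itself reject a small DH key and abort the
# handshake; in that case no "Server Temp Key" line is printed.
```
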

Verified Against: Zimbra Collaboration 7.x and previous
Date Created: 06/07/2015
Article ID: https://wiki.zimbra.com/index.php?title=Disabling_the_use_of_weak_DH_keys_in_Zimbra_Collaboration_mailboxd
Date Modified: 2015-07-06



Wiki/KB reviewed by SME1 SME2 Copyeditor Last edit by Jorge de la Cruz