Disabling the use of weak DH keys in Zimbra Collaboration mailboxd

Revision as of 02:58, 18 July 2015 by Plobbes (talk | contribs) (Disabling the use of ephemeral DH keys in mailboxd)

Disabling the use of ephemeral DH keys in mailboxd

   KB 22117        Last updated on 2015-07-18  




0.00
(0 votes)

Background

Mozilla Firefox 39.0 was released on June 30, 2015. With this release, connections to servers using weak ephemeral Diffie-Hellman (DH) keys are blocked by default. See the Mozilla Release Notes and detailed accompanying change list for details. Here are some specific related bugs/enhancements/changes for those interested:

  • FF Bug 1138554 (CVE-2015-4000) NSS accepts export-length DHE keys with regular DHE cipher suites
  • FF Bug 1106470 Drop SSLv3 support entirely
  • FF Bug 1153964 allow unrestricted RC4 fallback in beta and release
    • NOTE: a future release is expected to disallow RC4 ciphers, or possibly enable RC4 for a temporarily set of whitelisted hosts.

Chrome 45 (in the "dev channel" since early June 2015) is slated to present users with a ERR_SSL_WEAK_SERVER_EPHEMERAL_DH_KEY error:

Example Error

In Firefox 39.0+, you may see the following error message when trying to connect a Zimbra Collaboration 7.x or previous versions:


Secure Connection Failed

An error occurred during a connection to YOUR IP. SSL received a weak ephemeral Diffie-Hellman key in Server Key Exchange handshake message. (Error code: ssl_error_weak_server_ephemeral_dh_key)

  • The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
  • Please contact the website owners to inform them of this problem.

Mozilla-error-oldzcs-001.png

Resolution

You have different steps to resolve the issue:

Workaround: Disable DHE ciphers in the Zimbra Collaboration Server

Disabling the insecure ciphers, will make Firefox happy again:

zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA
zmmailboxdctl restart

You will see the Web Client again:

Mozilla-error-oldzcs-004.png

Recommended: Upgrade ZCS

The recommended step is upgrade to the latest supported Zimbra Collaboration version, as Zimbra Collaboration 7.x was EOL'd in March 2015.

Mozilla-error-oldzcs-002.png

If you want to upgrade, we had an special Webinar that will help you with the process:

Not Recommended: Mozilla Firefox fix per each client

Not recommended: To disable the new introduced option in Mozilla Firefox, you need to do it in each Web Browser that uses your Zimbra Collaboration Server:

Type about:config in your Firefox web browser, in the address bar. Be careful as you can break your Firefox Configuration easier. Change the next settings with the next values:

security.ssl3.dhe_rsa_aes_128_sha=false
security.ssl3.dhe_rsa_aes_256_sha=false

Not recommended: enable HTTP & HTTPS

Not recommended: You can set the zmtlsctl to both, to enable HTTP traffic to your server, users will be able to connect using Firefox 39, previous or above versions using HTTP. Like zimbra user:

zmtlsctl both
zmcontrol restart

The use of HTTPS only is recommended.

Additional Content

Verified Against: Zimbra Collaboration 7.x and previous Date Created: 07/06/2015
Article ID: https://wiki.zimbra.com/index.php?title=Disabling_the_use_of_weak_DH_keys_in_Zimbra_Collaboration_mailboxd Date Modified: 2015-07-18



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Wiki/KB reviewed by Jorge SME2 Phil Last edit by Plobbes
Jump to: navigation, search