https://wiki.zimbra.com/index.php?title=Fix_%22Weak_Cipher_Suite%22_warnings_during_server_startup&feed=atom&action=history
Fix "Weak Cipher Suite" warnings during server startup - Revision history
2024-03-28T10:20:25Z
Revision history for this page on the wiki
https://wiki.zimbra.com/index.php?title=Fix_%22Weak_Cipher_Suite%22_warnings_during_server_startup&diff=66628&oldid=prev
Shanxt: /* Resolution */
2019-11-01T10:17:13Z
<p><span dir="auto"><span class="autocomment">Resolution</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 10:17, 1 November 2019</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l42">Line 42:</td>
<td colspan="2" class="diff-lineno">Line 42:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Resolution==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Resolution==</div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr>
<tr><td colspan="2" class="diff-side-deleted"></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">Please apply this only if commercial certificates are being used across the entire environment. This may break communication between the proxy and mailbox server if self-signed certificates are used, or a mix of self-signed and commercial is being used.</ins></div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><br/></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The <span style="font-family:courier">gcf</span> and <span style="font-family:courier">mcf</span> global config attributes can be modified to exclude the weak ciphers as required. </div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>The <span style="font-family:courier">gcf</span> and <span style="font-family:courier">mcf</span> global config attributes can be modified to exclude the weak ciphers as required. </div></td></tr>
</table>
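Review bot: The caveat added under ==Resolution== (line 42) says the change "may break communication between the proxy and mailbox server" with self-signed or mixed certificates, but it does not say which of the settings described in this section causes the breakage or how an administrator confirms which certificate type each server uses before applying it. Suggest naming the affected attribute and the verification step in the same sentence. The empty line added above the caveat can also be dropped so the warning sits directly under the heading.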
Shanxt
https://wiki.zimbra.com/index.php?title=Fix_%22Weak_Cipher_Suite%22_warnings_during_server_startup&diff=66449&oldid=prev
David Bingham: /* Fix Random LockFailException: Too many waiters error */
2019-07-02T15:20:43Z
<p><span dir="auto"><span class="autocomment">Fix Random LockFailException: Too many waiters error</span></span></p>
<table style="background-color: #fff; color: #202122;" data-mw="interface">
<col class="diff-marker" />
<col class="diff-content" />
<col class="diff-marker" />
<col class="diff-content" />
<tr class="diff-title" lang="en">
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">← Older revision</td>
<td colspan="2" style="background-color: #fff; color: #202122; text-align: center;">Revision as of 15:20, 2 July 2019</td>
</tr><tr><td colspan="2" class="diff-lineno" id="mw-diff-left-l2">Line 2:</td>
<td colspan="2" class="diff-lineno">Line 2:</td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>__FORCETOC__</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>__FORCETOC__</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><div class="col-md-12 ibox-content"></div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div><div class="col-md-12 ibox-content"></div></td></tr>
<tr><td class="diff-marker" data-marker="−"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>=Fix <del style="font-weight: bold; text-decoration: none;">Random LockFailException: Too many waiters error</del>=</div></td><td class="diff-marker" data-marker="+"></td><td style="color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>=Fix <ins style="font-weight: bold; text-decoration: none;">"Weak Cipher Suite" warnings during server startup</ins>=</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>{{KB|{{ZC}}|{{ZCS 8.8}}|||}}</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>{{KB|{{ZC}}|{{ZCS 8.8}}|||}}</div></td></tr>
<tr><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Problem==</div></td><td class="diff-marker"></td><td style="background-color: #f8f9fa; color: #202122; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #eaecf0; vertical-align: top; white-space: pre-wrap;"><div>==Problem==</div></td></tr>
</table>
David Bingham
https://wiki.zimbra.com/index.php?title=Fix_%22Weak_Cipher_Suite%22_warnings_during_server_startup&diff=66448&oldid=prev
David Bingham: Created page with "{{BC|Certified}} __FORCETOC__ <div class="col-md-12 ibox-content"> =Fix Random LockFailException: Too many waiters error= {{KB|{{ZC}}|{{ZCS 8.8}}|||}} ==Problem== The Jetty se..."
2019-07-02T15:20:04Z
<p><b>New page</b></p><div>{{BC|Certified}}<br />
__FORCETOC__<br />
<div class="col-md-12 ibox-content"><br />
=Fix Random LockFailException: Too many waiters error=<br />
{{KB|{{ZC}}|{{ZCS 8.8}}|||}}<br />
==Problem==<br />
The Jetty server was upgraded in Zimbra 8.8.15, and the upgraded version prints console warnings during server startup, reporting "Weak cipher suite" for ~20 suites.<br />
These are warnings only; there is no security exposure related to their presence.<br />
<pre><br />
2019-06-11 11:13:28.576:INFO:oejs.RequestLogWriter:main: Opened /opt/zimbra/log/access_log.2019-06-11<br />
2019-06-11 11:13:28.606:INFO:oejs.AbstractConnector:main: Started ServerConnector@50ecde95{HTTP/1.1,[http/1.1]}{localhost:8080}<br />
2019-06-11 11:13:28.614:INFO:oejus.SslContextFactory:main: x509=X509@7f086b45(jetty,h=[jyoti.zdev.local],w=[]) for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.616:WARN:oejusS.config:main: No Client EndPointIdentificationAlgorithm configured for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Protocol SSLv2Hello not excluded for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null] <br />
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]<br />
2019-06-11 11:13:28.621:INFO:oejs.AbstractConnector:main: Started ServerConnector@6622fc65{SSL,[ssl, http/1.1]}{0.0.0.0:8443}<br />
2019-06-11 11:13:28.629:INFO:oejs.AbstractConnector:main: Started ServerConnector@299321e2{SSL,[ssl, http/1.1]}{0.0.0.0:7071}<br />
2019-06-11 11:13:28.631:INFO:oejs.AbstractConnector:main: Started ServerConnector@23fb172e{SSL,[ssl, http/1.1]}{0.0.0.0:7073}<br />
2019-06-11 11:13:28.637:INFO:oejs.AbstractConnector:main: Started ServerConnector@64ba3208{SSL,[ssl, http/1.1]}{0.0.0.0:7072}<br />
2019-06-11 11:13:28.637:INFO:oejs.Server:main: Started @13379ms<br />
</pre><br />
<br />
<br />
==Resolution==<br />
<br />
The <span style="font-family:courier">gcf</span> and <span style="font-family:courier">mcf</span> global config attributes can be modified to exclude the weak ciphers as required. <br />
Add or remove those values using '''zmprov''' as shown below:<br />
<br />
<pre><br />
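# Show the current cipher suite exclusion patterns<br />
zmprov gcf zimbraSSLExcludeCipherSuites<br />
# Exclude suites whose names end in MD5, SHA or SHA1, and all TLS_RSA_* suites<br />
zmprov mcf +zimbraSSLExcludeCipherSuites "^.*_(MD5|SHA|SHA1)$" +zimbraSSLExcludeCipherSuites "^TLS_RSA_.*"<br />
# Show the enabled protocols, then remove SSLv2Hello<br />
zmprov gcf zimbraMailboxdSSLProtocols<br />
zmprov mcf -zimbraMailboxdSSLProtocols "SSLv2Hello"<br />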
</pre><br />
<br />
The warnings will no longer appear on subsequent restarts.<br />
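The following check is an added example, not part of the original wiki page or of Zimbra's tooling: it parses Jetty warnings in the format shown in the Problem section and reports which weak suites each exclusion pattern from the commands above leaves uncovered. The log lines are a constructed subset, and whole-name regular-expression matching of the patterns is an assumption about how the exclusions are applied.

```python
import re

# The two Jetty warning shapes that appear in the startup log.
WEAK_RE = re.compile(r":WARN:\S+: Weak cipher suite (\S+) enabled for ")
PROTO_RE = re.compile(r":WARN:\S+: Protocol (\S+) not excluded for ")

# Exclusion patterns added to zimbraSSLExcludeCipherSuites by the zmprov command.
PAGE_PATTERNS = [r"^.*_(MD5|SHA|SHA1)$", r"^TLS_RSA_.*"]

# Constructed sample: a subset of the log format above, with one duplicate line.
_WARN = "2019-06-11 11:13:28.617:WARN:oejusS.config:main: "
_CTX = "SslContextFactory@c370bb5[provider=null,trustStore=null]"
SAMPLE_LOG = "\n".join(
    ["2019-06-11 11:13:28.606:INFO:oejs.AbstractConnector:main: Started ServerConnector",
     f"{_WARN}Protocol SSLv2Hello not excluded for {_CTX}"]
    + [f"{_WARN}Weak cipher suite {name} enabled for {_CTX}" for name in (
        "TLS_RSA_WITH_AES_256_GCM_SHA384",
        "TLS_RSA_WITH_AES_256_CBC_SHA256",
        "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_RSA_WITH_AES_256_CBC_SHA",
        "TLS_DHE_DSS_WITH_AES_128_CBC_SHA",
    )]
)


def parse_warnings(log_text):
    """Return (weak_suites, unexcluded_protocols), deduplicated, in log order."""
    suites, protocols = [], []
    for line in log_text.splitlines():
        for pattern, bucket in ((WEAK_RE, suites), (PROTO_RE, protocols)):
            match = pattern.search(line)
            if match and match.group(1) not in bucket:
                bucket.append(match.group(1))
    return suites, protocols


def uncovered(suites, exclude_patterns):
    """Return the suites that none of the exclusion patterns matches in full."""
    compiled = [re.compile(p) for p in exclude_patterns]
    return [s for s in suites if not any(c.fullmatch(s) for c in compiled)]


if __name__ == "__main__":
    suites, protocols = parse_warnings(SAMPLE_LOG)
    print("protocols still enabled:", protocols)
    for label, pats in (("suffix pattern only", PAGE_PATTERNS[:1]),
                        ("both patterns", PAGE_PATTERNS)):
        print(label, "->", uncovered(suites, pats) or "all covered")
```

Running it against a real startup log shows whether any warned suite would survive the exclusions before the server is restarted.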
<br />
==Additional Content==<br />
* No related content<br />
<br />
<br />
{{Article Footer|Zimbra Collaboration 8.8.15|07/02/2019}}<br />
{{NeedSME|SME1|SME2|Copyeditor}}</div>
David Bingham