Fix "Weak Cipher Suite" warnings during server startup: Difference between revisions
Revision as of 15:20, 2 July 2019
Fix Random LockFailException: Too many waiters error
Problem
The Jetty server was upgraded in Zimbra 8.8.15, and the new version emits console warnings during server startup reporting "Weak cipher suite" for roughly 20 suites. These are warnings only; there is no security exposure related to their presence.
2019-06-11 11:13:28.576:INFO:oejs.RequestLogWriter:main: Opened /opt/zimbra/log/access_log.2019-06-11
2019-06-11 11:13:28.606:INFO:oejs.AbstractConnector:main: Started ServerConnector@50ecde95{HTTP/1.1,[http/1.1]}{localhost:8080}
2019-06-11 11:13:28.614:INFO:oejus.SslContextFactory:main: x509=X509@7f086b45(jetty,h=[jyoti.zdev.local],w=[]) for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.616:WARN:oejusS.config:main: No Client EndPointIdentificationAlgorithm configured for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Protocol SSLv2Hello not excluded for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.621:INFO:oejs.AbstractConnector:main: Started ServerConnector@6622fc65{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2019-06-11 11:13:28.629:INFO:oejs.AbstractConnector:main: Started ServerConnector@299321e2{SSL,[ssl, http/1.1]}{0.0.0.0:7071}
2019-06-11 11:13:28.631:INFO:oejs.AbstractConnector:main: Started ServerConnector@23fb172e{SSL,[ssl, http/1.1]}{0.0.0.0:7073}
2019-06-11 11:13:28.637:INFO:oejs.AbstractConnector:main: Started ServerConnector@64ba3208{SSL,[ssl, http/1.1]}{0.0.0.0:7072}
2019-06-11 11:13:28.637:INFO:oejs.Server:main: Started @13379ms
Resolution
The global config attributes zimbraSSLExcludeCipherSuites and zimbraMailboxdSSLProtocols can be modified to exclude the weak ciphers (and the SSLv2Hello protocol) as required. View the current values with zmprov gcf, then add or remove values with zmprov mcf as shown below:
zmprov gcf zimbraSSLExcludeCipherSuites
zmprov mcf +zimbraSSLExcludeCipherSuites "^.*_(MD5|SHA|SHA1)$" +zimbraSSLExcludeCipherSuites "^TLS_RSA_.*"
zmprov gcf zimbraMailboxdSSLProtocols
zmprov mcf -zimbraMailboxdSSLProtocols "SSLv2Hello"
The warnings will no longer appear on subsequent restarts.
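As an added example (not part of the KB article), the POSIX shell script below checks whether the two zimbraSSLExcludeCipherSuites patterns from the resolution above would cover every suite Jetty flagged as "Weak cipher suite" in a startup log, before the change is made. The sample log is constructed from the excerpt above with the SslContextFactory tail shortened to "[...]", plus one hypothetical extra warning for TLS_DH_anon_WITH_AES_128_GCM_SHA256 that neither pattern matches; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Zimbra KB article: check whether the
# zimbraSSLExcludeCipherSuites patterns from the resolution cover every
# suite that Jetty flagged as "Weak cipher suite" in a startup log.

# Constructed sample log: lines taken from the excerpt in the article, with
# the SslContextFactory tail shortened to "[...]", plus one hypothetical
# extra warning (TLS_DH_anon_...) that neither pattern matches. One suite
# appears twice, as it does in the real log.
SAMPLE_LOG='2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.621:INFO:oejs.AbstractConnector:main: Started ServerConnector@6622fc65{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2019-06-11 11:13:28.622:WARN:oejusS.config:main: Weak cipher suite TLS_DH_anon_WITH_AES_128_GCM_SHA256 enabled for SslContextFactory@c370bb5[...]'

# is_excluded SUITE: succeed if SUITE matches one of the two exclusion
# patterns the article sets with "zmprov mcf +zimbraSSLExcludeCipherSuites".
# Both patterns are valid POSIX extended regexes as well as Java regexes.
is_excluded() {
    for pat in '^.*_(MD5|SHA|SHA1)$' '^TLS_RSA_.*'; do
        printf '%s\n' "$1" | grep -Eq "$pat" && return 0
    done
    return 1
}

# weak_suites: read log text on stdin, print each flagged suite name once.
weak_suites() {
    sed -n 's/.*Weak cipher suite \([A-Za-z0-9_]*\) enabled.*/\1/p' | sort -u
}

# uncovered_suites: read log text on stdin, print the flagged suites that
# the exclusion patterns would leave enabled (empty output = full coverage).
uncovered_suites() {
    weak_suites | while IFS= read -r suite; do
        is_excluded "$suite" || printf '%s\n' "$suite"
    done
}

# Report for the sample log. With a captured startup log, run instead:
#   uncovered_suites < YOUR_STARTUP_LOG   (placeholder path)
printf '%s\n' "$SAMPLE_LOG" | weak_suites | while IFS= read -r suite; do
    if is_excluded "$suite"; then
        printf 'excluded:      %s\n' "$suite"
    else
        printf 'still enabled: %s\n' "$suite"
    fi
done
```

Every suite in the article's log matches one of the two patterns (the ECDHE, ECDH and DHE suites end in _SHA, and the rest begin with TLS_RSA_), so on the real log uncovered_suites prints nothing; the constructed anonymous DH suite shows what the output looks like when a pattern is missing.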