Fix "Weak Cipher Suite" warnings during server startup

Revision as of 10:17, 1 November 2019 by Shanxt (talk | contribs) (→‎Resolution)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Fix "Weak Cipher Suite" warnings during server startup

   KB 23863        Last updated on 2019-11-1  




0.00
(0 votes)

Problem

The Jetty server was upgraded in Zimbra 8.8.15, and results in console warnings during server startup, reporting "Weak cipher suite" for ~20 suites. These are warnings only; there is no security exposure related to their presence.

2019-06-11 11:13:28.576:INFO:oejs.RequestLogWriter:main: Opened /opt/zimbra/log/access_log.2019-06-11
2019-06-11 11:13:28.606:INFO:oejs.AbstractConnector:main: Started ServerConnector@50ecde95{HTTP/1.1,[http/1.1]}{localhost:8080}
2019-06-11 11:13:28.614:INFO:oejus.SslContextFactory:main: x509=X509@7f086b45(jetty,h=[jyoti.zdev.local],w=[]) for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.616:WARN:oejusS.config:main: No Client EndPointIdentificationAlgorithm configured for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Protocol SSLv2Hello not excluded for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null] 
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.621:INFO:oejs.AbstractConnector:main: Started ServerConnector@6622fc65{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2019-06-11 11:13:28.629:INFO:oejs.AbstractConnector:main: Started ServerConnector@299321e2{SSL,[ssl, http/1.1]}{0.0.0.0:7071}
2019-06-11 11:13:28.631:INFO:oejs.AbstractConnector:main: Started ServerConnector@23fb172e{SSL,[ssl, http/1.1]}{0.0.0.0:7073}
2019-06-11 11:13:28.637:INFO:oejs.AbstractConnector:main: Started ServerConnector@64ba3208{SSL,[ssl, http/1.1]}{0.0.0.0:7072}
2019-06-11 11:13:28.637:INFO:oejs.Server:main: Started @13379ms

 

Resolution

Please apply this only if commercial certificates are being used across the entire environment. This may break communication between the proxy and mailbox server if self-signed certificates are used, or a mix of self-signed and commercial is being used.

The gcf and mcf global config attributes can be modified to exclude the weak ciphers as required. Add or remove those values using zmprov as shown below:

zmprov gcf zimbraSSLExcludeCipherSuites
zmprov mcf +zimbraSSLExcludeCipherSuites "^.*_(MD5|SHA|SHA1)$"  +zimbraSSLExcludeCipherSuites "^TLS_RSA_.*"
zmprov gcf zimbraMailboxdSSLProtocols
zmprov mcf -zimbraMailboxdSSLProtocols "SSLv2Hello"

The warnings will no longer appear on subsequent restarts.

Additional Content

  • No related content


Verified Against: Zimbra Collaboration 8.8.15 Date Created: 07/02/2019
Article ID: https://wiki.zimbra.com/index.php?title=Fix_%22Weak_Cipher_Suite%22_warnings_during_server_startup Date Modified: 2019-11-01



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Wiki/KB reviewed by SME1 SME2 Copyeditor Last edit by Shanxt
Jump to: navigation, search