Fix "Weak Cipher Suite" warnings during server startup
Problem
The Jetty server was upgraded in Zimbra 8.8.15, and the new version prints console warnings during server startup, reporting "Weak cipher suite" for roughly 20 suites. These are warnings only; there is no security exposure related to their presence.
2019-06-11 11:13:28.576:INFO:oejs.RequestLogWriter:main: Opened /opt/zimbra/log/access_log.2019-06-11
2019-06-11 11:13:28.606:INFO:oejs.AbstractConnector:main: Started ServerConnector@50ecde95{HTTP/1.1,[http/1.1]}{localhost:8080}
2019-06-11 11:13:28.614:INFO:oejus.SslContextFactory:main: x509=X509@7f086b45(jetty,h=[jyoti.zdev.local],w=[]) for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.616:WARN:oejusS.config:main: No Client EndPointIdentificationAlgorithm configured for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Protocol SSLv2Hello not excluded for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.621:INFO:oejs.AbstractConnector:main: Started ServerConnector@6622fc65{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2019-06-11 11:13:28.629:INFO:oejs.AbstractConnector:main: Started ServerConnector@299321e2{SSL,[ssl, http/1.1]}{0.0.0.0:7071}
2019-06-11 11:13:28.631:INFO:oejs.AbstractConnector:main: Started ServerConnector@23fb172e{SSL,[ssl, http/1.1]}{0.0.0.0:7073}
2019-06-11 11:13:28.637:INFO:oejs.AbstractConnector:main: Started ServerConnector@64ba3208{SSL,[ssl, http/1.1]}{0.0.0.0:7072}
2019-06-11 11:13:28.637:INFO:oejs.Server:main: Started @13379ms
Resolution
The zimbraSSLExcludeCipherSuites and zimbraMailboxdSSLProtocols global config attributes can be modified to exclude the weak ciphers as required. View the current values with zmprov gcf, then add (+) or remove (-) values with zmprov mcf as shown below:
zmprov gcf zimbraSSLExcludeCipherSuites
zmprov mcf +zimbraSSLExcludeCipherSuites "^.*_(MD5|SHA|SHA1)$" +zimbraSSLExcludeCipherSuites "^TLS_RSA_.*"
zmprov gcf zimbraMailboxdSSLProtocols
zmprov mcf -zimbraMailboxdSSLProtocols "SSLv2Hello"
The warnings will no longer appear on subsequent restarts.
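Before applying the change, it is worth confirming that the two exclusion patterns actually cover every suite Jetty warned about, since a suite the patterns miss will keep being reported. The script below is an added example, not part of the Zimbra article: it pulls the suite names out of a constructed excerpt of the startup log, applies the two patterns from the zmprov command above (Jetty matches each pattern against the whole suite name, so fullmatch is used), and reports which warnings will be silenced and which suites would remain enabled.

```python
import re

# Exclusion patterns exactly as added with zmprov mcf on this page.
EXCLUDE_PATTERNS = [r"^.*_(MD5|SHA|SHA1)$", r"^TLS_RSA_.*"]

# Constructed excerpt of the Jetty startup output shown above (subset of the warnings).
SAMPLE_LOG = """\
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.621:INFO:oejs.AbstractConnector:main: Started ServerConnector@6622fc65{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
"""

# Matches the "Weak cipher suite <NAME> enabled" warning emitted by Jetty's SslContextFactory.
WARN_RE = re.compile(r"WARN:oejusS\.config:\S+ Weak cipher suite (\S+) enabled")


def warned_suites(log_text):
    """Return the suite names Jetty flagged as weak, in log order, duplicates dropped."""
    seen = []
    for line in log_text.splitlines():
        m = WARN_RE.search(line)
        if m and m.group(1) not in seen:
            seen.append(m.group(1))
    return seen


def is_excluded(suite, patterns=EXCLUDE_PATTERNS):
    """True if any exclusion pattern matches the whole suite name (Jetty semantics)."""
    return any(re.fullmatch(p, suite) for p in patterns)


def classify(suites, patterns=EXCLUDE_PATTERNS):
    """Split suites into (excluded by the patterns, still enabled after the change)."""
    excluded = [s for s in suites if is_excluded(s, patterns)]
    remaining = [s for s in suites if not is_excluded(s, patterns)]
    return excluded, remaining


if __name__ == "__main__":
    excluded, remaining = classify(warned_suites(SAMPLE_LOG))
    print("silenced:", excluded)
    print("still enabled after change:", remaining)
```

Running it against the full log from the Problem section gives an empty "still enabled" list, which is why the warnings stop on the next restart; a PFS AEAD suite such as TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 matches neither pattern and stays available.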