Difference between revisions of "How to disable SSLv3"

(Created page with "Due to the recent discovery of a new SSL vulnerability (CVE-2014-3566: Poodle SSLv3), SSLv3 has been considered unsafe. This is a protocol flaw and Zimbra might include patche...")
 
Line 1: Line 1:
Due to the recent discovery of a new SSL vulnerability (CVE-2014-3566: Poodle SSLv3), SSLv3 has been considered unsafe. This is a protocol flaw and Zimbra might include patches or configuration changes in future releases.  
+
Due to the recent discovery of a new SSL vulnerability (CVE-2014-3566: Poodle SSLv3), this protocol has been considered unsafe. This is a protocol flaw and Zimbra might include patches or configuration changes in future releases. Please check existing Bug https://bugzilla.zimbra.com/show_bug.cgi?id=95976.
  
 
As a workaround, this guide will help you on how to disable SSLv3 with Zimbra. This has been tested on both ZCS 8.0.8 and 8.5.0 releases.
 
As a workaround, this guide will help you on how to disable SSLv3 with Zimbra. This has been tested on both ZCS 8.0.8 and 8.5.0 releases.
 +
 +
== Postfix ==
 +
 +
=== 8.5.x ===
 +
 +
<nowiki>zmprov mcf zimbraMtaSmtpdTlsProtocols '\!SSLv3'</nowiki>
 +
 +
=== 8.0.x ===
 +
 +
postconf -e smtpd_tls_protocols=\!SSLv3
 +
 +
Run "zmmtactl stop ; zmmtactl start" to force the changes or wait for mailboxd to rewrite Postfix config from LDAP after 2 minutes.
 +
 +
If you are already disabling ciphers by following http://wiki.zimbra.com/wiki/Postfix_PCI_Compliance_in_ZCS, please also include SSLv3:
 +
 +
=== 8.5.x ===
 +
 +
zmprov mcf zimbraMtaSmtpdTlsCiphers high
 +
zmprov mcf zimbraMtaSmtpdTlsProtocols '\!SSLv3,\!SSLv2,TLSv1,TLSv2'
 +
zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high
 +
zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES'
 +
 +
=== 8.0.x ===
 +
 +
zmlocalconfig -e smtpd_tls_ciphers=high
 +
postconf -e smtpd_tls_protocols=\!SSLv3,\!SSLv2,TLSv1,TLSv2
 +
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
 +
postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES
 +
 +
Run "zmmtactl stop ; zmmtactl start" to apply the changes.
 +
 +
Note that smtpd_tls_protocols and smtpd_tls_exclude_ciphers will need to be set after every upgrade as there is no way to preserve them in ZCS 8.0 and previous.
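Review bot: In the 8.5.x line `zmprov mcf zimbraMtaSmtpdTlsProtocols '\!SSLv3'` the backslash sits inside single quotes, so the shell passes it through literally and, unless zmprov strips it, the attribute ends up as `\!SSLv3` rather than `!SSLv3`; single quotes already stop history expansion, so `'!SSLv3'` is the form to store, and the stored value is worth confirming with `zmprov gcf zimbraMtaSmtpdTlsProtocols` (the unquoted 8.0.x form `postconf -e smtpd_tls_protocols=\!SSLv3` is fine, because there the shell consumes the backslash). The four-value lists in the PCI section also name `TLSv2`, which is not a Postfix protocol name (Postfix knows SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2), so either spell out the TLS 1.1/1.2 names that are meant or keep the list in pure exclusion form, `!SSLv2,!SSLv3`.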

Revision as of 17:52, 15 October 2014

Due to the recent discovery of a new SSL vulnerability (CVE-2014-3566: POODLE), SSLv3 is considered unsafe. This is a protocol flaw, and Zimbra might include patches or configuration changes in future releases. See the existing bug https://bugzilla.zimbra.com/show_bug.cgi?id=95976.

As a workaround, this guide explains how to disable SSLv3 in Zimbra. This has been tested on both the ZCS 8.0.8 and 8.5.0 releases.

Postfix

8.5.x

zmprov mcf zimbraMtaSmtpdTlsProtocols '\!SSLv3'

8.0.x

postconf -e smtpd_tls_protocols=\!SSLv3

Run "zmmtactl stop ; zmmtactl start" to apply the change immediately, or wait about 2 minutes for mailboxd to rewrite the Postfix configuration from LDAP.

If you are already restricting ciphers by following http://wiki.zimbra.com/wiki/Postfix_PCI_Compliance_in_ZCS, add SSLv3 to the excluded protocols there as well:

8.5.x

zmprov mcf zimbraMtaSmtpdTlsCiphers high

zmprov mcf zimbraMtaSmtpdTlsProtocols '\!SSLv3,\!SSLv2,TLSv1,TLSv2'

zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high

zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES'

8.0.x

zmlocalconfig -e smtpd_tls_ciphers=high

postconf -e smtpd_tls_protocols=\!SSLv3,\!SSLv2,TLSv1,TLSv2

zmlocalconfig -e smtpd_tls_mandatory_ciphers=high

postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES

Run "zmmtactl stop ; zmmtactl start" to apply the changes.

Note that smtpd_tls_protocols and smtpd_tls_exclude_ciphers need to be set again after every upgrade, as there is no way to preserve them in ZCS 8.0 and earlier.
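Because the 8.0.x settings are lost on every upgrade and the 8.5.x value goes through a shell quoting step, it helps to have a check that reads the protocol list back and says whether SSLv3 is still enabled. The following POSIX sh function is an added example, not code from the wiki page or from Zimbra: it audits a Postfix protocol list value, such as the output of `postconf -h smtpd_tls_protocols` on 8.0.x or of `zmprov gcf zimbraMtaSmtpdTlsProtocols` on 8.5.x, using Postfix's list semantics (a `!name` entry always excludes that protocol, a bare name switches the list to inclusion form, an empty list enables everything), and flags any token that is not a Postfix protocol name, which catches both a `TLSv2` typo and a backslash stored by quoting `\!SSLv3` inside single quotes. The function names and the sample values are my own.

```shell
#!/bin/sh
# Added example (not from the Zimbra wiki): audit a Postfix smtpd_tls_protocols
# value and report whether SSLv3 would still be negotiated.
# Feed it the live value, e.g. audit_protocols "$(postconf -h smtpd_tls_protocols)"
# on 8.0.x, or the output of "zmprov gcf zimbraMtaSmtpdTlsProtocols" on 8.5.x.

# Protocol names Postfix accepts in its protocol lists (TLSv1.3 only on newer Postfix).
KNOWN_PROTOCOLS="SSLv2 SSLv3 TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

# Split a Postfix list (comma and/or space separated) into one token per line.
split_list() {
    printf '%s\n' "$1" | tr ',' ' ' | tr -s ' ' '\n' | sed '/^$/d'
}

# is_known NAME: succeed if NAME is a protocol name Postfix understands.
is_known() {
    for k in $KNOWN_PROTOCOLS; do
        [ "$1" = "$k" ] && return 0
    done
    return 1
}

# audit_protocols VALUE: prints OK, SSLV3-ALLOWED or UNKNOWN-NAME:<token>.
# Postfix list semantics assumed here: "!name" always excludes that protocol;
# a bare name switches the list to inclusion form, where only the listed
# protocols are enabled; an empty list enables everything.
audit_protocols() {
    value=$1
    inclusions=0
    sslv3_included=0
    sslv3_excluded=0
    for tok in $(split_list "$value"); do
        name=${tok#!}
        # A typo such as TLSv2, or a literal backslash stored by quoting
        # "\!SSLv3" inside single quotes, is not a Postfix protocol name.
        if ! is_known "$name"; then
            printf 'UNKNOWN-NAME:%s\n' "$tok"
            return 1
        fi
        case $tok in
            '!SSLv3') sslv3_excluded=1 ;;
            '!'*)     ;;
            SSLv3)    inclusions=1; sslv3_included=1 ;;
            *)        inclusions=1 ;;
        esac
    done
    if [ "$sslv3_excluded" -eq 1 ]; then
        echo OK
        return 0
    fi
    if [ "$inclusions" -eq 1 ] && [ "$sslv3_included" -eq 0 ]; then
        echo OK
        return 0
    fi
    echo SSLV3-ALLOWED
    return 1
}

# Constructed sample values standing in for what a real host reports.
for v in '!SSLv3' '!SSLv3,!SSLv2,TLSv1,TLSv2' ''; do
    printf '%-32s -> %s\n' "$v" "$(audit_protocols "$v")"
done
```

The function exits non-zero for anything other than OK, so it can sit in a post-upgrade script that refuses to finish until the protocol list has been re-applied.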
