Difference between revisions of "How to disable SSLv3"

Revision as of 20:40, 15 October 2014

Admin Article

Article Information

This article applies to the following ZCS versions: ZCS 8.0 and ZCS 8.5.

How to disable SSLv3

Due to the recent discovery of a new SSL vulnerability (CVE-2014-3566, POODLE), SSLv3 is now considered unsafe. This is a flaw in the protocol itself; Zimbra might include patches or configuration changes in future releases. Please check the existing bug https://bugzilla.zimbra.com/show_bug.cgi?id=95976 for more information.

As a workaround, this guide explains how to disable SSLv3 in Zimbra. It has been tested on both the ZCS 8.0.8 and 8.5.0 releases.

Note: disabling SSLv3 might prevent older browsers from connecting to Zimbra over SSL, as they don't support TLS 1.0.

Postfix (MTA)

ZCS 8.5.x

zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'

ZCS 8.0.x

On the MTA server, run:

postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'

Run "zmmtactl stop ; zmmtactl start" to apply the changes immediately, or wait for mailboxd to rewrite the Postfix config from LDAP after 2 minutes.

Note that smtpd_tls_protocols will need to be set again after every upgrade, as there is no way to preserve it in ZCS 8.0 and earlier.

Testing Postfix STARTTLS

Run openssl, forcing SSLv3:

openssl s_client -connect mail.example.com:25 -ssl3 -starttls smtp

Confirm that the connection is refused with an "ssl handshake failure":

CONNECTED(00000003)
140701008086856:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140701008086856:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
SSL handshake has read 220 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : SSLv3
   Cipher    : 0000
   Session-ID:
   Session-ID-ctx:
   Master-Key:
   Key-Arg   : None
   Krb5 Principal: None
   PSK identity: None
   PSK identity hint: None
   Start Time: 1413400965
   Timeout   : 7200 (sec)
   Verify return code: 0 (ok)

Testing Postfix SMTP-SSL

timeout 3 openssl s_client -connect mail.example.com:465 -ssl3

If it shows a failure, that's good: the server doesn't support SSLv3:

140532971947680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140532971947680:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

Nginx (Proxy)

ZCS 8.5.x

For https and Admin UI, please edit /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and /opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.default.template. Include the following line under the server { } configuration:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Example:

# HTTPS Proxy Default Configuration
#
server
{
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ${core.ipboth.enabled}listen                  [::]:${web.https.port} default;

[...]

If you are using SSO with Client certificates, also edit /opt/zimbra/conf/nginx/templates/nginx.conf.web.sso.default.template.

For imaps and pop3s, please edit /opt/zimbra/conf/nginx/templates/nginx.conf.mail.pop3s.default.template and /opt/zimbra/conf/nginx/templates/nginx.conf.mail.imaps.default.template:

Example:

# POP3S proxy default configuration
#
server
{
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

[...]

Restart the proxy servers with the following:

zmproxyctl restart

ZCS 8.0.x

For all nginx templates in /opt/zimbra/conf/nginx/templates/ that use SSL, set the ssl_protocols option:

/opt/zimbra/conf/nginx/templates/:

nginx.conf.mail.imap.default.template
nginx.conf.mail.imaps.default.template
nginx.conf.mail.imaps.template
nginx.conf.mail.imap.template
nginx.conf.mail.pop3.default.template
nginx.conf.mail.pop3s.default.template
nginx.conf.mail.pop3s.template
nginx.conf.mail.pop3.template
nginx.conf.web.admin.default.template
nginx.conf.web.admin.template
nginx.conf.web.https.default.template
nginx.conf.web.https.template
nginx.conf.web.sso.default.template
nginx.conf.web.sso.template

For example, you will see an "ssl" block in each of these within the server { } section:

   ssl                     on;
   ssl_prefer_server_ciphers ${web.ssl.preferserverciphers};
   ssl_ciphers             ${web.ssl.ciphers};
   ssl_certificate         ${ssl.crt.default};
   ssl_certificate_key     ${ssl.key.default};

Add the following to the end of the ssl section:

   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

The result will look something like this (may vary per file):

server
{
   ${core.ipboth.enabled}listen                  [::]:${web.https.port} default;
   ${core.ipv4only.enabled}listen                ${web.https.port} default;
   ${core.ipv6only.enabled}listen                [::]:${web.https.port} default ipv6only=on;
   server_name             ${web.server_name.default}.default;
   client_max_body_size    0;
   ssl                     on;
   ssl_prefer_server_ciphers ${web.ssl.preferserverciphers};
   ssl_ciphers             ${web.ssl.ciphers};
   ssl_certificate         ${ssl.crt.default};
   ssl_certificate_key     ${ssl.key.default};
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
...

Restart the proxy servers with the following:

zmproxyctl restart
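Fourteen template files are easy to get wrong by hand. The script below is an added example, not part of the wiki page or of Zimbra's own tooling: it walks a template directory and reports, for every template that uses SSL, whether the ssl_protocols directive is present and free of SSLv3. It assumes a template "uses SSL" when it carries an ssl_certificate directive, and the function names (nginx_ssl3_audit, nginx_ssl3_ok, make_sample_templates) and the sample templates it writes are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of Zimbra's own tooling:
# audit the nginx templates after editing them, so a forgotten file or a
# leftover "SSLv3" in an ssl_protocols line is reported instead of silently
# shipping. Assumption: a template uses SSL if it carries an ssl_certificate
# directive (the https/admin/sso, imaps/pop3s and STARTTLS imap/pop3 ones do).

# nginx_ssl3_audit DIR
# Prints one line per SSL template: "<file> ok", "<file> missing" (no
# ssl_protocols directive; nginx builds older than 1.9.1 then default to
# allowing SSLv3) or "<file> allows-sslv3".
nginx_ssl3_audit() {
    for f in "$1"/*.template; do
        [ -f "$f" ] || continue
        grep -q '^[[:space:]]*ssl_certificate' "$f" || continue
        name=$(basename "$f")
        if ! grep -q '^[[:space:]]*ssl_protocols[[:space:]]' "$f"; then
            echo "$name missing"
        elif grep '^[[:space:]]*ssl_protocols[[:space:]]' "$f" | grep -q 'SSLv3'; then
            echo "$name allows-sslv3"
        else
            echo "$name ok"
        fi
    done
}

# nginx_ssl3_ok DIR: succeed only when every SSL template is "ok".
nginx_ssl3_ok() {
    ! nginx_ssl3_audit "$1" | grep -qv ' ok$'
}

# make_sample_templates DIR: write constructed templates (not real Zimbra
# files) covering the three verdicts plus a non-SSL file that must be skipped.
make_sample_templates() {
    mkdir -p "$1"
    cat > "$1/nginx.conf.web.https.default.template" <<'EOF'
server
{
    ssl                     on;
    ssl_certificate         ${ssl.crt.default};
    ssl_certificate_key     ${ssl.key.default};
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
    cat > "$1/nginx.conf.mail.imaps.default.template" <<'EOF'
server
{
    ssl                     on;
    ssl_certificate         ${ssl.crt.default};
    ssl_certificate_key     ${ssl.key.default};
}
EOF
    cat > "$1/nginx.conf.mail.pop3s.default.template" <<'EOF'
server
{
    ssl                     on;
    ssl_certificate         ${ssl.crt.default};
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
}
EOF
    printf 'server\n{\n    listen 80;\n}\n' > "$1/nginx.conf.web.http.default.template"
}

if [ "$#" -eq 1 ]; then
    nginx_ssl3_audit "$1"   # e.g. /opt/zimbra/conf/nginx/templates
fi
```

Run it as `sh audit.sh /opt/zimbra/conf/nginx/templates` before `zmproxyctl restart`; anything other than "ok" on every line means a template still needs the edit. The check is textual and does not confirm that the directive sits inside the server { } block, so keep the openssl verification at the end of the page as the final word.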

Jetty (mailboxd)

ZCS 8.0.x

We have provided downloadable replacements for /opt/zimbra/jetty/etc/jetty.xml.in for IRONMAIDEN. Make sure you back up the original jetty.xml.in first.

ZCS 8.0.0-8.0.2 http://files.zimbra.com/downloads/support/bug95976/jetty/800-802/jetty.xml.in

ZCS 8.0.3 http://files.zimbra.com/downloads/support/bug95976/jetty/803/jetty.xml.in

ZCS 8.0.4-8.0.6 http://files.zimbra.com/downloads/support/bug95976/jetty/804-806/jetty.xml.in

ZCS 8.0.7-8.0.8 http://files.zimbra.com/downloads/support/bug95976/jetty/807-808/jetty.xml.in

Alternatively, you can edit the file yourself. Find the SslSelectChannelConnector instances in /opt/zimbra/jetty/etc/jetty.xml.in:

$ grep SslSelectChannel jetty.xml.in

        <New id="ssl" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <New id="ssl-clientcert" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <New id="admin" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <New id="admin_local" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">

Under each, add the following XML:

<Get name="SslContextFactory">
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSLv3</Item>
    </Array>
  </Set>
</Get>

Don't forget to run "zmmailboxdctl restart" to apply the changes.
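Since the XML above has to be repeated under four connectors, a quick way to see which ones still lack it is useful. The script below is an added example, not part of the wiki page or of Zimbra: it reports, for each SslSelectChannelConnector in a jetty.xml(.in), whether an `<Item>SSLv3</Item>` exclusion follows it. It assumes that a connector's ExcludeProtocols entry appears after that connector's `<New ...>` line and before the next connector's, which is how the snippet above is placed; the function names (jetty_ssl3_report, jetty_ssl3_ok, make_sample_jetty_xml) and the sample file it writes are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the wiki page or from Zimbra): report, for every
# SslSelectChannelConnector in a jetty.xml(.in), whether SSLv3 is excluded.
# Assumption: the <Item>SSLv3</Item> exclusion belonging to a connector sits
# between that connector's <New ...> line and the next connector's.

# jetty_ssl3_report FILE: one line per connector, "<id>: SSLv3 excluded" or
# "<id>: SSLv3 NOT excluded".
jetty_ssl3_report() {
    awk '
        function flush() {
            if (id != "") print id ": " (excluded ? "SSLv3 excluded" : "SSLv3 NOT excluded")
        }
        /class="org\.eclipse\.jetty\.server\.ssl\.SslSelectChannelConnector"/ {
            flush()                       # finish the previous connector
            match($0, /id="[^"]*"/)
            id = substr($0, RSTART + 4, RLENGTH - 5)
            excluded = 0
            next
        }
        id != "" && /<Item>SSLv3<\/Item>/ { excluded = 1 }
        END { flush() }
    ' "$1"
}

# jetty_ssl3_ok FILE: succeed only if every connector excludes SSLv3.
jetty_ssl3_ok() {
    ! jetty_ssl3_report "$1" | grep -q 'NOT excluded'
}

# make_sample_jetty_xml FILE: a constructed, cut-down jetty.xml (not the real
# Zimbra file) with one fixed and one unfixed connector.
make_sample_jetty_xml() {
    cat > "$1" <<'EOF'
<Configure id="Server" class="org.eclipse.jetty.server.Server">
  <Call name="addConnector">
    <Arg>
      <New id="ssl" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Set name="Port">8443</Set>
        <Get name="SslContextFactory">
          <Set name="ExcludeProtocols">
            <Array type="java.lang.String">
              <Item>SSLv3</Item>
            </Array>
          </Set>
        </Get>
      </New>
    </Arg>
  </Call>
  <Call name="addConnector">
    <Arg>
      <New id="admin" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <Set name="Port">7071</Set>
      </New>
    </Arg>
  </Call>
</Configure>
EOF
}

if [ "$#" -eq 1 ]; then
    jetty_ssl3_report "$1"   # e.g. /opt/zimbra/jetty/etc/jetty.xml.in
fi
```

Run it against jetty.xml.in before restarting mailboxd; every connector should print "SSLv3 excluded". The awk pass is line-oriented and does not parse the XML, so it only confirms the Item is present near each connector, not that the document is well-formed; mailboxd failing to start after the restart is the signal for that.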

ZCS 8.5.x

Verifying

To verify that the changes have taken effect, run the following command (as the zimbra user) for every port that uses SSL:

openssl s_client -connect `zmhostname`:<port> -ssl3 |grep failure

For example, for port 443:

openssl s_client -connect `zmhostname`:443 -ssl3

If it shows a failure, that's good: the server doesn't support SSLv3:

140532971947680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140532971947680:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

If instead you are seeing:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported

SSLv3 is still enabled and you need to re-check the changes.

Here is a command to verify common ports when using the Zimbra proxy (run this at the proxy):

for p in 993 995 443 ; do echo Port $p ; timeout 3 openssl s_client -connect `zmhostname`:$p -ssl3 |grep failure ; done

If you are proxying the admin UI, also add port 9071, 7071 or whichever port you have configured. If you are proxying SSO requests, also add port 3443.

List of ports:

443 - HTTPS
993 - IMAP-SSL
995 - POP3-SSL
9071 - AdminUI SSL
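The "grep failure" loop above has a blind spot: it prints nothing for a port that still accepts SSLv3, and it also prints nothing when the local openssl was built without SSLv3 support (the default from OpenSSL 1.1.0 on), and the two cases look identical. The script below is an added example, not part of the wiki page or of Zimbra's tooling: it classifies the s_client output into a one-word verdict per port. The function names (classify_ssl3_output, check_ssl3_port) are constructed; the first two sample outputs are copied from this page, and the third is a constructed "unknown option" message.

```shell
#!/bin/sh
# Added example, not part of the wiki page or of Zimbra's tooling: give each
# probed port a clear verdict instead of relying on whether "failure" is
# printed. Distinguishes a server that refuses SSLv3 from a client that cannot
# even offer it.

# classify_ssl3_output: reads "openssl s_client -ssl3" output on stdin and
# prints one word:
#   disabled   - server rejected the SSLv3 handshake (the goal)
#   enabled    - an SSLv3 session with a real cipher was negotiated
#   untestable - local openssl lacks -ssl3, or the TCP connect failed
#   unknown    - no pattern matched; inspect the raw output
classify_ssl3_output() {
    out=$(tr '[:upper:]' '[:lower:]')
    case "$out" in
        *"unknown option"*|*"connect:errno"*|*"connection refused"*)
            echo untestable ;;
        *"handshake failure"*|*"alert protocol version"*|*"cipher is (none)"*)
            echo disabled ;;
        *"cipher is "*)
            echo enabled ;;
        *)
            echo unknown ;;
    esac
}

# check_ssl3_port HOST PORT: run the probe and print "HOST:PORT verdict".
# </dev/null keeps s_client from waiting on the terminal; "timeout" is the
# GNU coreutils tool the wiki's own loop uses.
check_ssl3_port() {
    verdict=$(timeout 5 openssl s_client -connect "$1:$2" -ssl3 </dev/null 2>&1 \
              | classify_ssl3_output)
    printf '%s:%s %s\n' "$1" "$2" "$verdict"
}

# Sample outputs. The first two are copied from the wiki page; the third is a
# constructed message from an openssl built without SSLv3.
SAMPLE_REFUSED='140532971947680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140532971947680:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:'
SAMPLE_NEGOTIATED='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported'
SAMPLE_NO_SSL3_CLIENT='s_client: Unknown option: -ssl3'

# With a host argument, probe the proxy ports from the page (or the ports
# given after the host); without one, just classify the samples.
if [ "$#" -ge 1 ]; then
    host=$1; shift
    for p in ${*:-993 995 443}; do check_ssl3_port "$host" "$p"; done
else
    printf '%s\n' "$SAMPLE_REFUSED"        | classify_ssl3_output   # disabled
    printf '%s\n' "$SAMPLE_NEGOTIATED"     | classify_ssl3_output   # enabled
    printf '%s\n' "$SAMPLE_NO_SSL3_CLIENT" | classify_ssl3_output   # untestable
fi
```

Run it on the proxy as `sh ssl3check.sh $(zmhostname) 993 995 443 9071`; a line ending in "untestable" means the host you are testing from cannot speak SSLv3, so test from a machine with an older OpenSSL build rather than concluding the server is fixed.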
