How to disable SSLv3: Difference between revisions

Latest revision as of 23:51, 10 July 2015

How to disable SSLv3

KB 21246. Last updated on 2015-07-10

Last Update: 2:00, 15 January 2015 (UTC)

Due to the recent discovery of a new SSLv3 vulnerability (CVE-2014-3566: Poodle SSLv3), this protocol has been considered unsafe. This is a protocol flaw and Zimbra will include patches or configuration changes in future releases. Please check existing Bug https://bugzilla.zimbra.com/show_bug.cgi?id=95976 for more information.

As a workaround, this guide shows how to disable SSLv3 in Zimbra where possible. This has been tested on both the ZCS 8.0.8 and 8.5.0 releases.

Warnings:

  • The published attack vector, as demonstrated by the researchers, relies on controlling the plaintext sent to the server using JavaScript running on the victim's machine. Attacks via other vectors exist with varying levels of difficulty, and the use of SSLv3 will be deprecated in a future version of ZCS. This document includes information on how to disable SSLv3 for Postfix (MTA) and nginx (POP3-SSL and IMAP-SSL) for customers who want to do this now. At the moment, it is not possible to disable SSLv3 in mailboxd (Jetty) for POP3-SSL and IMAP-SSL (this will be fixed in 8.6.0, ref https://bugzilla.zimbra.com/show_bug.cgi?id=96040). Bug https://bugzilla.zimbra.com/show_bug.cgi?id=96041 is tracking the deprecation of SSLv3 in ZCS.
  • There may be issues with Windows Phone 7 (https://en.wikipedia.org/wiki/Windows_Phone_7) requiring SSLv3 (unconfirmed). Most users should already be on Windows Phone 8, as Windows Phone 7 was EOL'd by Microsoft on Oct 14, 2014.
  • Disabling SSLv3 for POP3-SSL and IMAP-SSL through nginx might prevent a few clients from connecting to Zimbra. Windows Phone 7 users are known to have this issue; it affects users of the Nokia Lumia 710 and Lumia 800 devices.
  • Using TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA in zimbraSSLExcludeCipherSuites prevents saslauthd (through libcurl) from working properly when it falls back to TLS. This affects smtpd authentication via zmauth. Remove it from your list of excluded ciphers with: zmprov mcf -zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA

Recommendation:

  • For multi-server installations where only your proxy/MTA hosts are exposed to the Internet, it should be enough to disable SSLv3 only on those hosts.

Note: We have received a few inquiries about the reported TLS protocol vulnerability via the POODLE attack [reference: see https://www.imperialviolet.org/2014/12/08/poodleagain.html by Adam Langley]. SSL/TLS services in ZCS come from OpenSSL and Java. This vulnerability does not affect OpenSSL (ref: http://www.mail-archive.com/openssl-users@openssl.org/msg75804.html) and Java is not known to be affected. See also: https://community.zimbra.com/support/security/b/weblog/archive/2014/12/11/poodle-revisited

Regarding ZCS 8.6.0:

By default, SSLv3 is now disabled/deprecated in ZCS 8.6.0; please see the bugs referenced below for more information:

  • Bug 96041 - "Deprecate use of SSLv3 in the product as a whole" https://bugzilla.zimbra.com/show_bug.cgi?id=96041
  • Bug 96171 - "Remove or no longer enable SSLv3 by default in zimbra-attrs.xml" https://bugzilla.zimbra.com/show_bug.cgi?id=96171

Nginx (Proxy)

ZCS 8.0.x / 8.5.x

Tarballs of the SSL-specific nginx configuration template files have been provided which disable SSLv3 for HTTPS/IMAPS/POP3S. Please make a backup of /opt/zimbra/conf/nginx/templates before proceeding.

ZCS 8.0.x http://files.zimbra.com/downloads/support/bug95976/nginx/nginx-ssl-templates-80x.tgz

ZCS 8.5.0 http://files.zimbra.com/downloads/support/bug95976/nginx/nginx-ssl-templates-850.tgz

Installation is the same for both ZCS 8.0.x and 8.5.0; just be sure to download the correct tarball for your ZCS version. To install, run as root:

 cd /opt/zimbra/conf/nginx/templates
 curl http://files.zimbra.com/downloads/support/bug95976/nginx/nginx-ssl-templates-80x.tgz | tar zxvf -   # on ZCS 8.5.0 fetch nginx-ssl-templates-850.tgz instead
 su - zimbra
 zmproxyctl restart

Alternatively, you can edit each nginx template file separately. For all nginx templates in /opt/zimbra/conf/nginx/templates/ that use SSL, set the ssl_protocols option:

/opt/zimbra/conf/nginx/templates/:

nginx.conf.mail.imaps.default.template
nginx.conf.mail.imaps.template
nginx.conf.mail.imap.default.template (for starttls)
nginx.conf.mail.imap.template (for starttls)
nginx.conf.mail.pop3s.default.template
nginx.conf.mail.pop3s.template
nginx.conf.mail.pop3.default.template (for starttls)
nginx.conf.mail.pop3.template (for starttls)
nginx.conf.mail.template
nginx.conf.web.admin.default.template
nginx.conf.web.admin.template
nginx.conf.web.https.default.template
nginx.conf.web.https.template
nginx.conf.web.sso.default.template
nginx.conf.web.sso.template

For example, you will see an "ssl" block in each of these within the server { } section:

   ssl                     on;
   ssl_prefer_server_ciphers ${web.ssl.preferserverciphers};
   ssl_ciphers             ${web.ssl.ciphers};
   ssl_certificate         ${ssl.crt.default};
   ssl_certificate_key     ${ssl.key.default};

Add the following to the end of the ssl section:

   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

The result will look something like this (may vary per file):

server
{
   ${core.ipboth.enabled}listen                  [::]:${web.https.port} default;
   ${core.ipv4only.enabled}listen                ${web.https.port} default;
   ${core.ipv6only.enabled}listen                [::]:${web.https.port} default ipv6only=on;
   server_name             ${web.server_name.default}.default;
   client_max_body_size    0;
   ssl                     on;
   ssl_prefer_server_ciphers ${web.ssl.preferserverciphers};
   ssl_ciphers             ${web.ssl.ciphers};
   ssl_certificate         ${ssl.crt.default};
   ssl_certificate_key     ${ssl.key.default};
   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
...

Restart the proxy servers with the following:

zmproxyctl restart

ZCS 7.x.y

Disabling SSLv3 on ZCS 7 must be performed manually, and is only possible for the nginx proxy and Postfix. The general recommendation is to use the nginx proxy on all ZCS sites, even single-server installations.

For all nginx templates in /opt/zimbra/conf/nginx/templates/ that use SSL, set the ssl_protocols option:

/opt/zimbra/conf/nginx/templates/:

nginx.conf.mail.imaps.default.template
nginx.conf.mail.imaps.template
nginx.conf.mail.imap.default.template (for starttls)
nginx.conf.mail.imap.template (for starttls)
nginx.conf.mail.pop3s.default.template
nginx.conf.mail.pop3s.template
nginx.conf.mail.pop3.default.template (for starttls)
nginx.conf.mail.pop3.template (for starttls)
nginx.conf.mail.template
nginx.conf.web.https.default.template
nginx.conf.web.https.template
nginx.conf.web.sso.default.template
nginx.conf.web.sso.template

For example, you will see an "ssl" block in each of these within the server { } section:

   ssl                     on;
   ssl_prefer_server_ciphers ${web.ssl.preferserverciphers};
   ssl_ciphers             ${web.ssl.ciphers};
   ssl_certificate         ${ssl.crt.default};
   ssl_certificate_key     ${ssl.key.default};

Note that nginx 0.9 is used in ZCS 7, so only the ssl_protocols option "TLSv1" is available. Add the following to the end of the ssl section:

   ssl_protocols TLSv1;

The result will look something like this (may vary per file):

server
{
   ${core.ipboth.enabled}listen                  [::]:${web.https.port} default;
   ${core.ipv4only.enabled}listen                ${web.https.port} default;
   ${core.ipv6only.enabled}listen                [::]:${web.https.port} default ipv6only=on;
   server_name             ${web.server_name.default}.default;
   client_max_body_size    0;
   ssl                     on;
   ssl_prefer_server_ciphers ${web.ssl.preferserverciphers};
   ssl_ciphers             ${web.ssl.ciphers};
   ssl_certificate         ${ssl.crt.default};
   ssl_certificate_key     ${ssl.key.default};
   ssl_protocols TLSv1;
...

Restart the proxy servers with the following:

zmproxyctl restart

Testing

You can run the following command to verify common ports when using the Zimbra proxy (run this at the proxy):

for p in 993 995 443 ; do echo Port $p ; timeout 3 openssl s_client -connect `zmhostname`:$p -ssl3 |grep failure ; done

If it shows a failure, it's good and we don't support SSLv3:

140532971947680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140532971947680:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

If you are seeing:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported

SSLv3 is still enabled and you need to verify the changes.

If you are proxying the admin UI, also add port 9071, 7071 or whichever port you have configured. If you are proxying SSO requests, also add port 3443.

Alternatively, you can test the following ports individually:

443 - HTTPS
993 - IMAP-SSL
995 - POP3-SSL
9071 or 7071 - AdminUI SSL

with

openssl s_client -connect host.zimbra.com:<port> -ssl3

Jetty (mailboxd)

ZCS 8.0.x

  • Note: at the moment, it is not possible to disable SSLv3 in mailboxd (Jetty) for POP3-SSL and IMAP-SSL. The jetty.xml.in files below only disable SSLv3 on HTTPS (443 and 7071).

We have provided downloadable replacement /opt/zimbra/jetty/etc/jetty.xml.in files for ZCS 8.0.x at the locations below. Make sure you back up the original jetty.xml.in first.

ZCS 8.0.0-8.0.2 http://files.zimbra.com/downloads/support/bug95976/jetty/800-802/jetty.xml.in

ZCS 8.0.3 http://files.zimbra.com/downloads/support/bug95976/jetty/803/jetty.xml.in

ZCS 8.0.4-8.0.6 http://files.zimbra.com/downloads/support/bug95976/jetty/804-806/jetty.xml.in

ZCS 8.0.7-8.0.8 http://files.zimbra.com/downloads/support/bug95976/jetty/807-808/jetty.xml.in

Alternatively, you can edit the file yourself: find the SslSelectChannelConnector instances in /opt/zimbra/jetty/etc/jetty.xml.in:

$ grep SslSelectChannel jetty.xml.in

        <New id="ssl" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <New id="ssl-clientcert" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <New id="admin" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
        <New id="admin_local" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">

Under each, add the following XML:

<Get name="SslContextFactory">
  <Set name="ExcludeProtocols">
    <Array type="java.lang.String">
      <Item>SSLv3</Item>
    </Array>
  </Set>
</Get>

Don't forget to run "zmmailboxdctl restart" to apply the changes.

ZCS 8.5.x

  • Note: at the moment, it is not possible to disable SSLv3 in mailboxd (Jetty) for POP3-SSL and IMAP-SSL.

Find the SslContextFactory in /opt/zimbra/jetty/etc/jetty.xml.in and add this XML:

<Set name="ExcludeProtocols">
  <Array type="java.lang.String">
       <Item>SSLv3</Item>
  </Array>
</Set>

Run "zmmailboxdctl restart" to apply the changes.

Testing

We should run the following command (as zimbra) for every port using SSL:

openssl s_client -connect `zmhostname`:<port> -ssl3

Example, for port 443:

openssl s_client -connect `zmhostname`:443 -ssl3

If it shows a failure, it's good and we don't support SSLv3:

140532971947680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140532971947680:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

or below (an example with ZCS 8.0.x and Jetty 7.6 w/SSLv3 successfully disabled):

CONNECTED(00000003)
write:errno=104
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : SSLv3
    Cipher    : 0000
    Session-ID:
    Session-ID-ctx:
    Master-Key:
    Key-Arg   : None
    Krb5 Principal: None
    PSK identity: None
    PSK identity hint: None
    Start Time: 1413506064
    Timeout   : 7200 (sec)
    Verify return code: 0 (ok)
---

If you are seeing:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported

SSLv3 is still enabled and you need to verify the changes.

List of common ports:

443 - HTTPS
993 - IMAP-SSL
995 - POP3-SSL
7071 - AdminUI SSL

Postfix (MTA)

Warnings:

  • Disabling SSLv3 might prevent older mail clients from connecting to Zimbra since they might not support TLS. This matters most on port 465 (SMTP-SSL), where encryption is mandatory (smtpd_tls_mandatory_protocols).


ZCS 8.5.x

At the MTA server, run (as zimbra):

zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'

Run "zmmtactl stop ; zmmtactl start" to force the changes on zimbraMtaSmtpdTlsProtocols or wait for zmconfigd to rewrite Postfix config from LDAP in 1 minute or less.

ZCS 8.0.x and ZCS 7.x.y

At the MTA server, run (as zimbra):

postconf -e smtpd_tls_protocols='!SSLv2,!SSLv3'
postconf -e smtpd_tls_mandatory_protocols='!SSLv2,!SSLv3'

Note that smtpd_tls_protocols and smtpd_tls_mandatory_protocols will need to be set after every upgrade for 8.0.x or 7.x.y versions.

Testing STARTTLS on port 25

Run openssl, forcing SSLv3:

openssl s_client -connect mail.example.com:25 -ssl3 -starttls smtp

Confirm that the connection is refused with an "ssl handshake failure":

CONNECTED(00000003)
140701008086856:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1257:SSL alert number 40
140701008086856:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:596:
---
SSL handshake has read 220 bytes and written 0 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
   Protocol  : SSLv3
   Cipher    : 0000
   Session-ID:
   Session-ID-ctx:
   Master-Key:
   Key-Arg   : None
   Krb5 Principal: None
   PSK identity: None
   PSK identity hint: None
   Start Time: 1413400965
   Timeout   : 7200 (sec)
   Verify return code: 0 (ok)

Testing SMTP-SSL

timeout 3 openssl s_client -connect mail.example.com:465 -ssl3

If it shows a failure, it's good and we don't support SSLv3:

140532971947680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140532971947680:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
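
The checks from the three Testing sections above (proxy ports, Jetty, and Postfix on 465 and STARTTLS on 25), combined into one added script that is not part of this page or of Zimbra: it probes each port with openssl s_client -ssl3, merges stdout and stderr, and classifies the output by the patterns shown above. It also recognises an OpenSSL build with no SSLv3 support at all, which cannot probe and would otherwise be mistaken for a refused handshake; the host argument, the zmhostname fallback and the port list are assumptions.

```shell
#!/bin/sh
# Added example (not Zimbra's own tooling): verify that SSLv3 is refused on
# every SSL-enabled Zimbra port, using the same openssl probe as the page.
# Usage: ./check_sslv3.sh [host]   (defaults to `zmhostname` when available)

# Classify captured "openssl s_client -ssl3" output (stdout and stderr merged).
# Prints one of: disabled | ENABLED | no-ssl3-in-openssl | inconclusive
ssl3_verdict() {
    out="$1"
    case "$out" in
        *"nknown option"*)
            # This OpenSSL build was compiled without SSLv3: it cannot probe,
            # so the result says nothing about the server.
            echo no-ssl3-in-openssl ;;
        *"handshake failure"*|*"Cipher is (NONE)"*|*"write:errno="*)
            # Alert 40 (handshake_failure) or the connection dropped before any
            # cipher was agreed: the server does not speak SSLv3.
            echo disabled ;;
        *"Cipher is "*)
            # A cipher was negotiated although only SSLv3 was offered.
            echo ENABLED ;;
        *)
            # Connection refused, timeout, no output: nothing to conclude.
            echo inconclusive ;;
    esac
}

# Probe one port; port 25 only offers TLS via STARTTLS, the rest are SSL-wrapped.
probe_port() {
    host="$1"; port="$2"
    if [ "$port" = 25 ]; then extra="-starttls smtp"; else extra=""; fi
    out=$(timeout 3 openssl s_client -connect "$host:$port" -ssl3 $extra </dev/null 2>&1 || true)
    ssl3_verdict "$out"
}

# Probe every listed port; returns 1 if any of them still accepts SSLv3.
check_host() {
    host="$1"; shift
    rc=0
    for port in "$@"; do
        v=$(probe_port "$host" "$port")
        echo "port $port: SSLv3 $v"
        [ "$v" = ENABLED ] && rc=1
    done
    return $rc
}

# 443 HTTPS, 993 IMAPS, 995 POP3S, 7071 admin UI, 465 SMTPS, 25 SMTP+STARTTLS.
# Add 9071 (proxied admin UI) or 3443 (proxied SSO) if your deployment uses them.
host="${1:-$(zmhostname 2>/dev/null || true)}"
if [ -n "$host" ]; then
    check_host "$host" 443 993 995 7071 465 25
fi
```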
Verified Against: Zimbra Collaboration Suite 8.6, 8.5, 8.0, 7.0 Date Created: 10/15/2014
Article ID: https://wiki.zimbra.com/index.php?title=How_to_disable_SSLv3 Date Modified: 2015-07-10


