How to disable SSLv3: Difference between revisions
Revision as of 18:01, 15 October 2014
How to disable SSLv3
Due to the recent discovery of a new SSL vulnerability (CVE-2014-3566, POODLE in SSLv3), this protocol is now considered unsafe. This is a protocol flaw, and Zimbra may include patches or configuration changes in future releases. Please check the existing bug: https://bugzilla.zimbra.com/show_bug.cgi?id=95976.
As a workaround, this guide shows how to disable SSLv3 in Zimbra. It has been tested on the ZCS 8.0.8 and 8.5.0 releases.
Postfix
8.5.x
zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv3'
(Inside single quotes the shell passes a backslash through literally, so the stored value would become \!SSLv3, which Postfix does not recognise; write !SSLv3 without the backslash. The backslash is only needed when the value is unquoted, as in the 8.0.x command.)
8.0.x
postconf -e smtpd_tls_protocols=\!SSLv3
Run "zmmtactl stop ; zmmtactl start" to apply the changes immediately, or wait for mailboxd to rewrite the Postfix configuration from LDAP after 2 minutes.
If you are already disabling ciphers by following http://wiki.zimbra.com/wiki/Postfix_PCI_Compliance_in_ZCS, please also add SSLv3 to the excluded protocols:
8.5.x
zmprov mcf zimbraMtaSmtpdTlsCiphers high
zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv3,!SSLv2,TLSv1,TLSv2'
zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high
zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES'
8.0.x
zmlocalconfig -e smtpd_tls_ciphers=high
postconf -e smtpd_tls_protocols=\!SSLv3,\!SSLv2,TLSv1,TLSv2
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES
Run "zmmtactl stop ; zmmtactl start" to apply the changes.
Note that smtpd_tls_protocols and smtpd_tls_exclude_ciphers will need to be set after every upgrade as there is no way to preserve them in ZCS 8.0 and previous.
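Two things are easy to get wrong in the Postfix commands above: what the shell actually hands to zmprov or postconf (a backslash survives inside single quotes but is consumed when the value is unquoted), and which protocol names Postfix accepts. The script below is an added example written for this page, not Zimbra or Postfix code. It splits a command line the way a POSIX shell does and then applies a simplified model of Postfix's smtpd_tls_protocols rules (assumed here: names SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2; a leading "!" excludes; bare names restrict to those names; exclusion wins; an unrecognised name, such as the "TLSv2" in the PCI list above, causes Postfix to reject the whole list and log a warning). The function names are my own.

```python
"""Audit a zmprov/postconf command that sets a Postfix TLS protocol list.

Added example for this wiki page, not Zimbra or Postfix code. The protocol
rules are a simplified model of Postfix's smtpd_tls_protocols handling
(assumption), good enough to catch the two mistakes discussed on the page.
"""
import re
import shlex

# Protocol names Postfix recognises in smtpd_tls_protocols (assumption: Postfix 2.x era).
KNOWN_PROTOCOLS = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2")


def postfix_enabled_protocols(value: str) -> set:
    """Return the protocols Postfix would leave enabled for a smtpd_tls_protocols value.

    Modelled rules: tokens are separated by whitespace, commas or colons; a leading
    '!' excludes a protocol; a list of bare names enables only those; an exclusion
    wins over an inclusion; an unrecognised name makes Postfix reject the whole
    list (it logs a warning and TLS is not enabled), modelled here as ValueError.
    """
    include, exclude = set(), set()
    for token in (t for t in re.split(r"[\s,:]+", value) if t):
        negate = token.startswith("!")
        name = token[1:] if negate else token
        match = next((p for p in KNOWN_PROTOCOLS if p.lower() == name.lower()), None)
        if match is None:
            raise ValueError(f"unknown TLS protocol name {token!r} in {value!r}")
        (exclude if negate else include).add(match)
    enabled = include if include else set(KNOWN_PROTOCOLS)
    return enabled - exclude


def argv_seen_by_program(command_line: str) -> list:
    """Split a command line as a POSIX shell would (no history expansion, as in a script)."""
    return shlex.split(command_line)


def audit(command_line: str) -> str:
    """Verdict for a zmprov or postconf command whose last argument is the protocol list."""
    value = argv_seen_by_program(command_line)[-1]
    if value.startswith("smtpd_tls_protocols="):          # postconf -e key=value form
        value = value.split("=", 1)[1]
    try:
        enabled = postfix_enabled_protocols(value)
    except ValueError as err:
        return f"INVALID: {err}"
    if "SSLv3" in enabled:
        return f"SSLv3 STILL ENABLED: {sorted(enabled)}"
    return f"ok, enabled: {sorted(enabled)}"


if __name__ == "__main__":
    # Constructed command lines: the three spellings a reader is likely to type.
    for cmd in (
        r"zmprov mcf zimbraMtaSmtpdTlsProtocols '\!SSLv3'",     # backslash kept by single quotes
        "zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv3'",        # what zmprov should receive
        r"postconf -e smtpd_tls_protocols=\!SSLv3",              # unquoted: backslash consumed
        r"postconf -e smtpd_tls_protocols=\!SSLv3,\!SSLv2,TLSv1,TLSv2",
    ):
        print(f"{cmd}\n  -> {audit(cmd)}")
```

After applying the real change, the equivalent check on the server is to read back the value with postconf smtpd_tls_protocols and look in the mail log for TLS warnings after the restart.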
Nginx
8.5.x
For https and Admin UI:
Please edit /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
and add the following line inside the server { } block:
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Example:
# HTTPS Proxy Default Configuration
#
server
{
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ${core.ipboth.enabled}listen [::]:${web.https.port} default;
    [...]
Apply the same change at /opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.default.template
If you are using SSO with Client certificates, also edit /opt/zimbra/conf/nginx/templates/nginx.conf.web.sso.default.template.
For imaps and pop3s:
Please edit /opt/zimbra/conf/nginx/templates/nginx.conf.mail.pop3s.default.template
Example:
# POP3S proxy default configuration
#
server
{
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    [...]
Apply the same change at /conf/nginx/templates/nginx.conf.mail.imaps.default.template
Restart the proxy servers with: "zmproxyctl stop ; zmproxyctl start"
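Once Postfix and the proxy have been restarted, the change should be verified from the outside rather than assumed. Modern OpenSSL builds no longer offer "openssl s_client -ssl3", so the added example below (written for this page, not Zimbra code) sends a raw SSLv3 ClientHello itself, with SMTP STARTTLS on port 25 and direct TLS on 443, 993 and 995, and classifies the server's first record: an alert means SSLv3 is refused, an SSLv3 ServerHello means it is still accepted. The cipher list, the fixed client random and the function names are my own choices; the port list is an assumption about a standard Zimbra host.

```python
"""Probe whether an endpoint still accepts SSLv3 (added example, not Zimbra code).

Sends a minimal SSLv3 ClientHello and looks at the first record that comes
back, so it works even where the local OpenSSL has SSLv3 compiled out.
"""
import socket
import struct
import sys

SSL3_VERSION = b"\x03\x00"
# A few SSLv3-era cipher suites so a server that still speaks SSLv3 can pick one
# (AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA, RC4-MD5). Constructed for this probe.
PROBE_CIPHERS = b"\x00\x2f\x00\x35\x00\x0a\x00\x05\x00\x04"


def build_sslv3_client_hello() -> bytes:
    """Minimal SSLv3 ClientHello record: version 3.0, fixed random, no session, no extensions."""
    body = (
        SSL3_VERSION
        + b"\x11" * 32                                     # client random: fixed, this is only a probe
        + b"\x00"                                          # session id length 0
        + struct.pack("!H", len(PROBE_CIPHERS)) + PROBE_CIPHERS
        + b"\x01\x00"                                      # one compression method: null
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1 = ClientHello, 24-bit length
    return b"\x16" + SSL3_VERSION + struct.pack("!H", len(handshake)) + handshake


def classify_response(data: bytes) -> str:
    """'refused' for an alert record, 'accepted' for an SSLv3 ServerHello, else 'unknown'."""
    if len(data) < 5:
        return "unknown"                                   # empty read: peer closed without an alert
    if data[0] == 0x15:                                    # alert (handshake_failure, protocol_version, ...)
        return "refused"
    if data[0] == 0x16 and len(data) >= 11 and data[5] == 0x02 and data[9:11] == SSL3_VERSION:
        return "accepted"                                  # handshake record carrying a ServerHello for 3.0
    return "unknown"


def _smtp_reply(sock: socket.socket) -> str:
    """Read one (possibly multi-line) SMTP reply; the final line has a space after the code."""
    buf = b""
    while True:
        chunk = sock.recv(4096)
        if not chunk:
            raise ConnectionError("SMTP peer closed the connection")
        buf += chunk
        lines = buf.decode("ascii", "replace").split("\r\n")
        complete = lines[:-1]                              # last element is the unfinished tail
        if any(len(ln) >= 4 and ln[3] == " " for ln in complete):
            return complete[-1]


def probe(host: str, port: int, starttls: bool = False, timeout: float = 5.0) -> str:
    """Connect, optionally upgrade via SMTP STARTTLS, send the SSLv3 hello, classify the reply."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        if starttls:
            _smtp_reply(sock)                              # 220 banner
            sock.sendall(b"EHLO sslv3-probe.invalid\r\n")
            _smtp_reply(sock)
            sock.sendall(b"STARTTLS\r\n")
            if not _smtp_reply(sock).startswith("220"):
                return "unknown"                           # STARTTLS not offered on this port
        sock.sendall(build_sslv3_client_hello())
        try:
            return classify_response(sock.recv(4096))
        except socket.timeout:
            return "unknown"                               # silently dropped; inspect manually


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    # Assumed Zimbra ports: SMTP with STARTTLS, then HTTPS, IMAPS and POP3S.
    for port, use_starttls in ((25, True), (443, False), (993, False), (995, False)):
        print(f"{target}:{port} SSLv3 {probe(target, port, starttls=use_starttls)}")
```

Run it as "python3 sslv3_probe.py mail.example.com" against your own server; every line should read "refused" after the changes above. A result of "unknown" means the server closed the connection or answered with something other than an alert or an SSLv3 ServerHello, which is worth a second look with a packet capture.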