Revision as of 18:52, 15 October 2014

Admin Article. This article applies to ZCS 8.0 and ZCS 8.5.

How to disable SSLv3

Due to the recently disclosed POODLE vulnerability (CVE-2014-3566), SSLv3 is considered unsafe. This is a flaw in the protocol itself, not in Zimbra, so the remedy is to stop offering SSLv3 at all; Zimbra may include patches or configuration changes in future releases. Please check the existing bug https://bugzilla.zimbra.com/show_bug.cgi?id=95976 for more information.

As a workaround, this guide shows how to disable SSLv3 in Zimbra. It has been tested on both the ZCS 8.0.8 and 8.5.0 releases.

Postfix

8.5.x

zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv3'

8.0.x

postconf -e smtpd_tls_protocols=\!SSLv3

Note the quoting. Inside single quotes bash keeps a backslash literally, so '\!SSLv3' would store the six characters \!SSLv3, which Postfix does not recognise as a valid protocol list; the backslash is only needed on the unquoted postconf form, where it stops an interactive bash from treating ! as history expansion. Confirm what was actually stored with "zmprov gcf zimbraMtaSmtpdTlsProtocols" (8.5.x) or "postconf smtpd_tls_protocols" (8.0.x): the value must read !SSLv3 with no backslash.

Run "zmmtactl stop ; zmmtactl start" to force the changes or wait for mailboxd to rewrite the Postfix config from LDAP after 2 minutes.

Note that smtpd_tls_protocols only governs opportunistic STARTTLS on port 25. The wrapper-mode SMTPS port 465, which the Verifying section below probes, uses smtpd_tls_mandatory_protocols, so check "postconf smtpd_tls_mandatory_protocols" as well and exclude SSLv3 there in the same way.

If you are already restricting ciphers by following http://wiki.zimbra.com/wiki/Postfix_PCI_Compliance_in_ZCS, please also exclude SSLv3:

8.5.x

zmprov mcf zimbraMtaSmtpdTlsCiphers high
zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3'
zmprov mcf zimbraMtaSmtpdTlsMandatoryCiphers high
zmprov mcf zimbraMtaSmtpdTlsExcludeCiphers 'aNULL,MD5,DES'

8.0.x

zmlocalconfig -e smtpd_tls_ciphers=high
postconf -e smtpd_tls_protocols=\!SSLv2,\!SSLv3
zmlocalconfig -e smtpd_tls_mandatory_ciphers=high
postconf -e smtpd_tls_exclude_ciphers=aNULL,MD5,DES

Use the exclusion form only. The Postfix protocol names are SSLv2, SSLv3, TLSv1, TLSv1.1 and TLSv1.2 (there is no "TLSv2"), and everything that is not excluded stays enabled, so TLSv1.1 and TLSv1.2 remain available without being listed. Mixing inclusions and exclusions in one list gives confusing results and is best avoided.

Run "zmmtactl stop ; zmmtactl start" to apply the changes.

Note that values set with postconf (smtpd_tls_protocols and smtpd_tls_exclude_ciphers) will need to be set again after every upgrade, as there is no way to preserve them in ZCS 8.0 and earlier.
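As an added example (not part of the original Zimbra article), the following POSIX shell function checks a Postfix protocol list the way the notes above describe: it rejects a literal backslash, rejects unknown names such as TLSv2, refuses a mixed inclusion/exclusion list and confirms that SSLv3 really ends up disabled. The names validate_tls_protocols and check_live_postfix and the --live switch are this example's own; postconf -h (a real postconf option) prints a parameter's value without the "name =" prefix.

```shell
#!/bin/sh
# Added example (not from the Zimbra article): validate a Postfix
# smtpd_tls_protocols / smtpd_tls_mandatory_protocols value before or after
# storing it. validate_tls_protocols and check_live_postfix are this
# example's own names (assumptions, not Zimbra or Postfix tools).

# validate_tls_protocols LIST
# Prints "ok" and returns 0 if LIST is a well-formed Postfix protocol list
# that leaves SSLv3 disabled; otherwise prints the reason and returns 1.
validate_tls_protocols() {
    list=$1
    incl=0; excl=0; ssl3_off=0
    # Postfix accepts comma and/or whitespace as separators.
    for tok in $(printf '%s' "$list" | tr ',' ' '); do
        case "$tok" in
            \\*)
                # '\!SSLv3' inside single quotes stores the backslash literally
                echo "bad: '$tok' contains a backslash; drop it inside single quotes"
                return 1 ;;
            "!"*)
                excl=1; name=${tok#!}
                if [ "$name" = SSLv3 ]; then ssl3_off=1; fi ;;
            *)
                incl=1; name=$tok
                if [ "$name" = SSLv3 ]; then
                    echo "bad: SSLv3 is explicitly enabled"; return 1
                fi ;;
        esac
        # The only protocol names Postfix of this era knows.
        case "$name" in
            SSLv2|SSLv3|TLSv1|TLSv1.1|TLSv1.2) ;;
            *) echo "bad: '$name' is not a Postfix protocol name"; return 1 ;;
        esac
    done
    if [ $incl -eq 1 ] && [ $excl -eq 1 ]; then
        echo "bad: mixes inclusions and exclusions; use the exclusion form only"; return 1
    fi
    if [ $incl -eq 0 ] && [ $excl -eq 0 ]; then
        echo "bad: empty list, the Postfix default applies"; return 1
    fi
    if [ $excl -eq 1 ] && [ $ssl3_off -eq 0 ]; then
        echo "bad: exclusion list does not exclude SSLv3"; return 1
    fi
    echo ok
}

# check_live_postfix: validate what Postfix actually has (run as zimbra on
# the MTA). Both parameters matter: smtpd_tls_protocols covers STARTTLS on
# port 25, smtpd_tls_mandatory_protocols covers the wrapper-mode port 465.
check_live_postfix() {
    for p in smtpd_tls_protocols smtpd_tls_mandatory_protocols; do
        val=$(postconf -h "$p")
        printf '%s = "%s" -> %s\n' "$p" "$val" "$(validate_tls_protocols "$val")"
    done
}

# Usage: sh check_tls_protocols.sh --live   (only then does it touch postconf)
if [ "${1:-}" = --live ]; then check_live_postfix; fi
```

Run it with --live on the MTA after the zmprov or postconf step; any verdict other than "ok" on either parameter means SSLv3 may still be accepted on the corresponding port.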

Nginx

8.5.x

For https and the Admin UI, edit /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and /opt/zimbra/conf/nginx/templates/nginx.conf.web.admin.default.template and add the following line inside the server { } block. Edit the templates, not the generated nginx configuration, because the live config is regenerated from the templates when the proxy starts. An explicit line is required: nginx of this era enables SSLv3 by default when ssl_protocols is not set.

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Example:

# HTTPS Proxy Default Configuration
#
server
{
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ${core.ipboth.enabled}listen                  [::]:${web.https.port} default;

[...]

If you are using SSO with Client certificates, also edit /opt/zimbra/conf/nginx/templates/nginx.conf.web.sso.default.template.

For imaps and pop3s, edit /opt/zimbra/conf/nginx/templates/nginx.conf.mail.pop3s.default.template and /opt/zimbra/conf/nginx/templates/nginx.conf.mail.imaps.default.template in the same way:

Example:

# POP3S proxy default configuration
#
server
{
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

[...]

Restart the proxy servers with: "zmproxyctl stop ; zmproxyctl start". The templates may be replaced when the proxy package is upgraded, so re-apply the edit and re-run the verification below after every upgrade.

Jetty (mailboxd)

Verifying

How do we verify that the changes have been applied? Run the following command (as zimbra) for every port that uses SSL:

openssl s_client -connect `zmhostname`:<port> -ssl3 |grep failure

Example, for port 443:

openssl s_client -connect `zmhostname`:443 -ssl3

The -ssl3 option only exists in OpenSSL builds that still include SSLv3. If the client answers "unknown option -ssl3", nothing was sent to the server and the test proves nothing about it; use an OpenSSL build that still has SSLv3 for this check.

If it shows a failure, that is the result we want: the server refused SSLv3 (alert number 40 is handshake_failure; a server that instead answers with "alert protocol version" has rejected SSLv3 just as well):

140532971947680:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140532971947680:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:

If instead you are seeing a negotiated session, for example:

New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS supported

SSLv3 is still enabled: s_client was forced to SSLv3 and the server accepted it (the "TLSv1/SSLv3" label only names the cipher-suite family, not the negotiated protocol version), and you need to re-check the changes.

Here is a command to verify the common ports when using the Zimbra proxy (run this at the proxy):

for p in 993 995 443 ; do echo Port $p ; timeout 3 openssl s_client -connect `zmhostname`:$p -ssl3 |grep failure ; done

Because of the grep, a port that prints nothing is not necessarily still offering SSLv3: a refused connection, a timeout or an OpenSSL client without -ssl3 also produce no "failure" line. Re-run any silent port without the grep and read the full output before concluding.

If you are proxying the admin UI, also add port 9071, 7071 or whichever port you have configured. If you are proxying SSO requests, also add port 3443.

List of ports:
443 - HTTPS
993 - IMAP-SSL
995 - POP3-SSL
9071 - AdminUI SSL

For Postfix, run the following command at the MTA for the SMTP-SSL port (465):

timeout 3 openssl s_client -connect `zmhostname`:465 -ssl3

Port 25 uses STARTTLS rather than wrapper-mode SSL, so to test it add -starttls smtp to the same command (and remember that it is governed by smtpd_tls_protocols, while 465 is governed by smtpd_tls_mandatory_protocols).
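As an added example that is not part of the original article, the script below does the verification above for all the ports at once, but classifies the full s_client output instead of grepping for "failure", so a closed port, a timeout or a client without SSLv3 support is reported as inconclusive rather than being mistaken for an SSLv3-capable server. The names classify_ssl3_output, probe_ssl3_port and the OPENSSL variable are this example's own; the sample outputs its test feeds in are the lines quoted earlier in this section.

```shell
#!/bin/sh
# Added example (not from the Zimbra article): probe ports with
# "openssl s_client -ssl3" and classify the output rather than grep it.
# classify_ssl3_output, probe_ssl3_port and OPENSSL are this example's
# own names. Run as zimbra on the host being checked.

# classify_ssl3_output: read s_client output (stdout and stderr merged)
# on stdin and print exactly one verdict:
#   disabled      server refused SSLv3 with a TLS alert (what we want)
#   ENABLED       server completed a handshake with -ssl3 forced (vulnerable)
#   inconclusive  no evidence either way: client lacks -ssl3, port closed,
#                 non-TLS service, or timeout
classify_ssl3_output() {
    out=$(cat)
    case "$out" in
        *"nknown option"*)
            # "unknown option -ssl3": the client was built without SSLv3,
            # so no probe reached the server
            echo inconclusive ;;
        *"alert handshake failure"*|*"alert protocol version"*)
            # alert 40 (handshake_failure) or 70 (protocol_version)
            echo disabled ;;
        *"Cipher is (NONE)"*)
            # connected but nothing negotiated and no alert seen
            echo inconclusive ;;
        *"Cipher is "*)
            # a real cipher with -ssl3 forced means SSLv3 was accepted
            echo ENABLED ;;
        *)
            echo inconclusive ;;
    esac
}

# probe_ssl3_port HOST PORT [STARTTLS-PROTOCOL]: run one probe and classify it.
probe_ssl3_port() {
    host=$1; port=$2; proto=${3:-}
    opts=""
    if [ -n "$proto" ]; then opts="-starttls $proto"; fi
    # </dev/null: do not wait on the terminal; 2>&1: alerts and "unknown
    # option" both go to stderr; timeout: a silent port would otherwise hang.
    timeout 5 "${OPENSSL:-openssl}" s_client -connect "$host:$port" -ssl3 $opts \
        </dev/null 2>&1 | classify_ssl3_output
}

# Usage: sh ssl3check.sh `zmhostname`
# 443/993/995 matter at the proxy, 465 and 25 (STARTTLS) at the MTA.
# Add 9071/7071 or 3443 if you proxy the admin UI or SSO.
if [ "$#" -gt 0 ]; then
    for p in 443 993 995 465; do
        printf 'port %-4s ssl3: %s\n' "$p" "$(probe_ssl3_port "$1" "$p")"
    done
    printf 'port 25   ssl3 (STARTTLS): %s\n' "$(probe_ssl3_port "$1" 25 smtp)"
fi
```

Set OPENSSL to an OpenSSL binary that still has SSLv3 if the default one reports every port as inconclusive; treat "inconclusive" as a prompt to look at the raw s_client output, never as a pass.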