Difference between revisions of "Security/Collab/87"
(Created page with "{{WIP}} {{ZC}} Category: Security {{Article Infobox|{{admin}}| |-style="vertical-align:middle" | ZCS 8.7 Article '''ZCS...") |
m (→Proxy: minor readability updates for DH params) |
||
| Line 11: | Line 11: | ||
== Proxy == | == Proxy == | ||
| − | === | + | === DH parameters === |
Added support for the ssl_dhparam in proxy/nginx. The default DH parameter size is still 1024 bits. With the changes from [https://bugzilla.zimbra.com/show_bug.cgi?id=96921 bug 98852], it is now possible to use a custom (read stronger) key size. However, be aware that some clients may have issues with a size larger than 1024 bits (Java 7 for example, ref: http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh). | Added support for the ssl_dhparam in proxy/nginx. The default DH parameter size is still 1024 bits. With the changes from [https://bugzilla.zimbra.com/show_bug.cgi?id=96921 bug 98852], it is now possible to use a custom (read stronger) key size. However, be aware that some clients may have issues with a size larger than 1024 bits (Java 7 for example, ref: http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh). | ||
| Line 17: | Line 17: | ||
* http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam | * http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam | ||
* https://www.openssl.org/docs/apps/dhparam.html | * https://www.openssl.org/docs/apps/dhparam.html | ||
| + | * https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange | ||
* http://www.nginxtips.com/hardening-nginx-ssl-tsl-configuration/ | * http://www.nginxtips.com/hardening-nginx-ssl-tsl-configuration/ | ||
Revision as of 19:54, 23 April 2015
- This article is a Work in Progress, and may be unfinished or missing sections.
- This is certified documentation and is protected for editing by Zimbra Employees & Moderators only. Article Information |
|---|
| This article applies to the following ZCS versions.
|
Security Settings for Zimbra Collaboration 8.7 series
Proxy
DH parameters
Added support for the ssl_dhparam in proxy/nginx. The default DH parameter size is still 1024 bits. With the changes from bug 98852, it is now possible to use a custom (read stronger) key size. However, be aware that some clients may have issues with a size larger than 1024 bits (Java 7 for example, ref: http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh).
See also:
- http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
- https://www.openssl.org/docs/apps/dhparam.html
- https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
- http://www.nginxtips.com/hardening-nginx-ssl-tsl-configuration/
Ciphers
Default zimbraReverseProxySSLCiphers setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96852):
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4
Mailboxd (Jetty)
Ciphers
Default zimbraSSLExcludeCipherSuites setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96921):
zimbraSSLExcludeCipherSuites: .*_RC4_.*
