Difference between revisions of "Security/Collab/87"

(Created page with "{{WIP}} {{ZC}} Category: Security {{Article Infobox|{{admin}}| |-style="vertical-align:middle" |  ZCS 8.7 Article  '''ZCS...")
 
m (Proxy: minor readability updates for DH params)
Line 11:
  == Proxy ==
- === dhparam ===
+ === DH parameters ===
  Added support for the ssl_dhparam in proxy/nginx.  The default DH parameter size is still 1024 bits.  With the changes from [https://bugzilla.zimbra.com/show_bug.cgi?id=96921 bug 98852], it is now possible to use a custom (read stronger) key size. However, be aware that some clients may have issues with a size larger than 1024 bits (Java 7 for example, ref: http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh).
Line 17:
  * http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
  * https://www.openssl.org/docs/apps/dhparam.html
+ * https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
  * http://www.nginxtips.com/hardening-nginx-ssl-tsl-configuration/

Revision as of 19:54, 23 April 2015

Admin Article

Article Information: this article applies to ZCS 8.7.


Security Settings for Zimbra Collaboration 8.7 series

Proxy

DH parameters

Added support for the ssl_dhparam directive in proxy/nginx. The default DH parameter size is still 1024 bits. With the changes from bug 98852, it is now possible to use a custom (and therefore stronger) key size. However, be aware that some clients may have issues with a size larger than 1024 bits (Java 7, for example; ref: http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh).
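To check a generated DH parameter file against the caveat above before pointing ssl_dhparam at it, here is an added example (not Zimbra's own code) that parses the PEM file openssl dhparam produces, reports the prime size and classifies it relative to the 1024-bit default. The DER helper and the sample p values are constructed for the demonstration only; the samples are not real DH groups.

```python
import base64
import re

DEFAULT_DH_BITS = 1024  # the ZCS 8.7 proxy default stated on this page
PEM_RE = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)

def _read_tlv(buf, pos):  # one DER tag/length/value at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def dh_prime_bits(pem_text):
    """Bit length of p in a PEM 'DH PARAMETERS' block (PKCS#3: SEQUENCE { INTEGER p,
    INTEGER g [, INTEGER privateValueLength] }), i.e. the size openssl dhparam reports."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    tag, p_bytes, _ = _read_tlv(seq, 0)  # first element is the prime p
    if tag != 0x02:
        raise ValueError("expected INTEGER for p")
    return int.from_bytes(p_bytes, "big").bit_length()  # a 0x00 sign pad is harmless

def check_dh_size(pem_text):
    """Return (bits, verdict); 'above-default' is where the page's Java 7 caveat applies."""
    bits = dh_prime_bits(pem_text)
    return bits, ("below-default" if bits < DEFAULT_DH_BITS else
                  "default" if bits == DEFAULT_DH_BITS else "above-default")

def _der(tag, content):  # minimal DER TLV encoder, used only to build sample input
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return (bytes([tag, n]) if n < 0x80 else bytes([tag, 0x80 | len(lb)]) + lb) + content

def make_dh_pem(p, g=2):
    """Encode (p, g) as a PEM DH PARAMETERS block. The sample p values below are
    constructed bit patterns, not safe primes: they exercise the parser only."""
    def der_int(v):
        b = v.to_bytes((v.bit_length() + 7) // 8, "big")
        return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)
    b64 = base64.b64encode(_der(0x30, der_int(p) + der_int(g))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN DH PARAMETERS-----\n{body}\n-----END DH PARAMETERS-----\n"
SAMPLE_1024 = make_dh_pem((1 << 1023) | 1)  # constructed, sized like the default
SAMPLE_2048 = make_dh_pem((1 << 2047) | 1)  # constructed, a "stronger" 2048-bit file
```

On a real server, pass the contents of the file generated with openssl dhparam to check_dh_size(); an "above-default" verdict means the Java 7 compatibility caveat needs to be weighed before the proxy is reconfigured.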

See also:

* http://nginx.org/en/docs/http/ngx_http_ssl_module.html#ssl_dhparam
* https://www.openssl.org/docs/apps/dhparam.html
* https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
* http://www.nginxtips.com/hardening-nginx-ssl-tsl-configuration/

Ciphers

The default zimbraReverseProxySSLCiphers setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96852):

zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4

Mailboxd (Jetty)

Ciphers

The default zimbraSSLExcludeCipherSuites setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96921):

zimbraSSLExcludeCipherSuites: .*_RC4_.*


Verified Against: Zimbra Collaboration 8.7 Date Created: 04/22/2015
Article ID: https://wiki.zimbra.com/index.php?title=Security/Collab/87 Date Modified: 2015-04-23
