Difference between revisions of "Security/Collab/logjam"
Revision as of 19:50, 29 May 2015
Logjam & Zimbra 8.5 8.6
In order to disable weak DH ciphers (the Logjam issue), configure the Zimbra nginx proxy as follows:
cd /opt/zimbra/conf
openssl dhparam -out dhparams.pem 2048
chown zimbra:zimbra dhparams.pem
Now edit
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
and add
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
below
ssl_verify_depth ${ssl.clientcertdepth.default};
If you have not set your cipher suites yet, you can run
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
and finally
zmproxyctl restart
Now you can verify your settings using https://weakdh.org/sysadmin.html and https://www.ssllabs.com/ssltest/analyze.html
--managedhosting.de (talk) 19:49, 29 May 2015 (UTC)
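As an added example that is not part of the wiki page: a POSIX shell helper that applies the template edit above idempotently (inserting the ssl_dhparam line directly below ssl_verify_depth, never twice) and checks the placement afterwards. It assumes the /opt/zimbra/conf/dhparams.pem path used on this page; the sample template it writes is constructed, not the real Zimbra file.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki page: insert ssl_dhparam below
# ssl_verify_depth in an nginx template idempotently and verify placement.
# The sample template below is constructed, not the real Zimbra file.

DHPARAM_LINE='ssl_dhparam /opt/zimbra/conf/dhparams.pem;'
ANCHOR='ssl_verify_depth'

# Write a constructed stand-in for the https template to FILE.
make_sample() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_verify_depth ${ssl.clientcertdepth.default};
    ssl_session_timeout 5m;
}
EOF
}

# add_dhparam FILE: insert DHPARAM_LINE after the first ANCHOR line, keeping
# its indentation. No-op if an ssl_dhparam directive already exists;
# returns 1 (file untouched) if the anchor line is absent.
add_dhparam() {
    f=$1
    grep -q '^[[:space:]]*ssl_dhparam' "$f" && return 0
    grep -q "$ANCHOR" "$f" || return 1
    awk -v anchor="$ANCHOR" -v line="$DHPARAM_LINE" '
        { print }
        !done && index($0, anchor) {
            match($0, /^[ \t]*/)
            print substr($0, 1, RLENGTH) line
            done = 1
        }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# check_dhparam FILE: print "ok" when exactly one ssl_dhparam line exists and
# it immediately follows the anchor; otherwise print why and return 1.
check_dhparam() {
    awk -v anchor="$ANCHOR" '
        !a && index($0, anchor)  { a = NR }
        /^[ \t]*ssl_dhparam/      { n++; if (!d) d = NR }
        END {
            if (n == 0)     { print "missing";   exit 1 }
            if (n > 1)      { print "duplicate"; exit 1 }
            if (d != a + 1) { print "misplaced"; exit 1 }
            print "ok"
        }' "$1"
}
```

Run add_dhparam against each of the two template paths listed above, then check_dhparam on each before restarting the proxy.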