Difference between revisions of "Security/Collab/logjam"

(Configure Zimbra Proxy nginx to avoid weak DH Ciphers / Logjam)
 
(Logjam & Zimbra 8.5 8.6)
Line 8: Line 8:
 
   chown zimbra:zimbra dhparams.pem
 
   chown zimbra:zimbra dhparams.pem
  
No edit  
+
Now edit  
  
 
   /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
 
   /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template

Revision as of 19:50, 29 May 2015

Logjam & Zimbra 8.5 8.6

In order to disable weak DH Ciphers you can configure your ngnix configuration as follows:

  cd /opt/zimbra/conf
  openssl dhparam -out dhparams.pem 2048
  chown zimbra:zimbra dhparams.pem

Now edit

  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

and add

  ssl_dhparam /opt/zimbra/conf/dhparams.pem;

below

 ssl_verify_depth        ${ssl.clientcertdepth.default};

If you don't have set your CipherSuites you can

 zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
  

and finally

 zmproxyctl restart

Now you can verify your settings using https://weakdh.org/sysadmin.html and https://www.ssllabs.com/ssltest/analyze.html

--managedhosting.de (talk) 19:49, 29 May 2015 (UTC)

Jump to: navigation, search