Difference between revisions of "Security/Collab/logjam"

(Logjam & Zimbra 8.5 8.6)
 
Line 1: Line 1:
 
+
{{BC|Community Sandbox}}
 +
__FORCETOC__
 +
<div class="col-md-12 ibox-content">
 +
= How to fix the Logjam issue in Zimbra Collaboration 8.5 and 8.6 =
 +
{{KB|{{Unsupported}}|{{ZCS 8.6}}|{{ZCS 8.5}}|}}
 
== Logjam & Zimbra 8.5 8.6 ==
 
== Logjam & Zimbra 8.5 8.6 ==
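Review bot: the `<div class="col-md-12 ibox-content">` added at the top of the page has no matching `</div>` in either visible hunk. Unless the `{{Article Footer|...}}` template added at the end closes it, add the closing tag after the article body. The new level-1 heading also sits directly above the existing `== Logjam & Zimbra 8.5 8.6 ==` heading, so check whether both are needed.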
  
Line 32: Line 36:
  
 
--[[User:Managedhosting de|managedhosting.de]] ([[User talk:Managedhosting de|talk]]) 19:49, 29 May 2015 (UTC)
 
--[[User:Managedhosting de|managedhosting.de]] ([[User talk:Managedhosting de|talk]]) 19:49, 29 May 2015 (UTC)
 +
{{Article Footer|Zimbra Collaboration 8.6, 8.5 |06/15/2015}}

Latest revision as of 12:54, 16 July 2015

How to fix the Logjam issue in Zimbra Collaboration 8.5 and 8.6

   KB 21985        Last updated on 2015-07-16  





Logjam & Zimbra 8.5 8.6

To disable weak DH ciphers, you can adjust your nginx configuration as follows:

  cd /opt/zimbra/conf
  openssl dhparam -out dhparams.pem 2048
  chown zimbra:zimbra dhparams.pem

Now edit

  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

and add

  ssl_dhparam /opt/zimbra/conf/dhparams.pem;

below

 ssl_verify_depth        ${ssl.clientcertdepth.default};

If you have not set your cipher suites yet, you can run

 zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
  

and finally

 zmproxyctl restart

Now you can verify your settings using https://weakdh.org/sysadmin.html and https://www.ssllabs.com/ssltest/analyze.html
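
The template edit described above, scripted as an added example (not part of the original article and not Zimbra tooling): it inserts the ssl_dhparam line directly below the ssl_verify_depth line, keeps the indentation, and does nothing when the directive is already there, so it can be re-run safely. The function name add_dhparam and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: idempotently insert the ssl_dhparam directive below the
# ssl_verify_depth line of an nginx template (paths are passed as arguments).
DHPARAM_LINE='ssl_dhparam /opt/zimbra/conf/dhparams.pem;'

# add_dhparam FILE -> 0 inserted, 1 already present, 2 anchor missing or I/O error
add_dhparam() {
    file=$1
    [ -r "$file" ] && [ -w "$file" ] || return 2
    # An active (not commented-out) directive means there is nothing to do.
    if grep -Eq '^[[:space:]]*ssl_dhparam[[:space:]]' "$file"; then
        return 1
    fi
    # Refuse to guess a position when the anchor line from the article is absent.
    grep -Eq '^[[:space:]]*ssl_verify_depth[[:space:]]' "$file" || return 2
    tmp=$(mktemp) || return 2
    # Copy every line; after the anchor, emit the directive with the same indent.
    # Writing back with cat keeps the owner and mode of the template file.
    if awk -v d="$DHPARAM_LINE" '
        { print }
        /^[ \t]*ssl_verify_depth[ \t]/ {
            indent = $0; sub(/[^ \t].*$/, "", indent)
            print indent d
        }' "$file" > "$tmp" && cat "$tmp" > "$file"; then
        st=0
    else
        st=2
    fi
    rm -f "$tmp"
    return $st
}

# Process every template given on the command line and report the outcome.
for f in "$@"; do
    rc=0; add_dhparam "$f" || rc=$?
    case $rc in
        0) echo "inserted:        $f" ;;
        1) echo "already present: $f" ;;
        *) echo "FAILED (no ssl_verify_depth line or file not writable): $f" >&2 ;;
    esac
done
```

Run it with the two template paths from the article as arguments, before zmproxyctl restart.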

--managedhosting.de (talk) 19:49, 29 May 2015 (UTC)

Verified Against: Zimbra Collaboration 8.6, 8.5 Date Created: 06/15/2015
Article ID: https://wiki.zimbra.com/index.php?title=Security/Collab/logjam Date Modified: 2015-07-16


