Security/Collab/logjam

Revision as of 19:49, 29 May 2015 by Managedhosting de (talk | contribs) (Configure Zimbra Proxy nginx to avoid weak DH Ciphers / Logjam)

(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Logjam & Zimbra 8.5 8.6

In order to disable weak DH Ciphers you can configure your ngnix configuration as follows:

  cd /opt/zimbra/conf
  openssl dhparam -out dhparams.pem 2048
  chown zimbra:zimbra dhparams.pem

No edit

  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

and add

  ssl_dhparam /opt/zimbra/conf/dhparams.pem;

below

 ssl_verify_depth        ${ssl.clientcertdepth.default};

If you don't have set your CipherSuites you can

 zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
  

and finally

 zmproxyctl restart

Now you can verify your settings using https://weakdh.org/sysadmin.html and https://www.ssllabs.com/ssltest/analyze.html

--managedhosting.de (talk) 19:49, 29 May 2015 (UTC)

Jump to: navigation, search