Disable DH 1024

How to change the Diffie Hellman key size?

   KB 24489        Last updated on 2024-04-20  




0.00
(0 votes)

Mailbox Level

Problem

Updating "zimbraSSLDHParam" affects at proxy level only. In case you want steps to configure the proxy and other Internet facing services read: https://wiki.zimbra.com/wiki/Cipher_suites. In below article you find steps on how to update diffie helman (DH) key size at mailbox level.

Solution

By adding "jdk.tls.ephemeralDHKeySize" into the mailboxd_java_options DH key size can be changed (or disable weak DH 1024) at mailbox level.

Notes:

These commands are restricted to run on mailbox servers only.

JDK 17 supports max key size value 2048.

Step 1:

Get existing value of the mailboxd_java_options.
Example:
$ zmlocalconfig mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1.2 -Djdk.tls.client.protocols=TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED

Step 2:

Add "-Djdk.tls.ephemeralDHKeySize=2048" to mailboxd_java_options.
Example:
$ zmlocalconfig -e mailboxd_java_options="-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.ephemeralDHKeySize=2048 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl= -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED"

Step 3:

Restart mailbox services
$ zmmailboxdctl restart

Step 4:

Verify using nmap
nmap --script ssl-enum-ciphers -p 8443 your-mailbox-server.example.com

Ref: https://docs.oracle.com/javase/8/docs/technotes/guides/security/jsse/JSSERefGuide.html#jsse-impl-security-property

Global/Proxy Level

Update DH parameters at proxy level. No longer self generated, use pre-defined DHE groups as recommended by IETF RFC 7919.

Note: the zmdhparam command will in most cases not work when used with OpenSSL FIPS.

Further reading: 

wget https://raw.githubusercontent.com/internetstandards/dhe_groups/master/ffdhe4096.pem -O /etc/ffdhe4096.pem
su - zimbra
zmprov mcf zimbraSSLDHParam /etc/ffdhe4096.pem
ldap restart
zmmtactl restart
zmproxyctl restart
Submitted by: Raghu Noti
Verified Against: ZCS 8.8.15, ZCS 9.0 Date Created: 2022-12-01
Article ID: https://wiki.zimbra.com/index.php?title=Disable_DH_1024 Date Modified: 2024-04-20



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Other help Resources

User Help Page »
Official Forums »
Zimbra Documentation Page »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Retrieved from "http://wiki.zimbra.com/index.php?title=Disable_DH_1024&oldid=70378"
Jump to: navigation, search