FIPS

How to enable FIPS on Zimbra

See the following wiki pages:

https://github.com/Zimbra/packages/wiki/OpenSSL,-Postfix-and-Nginx-TLS-1.3-GA-release#enable-fips-mode-in-rhel6

https://github.com/Zimbra/packages/wiki/OpenSSL,-Postfix-and-Nginx-TLS-1.3-GA-release#enable-fips-mode-in-rhel7

https://github.com/Zimbra/packages/wiki/OpenSSL,-Postfix-and-Nginx-TLS-1.3-GA-release#enable-fips-mode-in-rhel8

https://github.com/Zimbra/packages/wiki/OpenSSL,-Postfix-and-Nginx-TLS-1.3-GA-release#set-below-configurations-after-fips-enabled


IMPORTANT: Zimbra OpenSSL (3.0.x+) with default FIPS configuration, from patch Kepler 9.0.0.P34, Joule 8.8.15.P41 and Daffodil 10.0.2 onward

  • From this patch going forward, Zimbra OpenSSL is configured with FIPS compliance enabled by default. No action is required unless you run into issues, in which case you can switch to the non-FIPS provider as described below.
  • Run the commands below to enable or disable the FIPS provider on all servers.

Disable FIPS provider:

As the root user, run the following commands.

  • Take a backup of openssl.cnf:
      cd /opt/zimbra/common/etc/ssl
      cp openssl.cnf <backup-path>/openssl.cnf
  • Copy the openssl-source.cnf file over openssl.cnf:
      cd /opt/zimbra/common/etc/ssl
      cp openssl-source.cnf openssl.cnf
  • Verify that the FIPS provider is disabled: run the command below and confirm that the fips provider is not listed.
      /opt/zimbra/common/bin/openssl list --providers
  • As the zimbra user, restart the Zimbra services:
      su - zimbra
      zmcontrol restart


Enable TLSv1.0/TLSv1.1:

Even after disabling FIPS with the method above, older clients that connect with TLS 1.0/1.1 have been observed to fail to connect to the Zimbra Proxy. This can be fixed by appending ":@SECLEVEL=0" to the cipher string in zimbraReverseProxySSLCiphers.

  • Get the current proxy cipher list:
      zmprov gcf zimbraReverseProxySSLCiphers
  • Set the cipher list again with ":@SECLEVEL=0" appended:
      zmprov mcf zimbraReverseProxySSLCiphers '<Proxy Cipher List>:@SECLEVEL=0'
  • Restart the proxy:
      zmproxyctl restart


Enable FIPS provider:

As the root user, run the following commands.

  • Take a backup of openssl.cnf:
      cd /opt/zimbra/common/etc/ssl
      cp openssl.cnf <backup-path>/openssl.cnf
  • Copy the openssl-fips.cnf file over openssl.cnf:
      cd /opt/zimbra/common/etc/ssl
      cp openssl-fips.cnf openssl.cnf
  • Verify that the FIPS provider is enabled: run the command below and confirm that the fips provider is listed.
      /opt/zimbra/common/bin/openssl list --providers
  • As the zimbra user, restart the Zimbra services:
      su - zimbra
      zmcontrol restart
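The following script is an added example, not part of the Zimbra wiki or the Zimbra packages. It wraps the enable/disable procedures above with a timestamped backup and a check that the provider listing actually changed, and makes the ":@SECLEVEL=0" step idempotent so the suffix is not appended twice on repeated runs. It assumes the paths from this page (/opt/zimbra/common/etc/ssl and /opt/zimbra/common/bin/openssl); the sample provider listing embedded in the comments is constructed.

```shell
#!/bin/sh
# Helper for switching the Zimbra OpenSSL FIPS provider (added example; paths assumed from the wiki).
SSL_DIR=${SSL_DIR:-/opt/zimbra/common/etc/ssl}
OPENSSL=${OPENSSL:-/opt/zimbra/common/bin/openssl}

# fips_listed LISTING: succeed (exit 0) if a provider named "fips" appears in the
# output of "openssl list -providers". A constructed listing looks like:
#   Providers:
#     default
#       name: OpenSSL Default Provider
#     fips
#       name: OpenSSL FIPS Provider
# Only a line consisting solely of "fips" counts, so "name: OpenSSL FIPS Provider" does not match.
fips_listed() {
    printf '%s\n' "$1" | grep -qE '^[[:space:]]*fips[[:space:]]*$'
}

# with_seclevel0 CIPHERS: print CIPHERS with exactly one ":@SECLEVEL=0" at the end,
# stripping any SECLEVEL already present so repeated zmprov mcf runs stay clean.
with_seclevel0() {
    ciphers=$(printf '%s' "$1" | sed 's/:@SECLEVEL=[0-9]//g')
    printf '%s:@SECLEVEL=0' "$ciphers"
}

# switch_fips on|off: back up openssl.cnf with a timestamp, copy the matching
# source file over it, then fail unless the provider listing reflects the request.
switch_fips() {
    want=$1
    case $want in
        on)  src=openssl-fips.cnf ;;
        off) src=openssl-source.cnf ;;
        *)   echo "usage: switch_fips on|off" >&2; return 2 ;;
    esac
    stamp=$(date +%Y%m%d%H%M%S)
    cp "$SSL_DIR/openssl.cnf" "$SSL_DIR/openssl.cnf.bak.$stamp" || return 1
    cp "$SSL_DIR/$src" "$SSL_DIR/openssl.cnf" || return 1
    listing=$("$OPENSSL" list -providers 2>&1) || return 1
    if fips_listed "$listing"; then state=on; else state=off; fi
    if [ "$state" != "$want" ]; then
        echo "FIPS provider state is '$state', expected '$want'; backup kept at openssl.cnf.bak.$stamp" >&2
        return 1
    fi
    echo "FIPS provider is $state; now run 'su - zimbra' and 'zmcontrol restart' on this server"
}
```

After switch_fips succeeds, set the proxy ciphers with `zmprov mcf zimbraReverseProxySSLCiphers "$(with_seclevel0 "$(zmprov gcf zimbraReverseProxySSLCiphers | sed 's/^[^:]*: //')")"` only if you need the TLS 1.0/1.1 workaround described above.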

