How to fix the Logjam issue in Zimbra Collaboration 8.5 and 8.6

KB 21985	Last updated on 2015-07-16	Last updated by Jorge de la Cruz	0.00 (0 votes)	Verified in: ZCS 8.6 ZCS 8.5
- This article is a Community contribution and may include unsupported customizations.

KB 21985	Last updated on 2015-07-16
0.00 (0 votes)
- This article is a Community contribution and may include unsupported customizations.

Logjam & Zimbra 8.5 8.6

In order to disable weak DH Ciphers you can configure your ngnix configuration as follows:

  cd /opt/zimbra/conf
  openssl dhparam -out dhparams.pem 2048
  chown zimbra:zimbra dhparams.pem

Now edit

  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

and add

  ssl_dhparam /opt/zimbra/conf/dhparams.pem;

below

 ssl_verify_depth        ${ssl.clientcertdepth.default};

If you don't have set your CipherSuites you can

 zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
  

and finally

 zmproxyctl restart

Now you can verify your settings using https://weakdh.org/sysadmin.html and https://www.ssllabs.com/ssltest/analyze.html

--managedhosting.de (talk) 19:49, 29 May 2015 (UTC)