-
Notifications
You must be signed in to change notification settings - Fork 94
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fixed Cipher related warnings on ZCS startup and added jetty version at a common place #920
base: develop
Are you sure you want to change the base?
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will need to be clearly communicated for upgrade scenarios.
Do we need to update any upgrade scripts to fix attributes up?
Need to check with @rupalid . As of now there is only change in zimbra-attrs.xml which sets those values in global config |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
General: This will break older clients. I'm fine with this at a conceptual level, but we want signoff from support / PM on such a change. Also, if we're going down this path I'd really like to disable TLSv1 and TLSv1.1 by default.
store/conf/attrs/zimbra-attrs.xml
Outdated
@@ -3413,6 +3413,24 @@ TODO - add support for multi-line values in globalConfigValue and defaultCOSValu | |||
|
|||
<attr id="639" name="zimbraSSLExcludeCipherSuites" type="string" cardinality="multi" optionalIn="globalConfig,server" flags="serverInherited" requiresRestart="mailbox" since="5.0.5"> | |||
<globalConfigValue>.*_RC4_.*</globalConfigValue> | |||
<globalConfigValue>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</globalConfigValue> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd tend to go with the fix as proposed/used by Jetty
https://github.com/eclipse/jetty.project/blob/9fd6d4354e7a6d5ea0b0a8fff47351ba37b9babd/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L253
e.g. setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");
And then deal with other one-offs, which I believe may be addressed via "^TLS_RSA_.*".
Once that is done, we would still want to check ciphers with https://testssl.sh/ and/or https://www.ssllabs.com/ssltest/
Keep in mind this is only one part of the puzzle, we also have nginx w/openssl.
@@ -8379,7 +8397,6 @@ TODO: delete them permanently from here | |||
<globalConfigValue>TLSv1</globalConfigValue> | |||
<globalConfigValue>TLSv1.1</globalConfigValue> | |||
<globalConfigValue>TLSv1.2</globalConfigValue> | |||
<globalConfigValue>SSLv2Hello</globalConfigValue> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This will break older clients. I'm fine with this, although I'd also like to disable TLSv1 and TLSv1.1 if we're going to do this. We probably need feedback from support and we also have upgrade paths/documentation to cover with TLS config changes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might be nice to have the SslConnectionFactory
portion of the dumpoutput generated via
java -jar ${JETTY_HOME}/start.jar jetty.server.dumpAfterStart=true
as described in https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html if you get a chance as well.
…at a common place
11060eb
to
41ea70b
Compare
317c7df
to
056d031
Compare
6d82915
to
04d0e72
Compare
issue : Getting warnings related to cipher on mailbox start up. Added jetty version at multiple places.
fix : As per the conversation found here , removed the protocols which is vulnerable and as per the conversation found here excluded the weak ciphers. Removed jetty version used in multiple places and added it as a property at a common place.
On Server start up there is no warnings related to ciphers in the log.
Before
After
Linked PR
Zimbra/zm-jetty-conf#7