Fixed Cipher related warnings on ZCS startup and added jetty version at a common place #920

Status: Open. Wants to merge 1 commit into base: develop.

Conversation

@jrjena136 jrjena136 (Contributor) commented Jun 11, 2019

Issue: Getting warnings related to ciphers on mailbox startup. The Jetty version was added at multiple places.

Fix: As per the conversation found here, removed the protocols which are vulnerable, and as per the conversation found here, excluded the weak ciphers. Removed the Jetty version used in multiple places and added it as a property at a common place.

On server startup there are no warnings related to ciphers in the log.

Before

2019-06-11 11:13:28.576:INFO:oejs.RequestLogWriter:main: Opened /opt/zimbra/log/access_log.2019-06-11
2019-06-11 11:13:28.606:INFO:oejs.AbstractConnector:main: Started ServerConnector@50ecde95{HTTP/1.1,[http/1.1]}{localhost:8080}
2019-06-11 11:13:28.614:INFO:oejus.SslContextFactory:main: x509=X509@7f086b45(jetty,h=[jyoti.zdev.local],w=[]) for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.616:WARN:oejusS.config:main: No Client EndPointIdentificationAlgorithm configured for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Protocol SSLv2Hello not excluded for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 11:13:28.621:INFO:oejs.AbstractConnector:main: Started ServerConnector@6622fc65{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2019-06-11 11:13:28.629:INFO:oejs.AbstractConnector:main: Started ServerConnector@299321e2{SSL,[ssl, http/1.1]}{0.0.0.0:7071}
2019-06-11 11:13:28.631:INFO:oejs.AbstractConnector:main: Started ServerConnector@23fb172e{SSL,[ssl, http/1.1]}{0.0.0.0:7073}
2019-06-11 11:13:28.637:INFO:oejs.AbstractConnector:main: Started ServerConnector@64ba3208{SSL,[ssl, http/1.1]}{0.0.0.0:7072}
2019-06-11 11:13:28.637:INFO:oejs.Server:main: Started @13379ms

After

2019-06-11 17:10:25.835:INFO:oejs.RequestLogWriter:main: Opened /opt/zimbra/log/access_log.2019-06-11
2019-06-11 17:10:25.855:INFO:oejs.AbstractConnector:main: Started ServerConnector@2072acb2{HTTP/1.1,[http/1.1]}{localhost:8080}
2019-06-11 17:10:25.869:INFO:oejus.SslContextFactory:main: x509=X509@50231f16(jetty,h=[jyoti.zdev.local],w=[]) for SslContextFactory@2bc7e895[provider=null,keyStore=file:///opt/zimbra/jetty_base/etc/keystore,trustStore=null]
2019-06-11 17:10:25.876:INFO:oejs.AbstractConnector:main: Started ServerConnector@d3957fe{SSL,[ssl, http/1.1]}{0.0.0.0:8443}
2019-06-11 17:10:25.882:INFO:oejs.AbstractConnector:main: Started ServerConnector@6622fc65{SSL,[ssl, http/1.1]}{0.0.0.0:7071}
2019-06-11 17:10:25.884:INFO:oejs.AbstractConnector:main: Started ServerConnector@299321e2{SSL,[ssl, http/1.1]}{0.0.0.0:7073}
2019-06-11 17:10:25.889:INFO:oejs.AbstractConnector:main: Started ServerConnector@23fb172e{SSL,[ssl, http/1.1]}{0.0.0.0:7072}
2019-06-11 17:10:25.890:INFO:oejs.Server:main: Started @14918ms

Linked PR
Zimbra/zm-jetty-conf#7

@fatkudu fatkudu (Contributor) left a comment


This will need to be clearly communicated for upgrade scenarios.
Do we need to update any upgrade scripts to fix attributes up?

@jrjena136 jrjena136 (Contributor, Author)

Need to check with @rupalid. As of now there is only a change in zimbra-attrs.xml, which sets those values in global config.

@plobbes plobbes (Contributor) left a comment


General: This will break older clients. I'm fine with this at a conceptual level, but we want signoff from support / PM on such a change. Also, if we're going down this path I'd really like to disable TLSv1 and TLSv1.1 by default.

@@ -3413,6 +3413,24 @@ TODO - add support for multi-line values in globalConfigValue and defaultCOSValu

<attr id="639" name="zimbraSSLExcludeCipherSuites" type="string" cardinality="multi" optionalIn="globalConfig,server" flags="serverInherited" requiresRestart="mailbox" since="5.0.5">
<globalConfigValue>.*_RC4_.*</globalConfigValue>
<globalConfigValue>TLS_DHE_DSS_WITH_AES_128_CBC_SHA</globalConfigValue>
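Review bot: excluding suites one literal name at a time, as the added TLS_DHE_DSS_WITH_AES_128_CBC_SHA value does here, is brittle: the startup log in the description flags eighteen distinct suites, and any suite a newer JSSE provider enables stays on until someone lists it. Since zimbraSSLExcludeCipherSuites already takes Jetty regex patterns (the existing `.*_RC4_.*` default), a pattern-based list such as `^.*_(MD5|SHA|SHA1)$` for the CBC-SHA suites plus `^TLS_RSA_.*` for the RSA key-exchange suites (no forward secrecy) covers the same set and keeps working as the provider's list changes. Also note the attribute is `optionalIn="globalConfig,server"` with `requiresRestart="mailbox"`: defaults from zimbra-attrs.xml populate global config at install time, so an existing deployment that already stores a value list does not pick up the new defaults by itself (the upgrade-script question raised above applies), and a server-level override can quietly reintroduce a suite; spell that out in the upgrade notes.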

I'd tend to go with the fix as proposed/used by Jetty
https://github.com/eclipse/jetty.project/blob/9fd6d4354e7a6d5ea0b0a8fff47351ba37b9babd/jetty-util/src/main/java/org/eclipse/jetty/util/ssl/SslContextFactory.java#L253
e.g. setExcludeCipherSuites("^.*_(MD5|SHA|SHA1)$");

And then deal with other one-offs, which I believe may be addressed via "^TLS_RSA_.*".
Once that is done, we would still want to check ciphers with https://testssl.sh/ and/or https://www.ssllabs.com/ssltest/

Keep in mind this is only one part of the puzzle, we also have nginx w/openssl.
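The review above proposes replacing per-suite exclusions with patterns and then verifying what is left. The following is an added example, not code from this PR, from Zimbra or from Jetty. It parses the `Weak cipher suite ... enabled` and `Protocol ... not excluded` lines that Jetty's SslContextFactory logs at startup (the sample is constructed from the lines quoted in the PR description above, with the trailing SslContextFactory detail shortened), applies a candidate zimbraSSLExcludeCipherSuites value list with the full-match semantics Jetty uses for exclude patterns, and reports which pattern removes which suite and which flagged suites would remain enabled. It assumes the attribute values reach Jetty's ExcludeCipherSuites unchanged (as the `.*_RC4_.*` default implies); the names `PR_PATTERNS`, `REVIEW_PATTERNS`, `flagged_suites`, `flagged_protocols`, `coverage` and `report` are the example's own.

```python
import re

# Constructed sample: the SslContextFactory WARN lines from the PR's "Before"
# startup log (including its two duplicated suite lines), tails shortened.
BEFORE_LOG = """\
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Protocol SSLv2Hello not excluded for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_GCM_SHA384 enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_GCM_SHA256 enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.617:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA256 enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.618:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_RSA_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_256_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA256 enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.619:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_ECDH_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_RSA_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[...]
2019-06-11 11:13:28.620:WARN:oejusS.config:main: Weak cipher suite TLS_DHE_DSS_WITH_AES_128_CBC_SHA enabled for SslContextFactory@c370bb5[...]
"""

# Exclude values visible in the PR's zimbra-attrs.xml hunk (one literal name).
PR_PATTERNS = [".*_RC4_.*", "TLS_DHE_DSS_WITH_AES_128_CBC_SHA"]
# Pattern-based list proposed in review: Jetty's own default plus ^TLS_RSA_.*
REVIEW_PATTERNS = [".*_RC4_.*", "^.*_(MD5|SHA|SHA1)$", "^TLS_RSA_.*"]

WEAK_SUITE_RE = re.compile(r":WARN:oejusS\.config:\S+ Weak cipher suite (\S+) enabled")
PROTOCOL_RE = re.compile(r":WARN:oejusS\.config:\S+ Protocol (\S+) not excluded")


def flagged_suites(log):
    """Distinct cipher suites Jetty flagged as weak, in first-seen order."""
    suites = []
    for line in log.splitlines():
        m = WEAK_SUITE_RE.search(line)
        if m and m.group(1) not in suites:
            suites.append(m.group(1))
    return suites


def flagged_protocols(log):
    """Protocols Jetty warned were enabled but not excluded (e.g. SSLv2Hello)."""
    protos = []
    for line in log.splitlines():
        m = PROTOCOL_RE.search(line)
        if m and m.group(1) not in protos:
            protos.append(m.group(1))
    return protos


def coverage(suites, patterns):
    """Apply exclude values the way Jetty's SslContextFactory does: each value
    is a java.util.regex pattern tested with matches(), so it has to match the
    whole suite name (hence re.fullmatch). Returns pattern -> suites it removes
    (first matching pattern wins) and the flagged suites no pattern removes,
    i.e. the ones that would still be enabled after a mailboxd restart."""
    compiled = [(p, re.compile(p)) for p in patterns]
    excluded_by = {p: [] for p in patterns}
    remaining = []
    for suite in suites:
        for p, rx in compiled:
            if rx.fullmatch(suite):
                excluded_by[p].append(suite)
                break
        else:
            remaining.append(suite)
    return excluded_by, remaining


def report(log, patterns):
    """Print a coverage summary and return the suites left enabled."""
    suites = flagged_suites(log)
    excluded_by, remaining = coverage(suites, patterns)
    for p in patterns:
        print(f"{p!r:32} excludes {len(excluded_by[p])} of {len(suites)} flagged suites")
    for s in remaining:
        print(f"  still enabled: {s}")
    for proto in flagged_protocols(log):
        print(f"  protocol not excluded: {proto}")
    return remaining


if __name__ == "__main__":
    print("PR list:")
    report(BEFORE_LOG, PR_PATTERNS)       # 17 of 18 suites still enabled
    print("Review list:")
    report(BEFORE_LOG, REVIEW_PATTERNS)   # nothing left enabled
```

Run it against the current mailbox.log before restarting mailboxd: an empty `remaining` list means the restart should produce no weak-suite warnings, and a non-empty one names exactly what to add, for instance with `zmprov mcf +zimbraSSLExcludeCipherSuites '<pattern>'`. The two values visible in the PR hunk leave 17 of the 18 flagged suites enabled, while the three review patterns cover all of them; `.*_RC4_.*` matches nothing on this provider but is harmless to keep. A clean Jetty log only proves the exclude list matches what Jetty complained about, not that the negotiated configuration is sound, so the testssl.sh or SSL Labs check the review asks for is still needed against 8443 and the admin ports, and it says nothing about the nginx/openssl side.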

@@ -8379,7 +8397,6 @@ TODO: delete them permanently from here
<globalConfigValue>TLSv1</globalConfigValue>
<globalConfigValue>TLSv1.1</globalConfigValue>
<globalConfigValue>TLSv1.2</globalConfigValue>
<globalConfigValue>SSLv2Hello</globalConfigValue>
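Review bot: removing SSLv2Hello from this protocol list addresses the `Protocol SSLv2Hello not excluded` warning in the startup log (the "After" log in the description confirms it), and it only drops support for the SSLv2-format ClientHello, which current clients do not send; but the list this hunk leaves behind still enables TLSv1 and TLSv1.1, which the review wants disabled as well and which are deprecated (RFC 8996), so either drop them here too or document why they stay. Two follow-ups: this attribute only governs mailboxd's Jetty connectors, so the proxy's nginx/openssl protocol settings need the same treatment; and because the value lives in global config, an upgraded install keeps whatever protocol list it already stores unless an upgrade script updates it, which ties into the upgrade-script question raised earlier in the thread.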

This will break older clients. I'm fine with this, although I'd also like to disable TLSv1 and TLSv1.1 if we're going to do this. We probably need feedback from support and we also have upgrade paths/documentation to cover with TLS config changes.


It might be nice to have the SslConnectionFactory portion of the dump output generated via
java -jar ${JETTY_HOME}/start.jar jetty.server.dumpAfterStart=true
as described in https://www.eclipse.org/jetty/documentation/current/configuring-ssl.html if you get a chance as well.
