Weak Diffie-Hellman (DH) key exchange parameters - LogJam

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
johnroberts
Posts: 31
Joined: Sat Sep 13, 2014 2:43 am

Weak Diffie-Hellman (DH) key exchange parameters - LogJam

Post by johnroberts »

Hello All,
Following on from the LogJam bug discovery we are upgrading our servers.
Unfortunately we haven't worked out how to do this with our Zimbra web client servers as yet.
There are these two links:
[View:https://blog.zimbra.com/2015/05/logjams ... tion:940:0]
[View:https://community.zimbra.com/support/se ... gjam:940:0]

which talk about problems linked only with the MTA Postfix, and work arounds by changing the ciphers.
However the problem is not linked just to the MTA in the fact that, from what we can gather, any web client user is also liable to face issues due to the weak Diffie-Hellman (DH) key exchange parameters configured on the Zimbra web server.
As chappert also indicated in the post here, Zimbra systems are now being down rated by SSL rating services such as Qualys SSL Labs because of this issue.
Does anyone have any information on how we may be able to resolve this without having to wait for the new features in Collab 8.7 (DH 2048bit)?
Thanks for all / any replies!
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Weak Diffie-Hellman (DH) key exchange parameters - LogJam

Post by jorgedlcruz »

Hi Johnroberts,

I've sent this issue to our Security team and they are working on it, we will return soon with some answers.



Thank you for let us know.



Best regards.
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Weak Diffie-Hellman (DH) key exchange parameters - LogJam

Post by jorgedlcruz »

Hi John,
I have the next feedback:
"I also suggest reading over: <https://weakdh.org/> and
<https://www.openssl.org/blog/blog/2015/ ... g-changes/>
which are referenced in Phil's post.

SSL labs notes our DH keys are 1024 bit.  Those are specifically not
vulernable to logjam.  From weakdh.org:

Logjam attack against the TLS protocol. The Logjam attack allows a
man-in-the-middle attacker to downgrade vulnerable TLS connections to
512-bit export-grade cryptography. This allows the attacker to read and
modify any data passed over the connection. The attack is reminiscent of
the FREAK attack, but is due to a flaw in the TLS protocol rather than an
implementation vulnerability, and attacks a Diffie-Hellman key exchange
rather than an RSA key exchange. The attack affects any server that
supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of
the Top 1 Million domains were initially vulnerable.

From the OpenSSL.org site:

Today, news broke of Logjam, an attack on TLS connections using
Diffie-Hellman ciphersuites. To protect OpenSSL-based clients, we're
increasing the minimum accepted DH key size to 768 bits immediately in the
next release, and to 1024 bits soon after. We have also made several other
changes to strengthen our cryptographic defaults and have updated our tools
and documentation to help servers configure Diffie-Hellman ciphersuites
securely - see below for details.

So we are already *at* the 1024 bits noted.

For 8.7, we will be upgrading to OpenSSL 1.0.1n which will default to 2048  bit DH keys."
I don't have any news about it except that.
Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
johnroberts
Posts: 31
Joined: Sat Sep 13, 2014 2:43 am

Weak Diffie-Hellman (DH) key exchange parameters - LogJam

Post by johnroberts »

Hello Jorge,

Thanks a lot for the feedback but unfortunately it didn't resolve the main urgent issue of enabling DH 2048 bit random keys in 8.6

We've since solved the issue by creating a random 2048 key using openssl and then have Nginx pick this up during start-up.

At the same time I noticed that andreaswolske has kindly added a Wiki entry to explain how to do this for Zimbra 8.5 and 8.6:
https://wiki.zimbra.com/wiki/Security/Collab/logjam

The above Wiki explains how to fix the LogJam / Weak Diffie-Hellman (DH) key exchange parameters security issue in Zimbra collaboration.
liverpoolfcfan
Elite member
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

Weak Diffie-Hellman (DH) key exchange parameters - LogJam

Post by liverpoolfcfan »

How did you get the server to pick up the new key? I followed the steps in the wiki and the ssllabs test still reports we are using a shared common 1024 bit prime.
johnroberts
Posts: 31
Joined: Sat Sep 13, 2014 2:43 am

Weak Diffie-Hellman (DH) key exchange parameters - LogJam

Post by johnroberts »

Editing the two nginx configuration files as shown in the blog post (after creating the 2048 bit PEM file) and adding:
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
Immediately after restarting it was picked up and both the tests:
[View:https://weakdh.org/sysadmin.html:940:0]
and
[View:https://www.ssllabs.com/ssltest/:940:0]

reflected the new 2048 key.
liverpoolfcfan
Elite member
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

Weak Diffie-Hellman (DH) key exchange parameters - LogJam

Post by liverpoolfcfan »

Do you have the ssl_verify_depth line in both of your config files?



It does not appear in our nginx.conf.web.https.template file



This is a system that has been upgraded all the way from 6.0.4 over the years and is currently at 8.6 Patch 2
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Weak Diffie-Hellman (DH) key exchange parameters - LogJam

Post by jorgedlcruz »

Hi liverpool,
I've followed the instructions today and I had it only in the first file /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template , in the second one (/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template) I just placed the ssl_dhparam /opt/zimbra/conf/dhparams.pem; like here:
ssl_certificate ${ssl.crt};
ssl_certificate_key ${ssl.key};
ssl_verify_client ${ssl.clientcertmode};
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
include ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
set $login_upstream ${web.upstream.login.target};
It works for me.
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
liverpoolfcfan
Elite member
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

Weak Diffie-Hellman (DH) key exchange parameters - LogJam

Post by liverpoolfcfan »

I did the same.



My pem file is

-rw-r--r-- 1 zimbra zimbra 424 Jun 8 11:10 dhparams.pem

but still when I restart and re-check the server on the two sites they report "This site uses a commonly-shared 1024-bit Diffie-Hellman group"



Could it be down to the OS (CentOS release 6.6 (Final))?

or the openssl version ?
User avatar
jorgedlcruz
Zimbra Alumni
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

Weak Diffie-Hellman (DH) key exchange parameters - LogJam

Post by jorgedlcruz »

Paste us the content of the first 20 lines of this 2 files:

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template



Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
Post Reply