Weak Diffie-Hellman (DH) key exchange parameters - LogJam
-
- Posts: 31
- Joined: Sat Sep 13, 2014 2:43 am
Weak Diffie-Hellman (DH) key exchange parameters - LogJam
Hello All,
Following on from the LogJam bug discovery we are upgrading our servers.
Unfortunately we haven't worked out how to do this with our Zimbra web client servers as yet.
There are these two links:
[View:https://blog.zimbra.com/2015/05/logjams ... tion:940:0]
[View:https://community.zimbra.com/support/se ... gjam:940:0]
which talk about problems linked only with the MTA Postfix, and work arounds by changing the ciphers.
However the problem is not linked just to the MTA in the fact that, from what we can gather, any web client user is also liable to face issues due to the weak Diffie-Hellman (DH) key exchange parameters configured on the Zimbra web server.
As chappert also indicated in the post here, Zimbra systems are now being down rated by SSL rating services such as Qualys SSL Labs because of this issue.
Does anyone have any information on how we may be able to resolve this without having to wait for the new features in Collab 8.7 (DH 2048bit)?
Thanks for all / any replies!
Following on from the LogJam bug discovery we are upgrading our servers.
Unfortunately we haven't worked out how to do this with our Zimbra web client servers as yet.
There are these two links:
[View:https://blog.zimbra.com/2015/05/logjams ... tion:940:0]
[View:https://community.zimbra.com/support/se ... gjam:940:0]
which talk about problems linked only with the MTA Postfix, and work arounds by changing the ciphers.
However the problem is not linked just to the MTA in the fact that, from what we can gather, any web client user is also liable to face issues due to the weak Diffie-Hellman (DH) key exchange parameters configured on the Zimbra web server.
As chappert also indicated in the post here, Zimbra systems are now being down rated by SSL rating services such as Qualys SSL Labs because of this issue.
Does anyone have any information on how we may be able to resolve this without having to wait for the new features in Collab 8.7 (DH 2048bit)?
Thanks for all / any replies!
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Weak Diffie-Hellman (DH) key exchange parameters - LogJam
Hi Johnroberts,
I've sent this issue to our Security team and they are working on it, we will return soon with some answers.
Thank you for let us know.
Best regards.
I've sent this issue to our Security team and they are working on it, we will return soon with some answers.
Thank you for let us know.
Best regards.
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Weak Diffie-Hellman (DH) key exchange parameters - LogJam
Hi John,
I have the next feedback:
"I also suggest reading over: <https://weakdh.org/> and
<https://www.openssl.org/blog/blog/2015/ ... g-changes/>
which are referenced in Phil's post.
SSL labs notes our DH keys are 1024 bit. Those are specifically not
vulernable to logjam. From weakdh.org:
Logjam attack against the TLS protocol. The Logjam attack allows a
man-in-the-middle attacker to downgrade vulnerable TLS connections to
512-bit export-grade cryptography. This allows the attacker to read and
modify any data passed over the connection. The attack is reminiscent of
the FREAK attack, but is due to a flaw in the TLS protocol rather than an
implementation vulnerability, and attacks a Diffie-Hellman key exchange
rather than an RSA key exchange. The attack affects any server that
supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of
the Top 1 Million domains were initially vulnerable.
From the OpenSSL.org site:
Today, news broke of Logjam, an attack on TLS connections using
Diffie-Hellman ciphersuites. To protect OpenSSL-based clients, we're
increasing the minimum accepted DH key size to 768 bits immediately in the
next release, and to 1024 bits soon after. We have also made several other
changes to strengthen our cryptographic defaults and have updated our tools
and documentation to help servers configure Diffie-Hellman ciphersuites
securely - see below for details.
So we are already *at* the 1024 bits noted.
For 8.7, we will be upgrading to OpenSSL 1.0.1n which will default to 2048 bit DH keys."
I don't have any news about it except that.
Best regards
I have the next feedback:
"I also suggest reading over: <https://weakdh.org/> and
<https://www.openssl.org/blog/blog/2015/ ... g-changes/>
which are referenced in Phil's post.
SSL labs notes our DH keys are 1024 bit. Those are specifically not
vulernable to logjam. From weakdh.org:
Logjam attack against the TLS protocol. The Logjam attack allows a
man-in-the-middle attacker to downgrade vulnerable TLS connections to
512-bit export-grade cryptography. This allows the attacker to read and
modify any data passed over the connection. The attack is reminiscent of
the FREAK attack, but is due to a flaw in the TLS protocol rather than an
implementation vulnerability, and attacks a Diffie-Hellman key exchange
rather than an RSA key exchange. The attack affects any server that
supports DHE_EXPORT ciphers, and affects all modern web browsers. 8.4% of
the Top 1 Million domains were initially vulnerable.
From the OpenSSL.org site:
Today, news broke of Logjam, an attack on TLS connections using
Diffie-Hellman ciphersuites. To protect OpenSSL-based clients, we're
increasing the minimum accepted DH key size to 768 bits immediately in the
next release, and to 1024 bits soon after. We have also made several other
changes to strengthen our cryptographic defaults and have updated our tools
and documentation to help servers configure Diffie-Hellman ciphersuites
securely - see below for details.
So we are already *at* the 1024 bits noted.
For 8.7, we will be upgrading to OpenSSL 1.0.1n which will default to 2048 bit DH keys."
I don't have any news about it except that.
Best regards
-
- Posts: 31
- Joined: Sat Sep 13, 2014 2:43 am
Weak Diffie-Hellman (DH) key exchange parameters - LogJam
Hello Jorge,
Thanks a lot for the feedback but unfortunately it didn't resolve the main urgent issue of enabling DH 2048 bit random keys in 8.6
We've since solved the issue by creating a random 2048 key using openssl and then have Nginx pick this up during start-up.
At the same time I noticed that andreaswolske has kindly added a Wiki entry to explain how to do this for Zimbra 8.5 and 8.6:
https://wiki.zimbra.com/wiki/Security/Collab/logjam
The above Wiki explains how to fix the LogJam / Weak Diffie-Hellman (DH) key exchange parameters security issue in Zimbra collaboration.
Thanks a lot for the feedback but unfortunately it didn't resolve the main urgent issue of enabling DH 2048 bit random keys in 8.6
We've since solved the issue by creating a random 2048 key using openssl and then have Nginx pick this up during start-up.
At the same time I noticed that andreaswolske has kindly added a Wiki entry to explain how to do this for Zimbra 8.5 and 8.6:
https://wiki.zimbra.com/wiki/Security/Collab/logjam
The above Wiki explains how to fix the LogJam / Weak Diffie-Hellman (DH) key exchange parameters security issue in Zimbra collaboration.
-
- Elite member
- Posts: 1104
- Joined: Sat Sep 13, 2014 12:47 am
Weak Diffie-Hellman (DH) key exchange parameters - LogJam
How did you get the server to pick up the new key? I followed the steps in the wiki and the ssllabs test still reports we are using a shared common 1024 bit prime.
-
- Posts: 31
- Joined: Sat Sep 13, 2014 2:43 am
Weak Diffie-Hellman (DH) key exchange parameters - LogJam
Editing the two nginx configuration files as shown in the blog post (after creating the 2048 bit PEM file) and adding:
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
Immediately after restarting it was picked up and both the tests:
[View:https://weakdh.org/sysadmin.html:940:0]
and
[View:https://www.ssllabs.com/ssltest/:940:0]
reflected the new 2048 key.
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
Immediately after restarting it was picked up and both the tests:
[View:https://weakdh.org/sysadmin.html:940:0]
and
[View:https://www.ssllabs.com/ssltest/:940:0]
reflected the new 2048 key.
-
- Elite member
- Posts: 1104
- Joined: Sat Sep 13, 2014 12:47 am
Weak Diffie-Hellman (DH) key exchange parameters - LogJam
Do you have the ssl_verify_depth line in both of your config files?
It does not appear in our nginx.conf.web.https.template file
This is a system that has been upgraded all the way from 6.0.4 over the years and is currently at 8.6 Patch 2
It does not appear in our nginx.conf.web.https.template file
This is a system that has been upgraded all the way from 6.0.4 over the years and is currently at 8.6 Patch 2
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Weak Diffie-Hellman (DH) key exchange parameters - LogJam
Hi liverpool,
I've followed the instructions today and I had it only in the first file /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template , in the second one (/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template) I just placed the ssl_dhparam /opt/zimbra/conf/dhparams.pem; like here:
ssl_certificate ${ssl.crt};
ssl_certificate_key ${ssl.key};
ssl_verify_client ${ssl.clientcertmode};
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
include ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
set $login_upstream ${web.upstream.login.target};
It works for me.
I've followed the instructions today and I had it only in the first file /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template , in the second one (/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template) I just placed the ssl_dhparam /opt/zimbra/conf/dhparams.pem; like here:
ssl_certificate ${ssl.crt};
ssl_certificate_key ${ssl.key};
ssl_verify_client ${ssl.clientcertmode};
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
include ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
set $login_upstream ${web.upstream.login.target};
It works for me.
-
- Elite member
- Posts: 1104
- Joined: Sat Sep 13, 2014 12:47 am
Weak Diffie-Hellman (DH) key exchange parameters - LogJam
I did the same.
My pem file is
-rw-r--r-- 1 zimbra zimbra 424 Jun 8 11:10 dhparams.pem
but still when I restart and re-check the server on the two sites they report "This site uses a commonly-shared 1024-bit Diffie-Hellman group"
Could it be down to the OS (CentOS release 6.6 (Final))?
or the openssl version ?
My pem file is
-rw-r--r-- 1 zimbra zimbra 424 Jun 8 11:10 dhparams.pem
but still when I restart and re-check the server on the two sites they report "This site uses a commonly-shared 1024-bit Diffie-Hellman group"
Could it be down to the OS (CentOS release 6.6 (Final))?
or the openssl version ?
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Weak Diffie-Hellman (DH) key exchange parameters - LogJam
Paste us the content of the first 20 lines of this 2 files:
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
Best regards
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
Best regards