Improving SSL connection security settings in Zimbra Collaboration Suite Open-Source Edition

Encryption strength is one of the most important indicators when using information systems for business, because every day they are involved in transferring a large amount of confidential information. The generally accepted way of assessing the quality of an SSL connection is the independent test from Qualys SSL Labs. Since anyone can run this test, it is especially important for SaaS providers to get the highest possible score on it. Not only SaaS providers but also ordinary companies care about the quality of their SSL connection. For them, this test is a good opportunity to identify potential vulnerabilities and close off any loopholes for cybercriminals in advance.

Zimbra OSE allows two types of SSL certificates. The first is a self-signed certificate that is added automatically during installation. This certificate is free and has no time limit, which makes it ideal for testing Zimbra OSE or for using it exclusively within an internal network. However, when logging in to the web client, users will see a browser warning that this certificate is not trusted, and your server will certainly fail the Qualys SSL Labs test.

The second is a commercial SSL certificate signed by a certificate authority. Such certificates are readily accepted by browsers and are usually used for commercial deployments of Zimbra OSE. Immediately after a commercial certificate has been installed correctly, Zimbra OSE 8.8.15 shows an A grade in the Qualys SSL Labs test. This is an excellent result, but our goal is an A+.


To achieve the maximum grade in the Qualys SSL Labs test when using Zimbra Collaboration Suite Open-Source Edition, you need to complete several steps:

1. Increase the Diffie-Hellman protocol parameters

By default, all Zimbra OSE 8.8.15 components that use OpenSSL have the Diffie-Hellman protocol parameters set to 2048 bits. In principle, this is more than enough to get an A+ in the Qualys SSL Labs test. However, if you are upgrading from older versions, the settings may be lower. It is therefore recommended that, once the upgrade is complete, you run the command zmdhparam set -new 2048, which raises the Diffie-Hellman parameters to an acceptable 2048 bits. If desired, you can use the same command to raise the parameter size to 3072 or 4096 bits, which on the one hand increases the generation time, but on the other hand has a positive effect on the security level of the mail server.

2. Enable the recommended list of ciphers

By default, Zimbra Collaboration Suite Open-Source Edition supports a wide range of strong and weak ciphers that encrypt the data passing over a secure connection. However, the use of weak ciphers is a serious negative when the security of an SSL connection is assessed. To avoid this, you need to configure the list of ciphers in use.

To do this, use the command zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

This command contains the whole set of recommended ciphers, so in a single step it adds the trusted ciphers to the list and excludes the untrusted ones. All that remains is to restart the reverse-proxy nodes using the command zmproxyctl restart. After the restart, the changes take effect.

If this list does not suit you for one reason or another, you can remove a number of weak ciphers from it using the command zmprov mcf +zimbraSSLExcludeCipherSuites. For example, the command zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA will completely eliminate the use of RC4 ciphers. The same can be done with AES and 3DES ciphers.

3. Enable HSTS

Enabled mechanisms for forcing encrypted connections and for TLS session resumption are also required to achieve a perfect grade in the Qualys SSL Labs test. To enable them, enter the command zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000". This command adds the required header to the configuration, and for the new settings to take effect you must restart Zimbra OSE using the command zmcontrol restart.
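To check what steps 2 and 3 actually configure, the following added example (not part of the original article) expands the cipher string from step 2 with the local OpenSSL library and parses the header value from step 3. The function names audit_ciphers and hsts_max_age are illustrative, and the expansion depends on the OpenSSL build behind Python's ssl module, which may differ from the one bundled with Zimbra.

```python
import ssl

# Values copied from steps 2 and 3 of the article.
ZIMBRA_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:"
    "ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:"
    "ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:"
    "DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)
HSTS_HEADER = "Strict-Transport-Security: max-age=31536000"

FS_KEX = {"kx-ecdhe", "kx-dhe", "kx-any"}  # kx-any: TLS 1.3 suites, always ephemeral
BANNED = ("RC4", "MD5", "NULL", "EXP", "PSK")  # families the string excludes with "!"

def audit_ciphers(cipher_string):
    """Expand an OpenSSL cipher string with the local library and classify it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if no suite matches
    suites = ctx.get_ciphers()
    return {
        "names": [c["name"] for c in suites],
        "banned": [c["name"] for c in suites if any(t in c["name"] for t in BANNED)],
        "no_forward_secrecy": [c["name"] for c in suites if c["kea"] not in FS_KEX],
        "not_aead": [c["name"] for c in suites if not c["aead"]],
    }

def hsts_max_age(header_line):
    """Return max-age in seconds from a Strict-Transport-Security header, or None."""
    name, _, value = header_line.partition(":")
    if name.strip().lower() != "strict-transport-security":
        return None
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().strip('"').isdigit():
            return int(val.strip().strip('"'))
    return None

if __name__ == "__main__":
    report = audit_ciphers(ZIMBRA_CIPHERS)
    for key in ("banned", "no_forward_secrecy", "not_aead"):
        print(f"{key}: {', '.join(report[key]) or 'none'}")
    print("HSTS max-age in days:", hsts_max_age(HSTS_HEADER) // 86400)
```

On typical OpenSSL builds the no_forward_secrecy list is not empty, because entries such as AES128-GCM-SHA256 and the AES128, AES256 and HIGH aliases admit static-RSA key exchange.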

Already at this stage, the Qualys SSL Labs test will show an A+ rating, but if you want to improve the security of your server further, there are other measures you can take.


For example, you can enable forced encryption of interprocess connections, and you can also enable forced encryption when connecting to Zimbra OSE services. To check interprocess connections, enter the following commands:

zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_required=true

To enable forced encryption, enter:

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

Thanks to these commands, all connections to the proxy servers and mail servers will be encrypted, and all of these connections will be proxied.


Thus, by following our recommendations, you can not only achieve the highest score in the SSL connection security test, but also significantly improve the security of the entire Zimbra OSE infrastructure.

For all questions related to Zextras Suite, you can contact Zextras representative Ekaterina Triandafilidi by email [email protected]

source: www.habr.com
