Improving SSL connection security settings in Zimbra Collaboration Suite Open-Source Edition

Encryption strength is one of the most important indicators when information systems are used for business, because every day they are involved in transmitting large volumes of confidential information. A generally accepted way to assess the quality of an SSL connection is the independent test from Qualys SSL Labs. Since anyone can run this test, it is especially important for SaaS providers to obtain the highest possible score in it. Not only SaaS providers but ordinary enterprises also care about the quality of their SSL connections. For them, this test is a good opportunity to identify weak points and close all loopholes for cybercriminals in advance.

Zimbra OSE allows two types of SSL certificates. The first is a self-signed certificate that is added automatically during installation. This certificate is free and has no expiry, so it is suitable for testing Zimbra OSE or for using it only inside a local network. However, when logging in to the web client, users will see a browser warning that this certificate is not trusted, and your server will certainly fail the Qualys SSL Labs test.

The second is a commercial SSL certificate signed by a certificate authority. Such certificates are readily accepted by browsers and are normally used for production deployments of Zimbra OSE. Immediately after a commercial certificate is installed correctly, Zimbra OSE 8.8.15 shows an A grade in the Qualys SSL Labs test. This is a very good result, but our goal is to achieve an A+.

To get the highest score in the Qualys SSL Labs test when using Zimbra Collaboration Suite Open-Source Edition, you need to complete several steps:

1. Increase the Diffie-Hellman parameters

By default, all Zimbra OSE 8.8.15 components that use OpenSSL have their Diffie-Hellman parameters set to 2048 bits. In principle, this is more than enough to get an A+ in the Qualys SSL Labs test. However, if you are upgrading from older versions, the settings may be lower. Therefore it is recommended, after the upgrade completes, to run the command zmdhparam set -new 2048, which raises the Diffie-Hellman parameters to the acceptable 2048 bits. If desired, the same command lets you raise the parameter size to 3072 or 4096 bits, which on one hand lengthens generation time, but on the other hand has a positive effect on the security level of the mail server.

2. Configure the list of ciphers used

By default, Zimbra Collaboration Suite Open-Source Edition supports a wide range of strong and weak ciphers for encrypting the data that passes over a secured connection. However, the use of weak ciphers is a serious drawback when the security of an SSL connection is assessed. To avoid this, you need to configure the list of ciphers that are used.

To do this, use the command:

zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

This command installs a set of recommended ciphers at once: trusted ciphers are added to the list and untrusted ones are excluded. All that remains is to restart the reverse proxy nodes with the command zmproxyctl restart. After the restart, the changes take effect.

If this list does not suit you for some reason, you can remove individual weak ciphers from it with the command zmprov mcf +zimbraSSLExcludeCipherSuites. For example, the command

zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA

completely disables the use of RC4 ciphers. The same can be done with AES and 3DES ciphers.
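The two attributes above take different naming conventions: zimbraReverseProxySSLCiphers is an OpenSSL cipher string consumed by the nginx proxy, while zimbraSSLExcludeCipherSuites takes the TLS_*/SSL_* suite names used by the Java mailboxd. The following is an added example (not from the original article or from Zimbra) that audits an OpenSSL-style cipher string offline with plain POSIX sh, so you can review a list before you hand it to zmprov. CIPHER_LIST is the article's own list; the helper names no_fs_suites, legacy_sha1_suites and excludes_all are this example's own.

```shell
#!/bin/sh
# Added example: audit an OpenSSL cipher string of the kind passed to
#   zmprov mcf zimbraReverseProxySSLCiphers '...'
# Needs only POSIX sh, tr, grep and sed; no zmprov or openssl required.

# The cipher string recommended in the article (copied verbatim).
CIPHER_LIST='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

# Print every explicitly named suite that offers no forward secrecy, i.e.
# static RSA key exchange (no ECDHE-/DHE-/kEDH prefix). Group aliases such
# as HIGH, AES128 and AES256, and the !-exclusions, are skipped here because
# OpenSSL expands them; they may still admit non-FS suites.
no_fs_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | while read -r suite; do
        case "$suite" in
            '!'*|HIGH|AES128|AES256|kEDH*) continue ;;
            ECDHE-*|DHE-*)                continue ;;
            *) printf '%s\n' "$suite" ;;
        esac
    done
}

# Print the named suites that still use HMAC-SHA1 (name ends in "-SHA").
# They are CBC suites kept for old clients; worth knowing they are present.
legacy_sha1_suites() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -- '-SHA$' || true
}

# Return 0 when the string explicitly excludes every family given as an
# argument, e.g.  excludes_all "$CIPHER_LIST" RC4 MD5 aNULL
excludes_all() {
    list=$1
    shift
    for family in "$@"; do
        case ":$list:" in
            *":!$family:"*) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# Stand-alone usage: print a short report for the article's list.
echo "Suites without forward secrecy:"
no_fs_suites "$CIPHER_LIST"
echo "Suites still using HMAC-SHA1:"
legacy_sha1_suites "$CIPHER_LIST"
if excludes_all "$CIPHER_LIST" RC4 MD5 aNULL eNULL EXPORT; then
    echo "RC4, MD5, NULL and EXPORT families are excluded"
fi
```

Run against the article's list, the report shows that only AES128-GCM-SHA256 and AES256-GCM-SHA384 are named without forward secrecy, seven ECDHE/DHE suites still rely on HMAC-SHA1, and 3DES is not excluded by name (it is only kept out insofar as HIGH and the named suites do not pull it in). Whether to drop those entries is a trade-off against the oldest mail clients you must support; the audit just makes the trade-off visible before a zmproxyctl restart.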

3. Enable HSTS

The mechanisms used to strengthen encryption and TLS session resumption are also required to get the proper score in the Qualys SSL Labs test. To enable them, enter the command zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000". This command adds the required header to the configuration, and to apply the new settings you restart Zimbra OSE with the command zmcontrol restart.
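To confirm that the header actually reaches clients after the restart, the following added example (not from the original article or from Zimbra) extracts the max-age from a captured HTTP response and checks it against the one-year value set above. SAMPLE_HEADERS is a constructed response, not output from a real server; in practice you would feed the function the output of curl -sI against your own host name (mail.example.com below is a placeholder). The helper names hsts_max_age and hsts_ok are this example's own.

```shell
#!/bin/sh
# Added example: verify the Strict-Transport-Security header on a response.
# Plain POSIX sh plus tr, sed and head; works offline on captured headers.

# Constructed sample response, as curl -sI https://mail.example.com/ might
# return once zimbraResponseHeader has been applied (not real output).
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000
Content-Type: text/html'

# Print the max-age value of the first Strict-Transport-Security header,
# or nothing when the header is absent. Header names are case-insensitive,
# so the input is lowercased before matching; CR from HTTP line endings is
# stripped so the pattern also works on raw curl output.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | tr 'A-Z' 'a-z' \
        | sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p' \
        | head -n 1
}

# Return 0 when HSTS is present and max-age is at least $2 seconds
# (default 31536000, one year, the value the article configures).
hsts_ok() {
    age=$(hsts_max_age "$1")
    min=${2:-31536000}
    [ -n "$age" ] && [ "$age" -ge "$min" ]
}

# Stand-alone usage: report on the constructed sample.
if hsts_ok "$SAMPLE_HEADERS"; then
    echo "HSTS present, max-age=$(hsts_max_age "$SAMPLE_HEADERS")"
else
    echo "HSTS missing or max-age below one year"
fi
```

Keep two caveats in mind when you run this against a live server: the header is only meaningful on the HTTPS response, not on the HTTP redirect, and a max-age that is set too short is treated by graders and browsers as little better than none, which is why the check compares against a minimum rather than merely testing for presence.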

At this point the Qualys SSL Labs report will show an A+ grade, but if you want to improve the security of your server further, there are a few more things you can do.

For example, you can enable encryption of inter-process connections, and you can enforce encryption when connecting to Zimbra OSE services. To secure inter-process connections, enter the following commands:

zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_required=true

To enforce encrypted connections, you need to enter:

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

Thanks to these commands, all connections to the proxy servers and mail servers will be made over encrypted channels.

Thus, by following our recommendations, you can not only achieve the highest score in the SSL connection security test, but also significantly raise the security of the Zimbra OSE system as a whole.

For all questions related to Zextras Suite, you can contact Zextras Representative Ekaterina Triandafilidi by e-mail.

Source: www.habr.com