Improving SSL security settings in Zimbra Collaboration Suite Open-Source Edition

Encryption strength is one of the most important indicators when information systems are used for business, because every day they are involved in transmitting large amounts of confidential information. The generally accepted way to assess the quality of an SSL connection is the independent test from Qualys SSL Labs. Since anyone can run this test, it is especially important for SaaS providers to get the highest possible score on it. Not only SaaS providers but also ordinary businesses care about the quality of their SSL connections. For them, the test is an excellent opportunity to identify potential vulnerabilities and close every loophole for attackers in advance.

Zimbra OSE allows two kinds of SSL certificates. The first is a self-signed certificate that is added automatically during installation. This certificate is free and has no time limit, which makes it well suited to testing Zimbra OSE or to using it exclusively within an internal network. However, when logging in to the web client, users will see a browser warning that the certificate is untrusted, and your server will fail the Qualys SSL Labs test.

The second is a commercial SSL certificate signed by a certificate authority. Such certificates are readily accepted by browsers and are typically used for commercial deployments of Zimbra OSE. With a commercial certificate installed correctly, Zimbra OSE 8.8.15 shows an A rating in the Qualys SSL Labs test. This is an excellent result, but our goal is to achieve A+.

To achieve the highest score in the Qualys SSL Labs test when using Zimbra Collaboration Suite Open-Source Edition, you need to complete several steps:

1. Increasing the Diffie-Hellman protocol parameters

By default, all Zimbra OSE 8.8.15 components that use OpenSSL have their Diffie-Hellman protocol parameters set to 2048 bits. In principle, this is enough to get A+ in the Qualys SSL Labs test. However, if you are upgrading from older versions, the settings may be lower. It is therefore recommended that, once the upgrade is complete, you run the command zmdhparam set -new 2048, which raises the Diffie-Hellman parameters to the acceptable 2048 bits. If you wish, the same command can raise the parameters to 3072 or 4096 bits, which on the one hand will take more time, but on the other will have a positive effect on the security level of the mail server.

2. Enabling a list of recommended ciphers

By default, Zimbra Collaboration Suite Open-Source Edition supports a wide range of strong and weak ciphers that encrypt data passing over a secure connection. However, the use of weak ciphers is a serious drawback when the security of an SSL connection is assessed. To avoid this, you need to configure the list of ciphers in use.

To do this, use the command zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

This command sets the whole list of recommended ciphers at once, so it both adds the reliable ciphers to the list and excludes the unreliable ones. All that remains is to restart the proxy nodes with the zmproxyctl restart command. After the restart, the changes take effect.

If this list does not suit you for some reason, you can remove a number of weak ciphers with the command zmprov mcf +zimbraSSLExcludeCipherSuites. For example, the command zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA completely eliminates the use of RC4 ciphers. The same can be done with AES and 3DES ciphers.
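
A cipher list can be checked offline before it is passed to zmprov mcf zimbraReverseProxySSLCiphers. The script below is an added example, not part of the original article: it reports required exclusions that are missing and weak ciphers named without a leading "!". The function name and the weak sample list are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check an OpenSSL cipher list before it is passed to
# `zmprov mcf zimbraReverseProxySSLCiphers`. String checks only, no openssl.

# The exclusions that close the article's list.
REQUIRED_EXCLUSIONS='!aNULL !eNULL !EXPORT !DES !MD5 !PSK !RC4'

# audit_ciphers LIST -> one finding per line; prints nothing for a clean list.
audit_ciphers() {
    tokens=$(printf '%s\n' "$1" | tr ':' '\n')

    # 1. Every required exclusion must appear as an exact token.
    for ex in $REQUIRED_EXCLUSIONS; do
        printf '%s\n' "$tokens" | grep -Fqx -e "$ex" ||
            echo "missing-exclusion $ex"
    done

    # 2. No enabled token may name a weak algorithm.
    printf '%s\n' "$tokens" | while IFS= read -r t; do
        case $t in
            '!'*|-*|'') ;;                    # exclusions and removals
            *RC4*|*MD5*|*NULL*|*EXP*|*DES*)   # DES also matches 3DES names
                echo "weak-enabled $t" ;;
        esac
    done
}

# Constructed input: a list that still lets RC4 and 3DES through.
SAMPLE_WEAK='ECDHE-RSA-AES128-GCM-SHA256:RC4-SHA:DES-CBC3-SHA:HIGH:!aNULL:!MD5'
audit_ciphers "$SAMPLE_WEAK"
```

Group aliases such as HIGH, AES128 and AES256 expand differently depending on the OpenSSL build, so also review the output of openssl ciphers -v with the same list on the proxy host.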

3. Enabling HSTS

Mechanisms that enforce connection encryption and TLS session resumption are also required to score well in the Qualys SSL Labs test. To enable them, enter the command zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000". This command adds the required header to the configuration; for the new settings to take effect, restart Zimbra OSE with the command zmcontrol restart.
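
After the restart, it is worth confirming that the header is really served. The script below is an added example, not part of the original article: it reads raw HTTP response headers on standard input and checks that Strict-Transport-Security carries a max-age of at least the value used above. The function names and the sample headers are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm that the HSTS header configured through
# zimbraResponseHeader is served. Reads raw HTTP response headers on stdin.

MIN_MAX_AGE=31536000   # the value used in the article's zmprov command

# hsts_max_age: print max-age from the first Strict-Transport-Security
# header; print nothing when the header or its max-age is absent.
hsts_max_age() {
    tr -d '\r' |
    awk 'tolower($0) ~ /^strict-transport-security:/ {
             line = tolower($0)                 # header names are case-insensitive
             if (match(line, /max-age=[0-9]+/)) {
                 v = substr(line, RSTART, RLENGTH)
                 gsub(/[^0-9]/, "", v)
                 print v
             }
             exit
         }'
}

# check_hsts: returns 0 when max-age is long enough, 1 when it is too
# short, 2 when no usable header is found.
check_hsts() {
    age=$(hsts_max_age)
    [ -n "$age" ] || { echo "no Strict-Transport-Security max-age found"; return 2; }
    [ "$age" -ge "$MIN_MAX_AGE" ] || { echo "max-age=$age is too short"; return 1; }
    echo "HSTS ok (max-age=$age)"
}

# Constructed sample response headers, not captured from a real server.
printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=31536000\r\n\r\n' |
    check_hsts
```

Against a live server the headers can be piped in from curl -sI followed by the HTTPS URL of your web client.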

At this point, the Qualys SSL Labs test will show an A+ rating, but if you want to improve the security of your server further, there are a number of other measures you can take.

For example, you can enable forced encryption of interprocess connections, and you can also enable forced encryption for connections to Zimbra OSE services. To enforce encryption of interprocess connections, enter the following commands:

zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_required=true

To enable forced encryption, enter:

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

As a result of these commands, all connections to the proxy servers and mail servers will be encrypted, and all of these connections will be proxied.
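
To confirm later that these settings are still in place, their current values can be compared with the ones set above. The script below is an added example, not part of the original article: it reads the text output of zmlocalconfig and zmprov gs on standard input and reports every setting that differs. The function name, the host name and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article): report which of the settings above
# still differ from the values the article sets.
# stdin: output of `zmlocalconfig <key>...` ("key = value") and
#        `zmprov gs <host> <attr>...` ("attr: value"), concatenated.

EXPECTED="ldap_starttls_supported=1 zimbra_require_interprocess_security=1 \
ldap_starttls_required=true zimbraReverseProxyMailMode=https \
zimbraMailMode=https zimbraReverseProxySSLToUpstreamEnabled=TRUE"

# Prints one DRIFT line per mismatch; exit status = number of mismatches.
drift_report() {
    awk -v expected="$EXPECTED" '
        BEGIN {
            n = split(expected, pair, " ")
            for (i = 1; i <= n; i++) {
                split(pair[i], kv, "=")
                key[i] = kv[1]; want[kv[1]] = kv[2]
            }
        }
        /^#/ { next }   # zmprov gs starts its output with "# name <host>"
        match($0, /^[A-Za-z_]+ *[=:] */) {
            k = substr($0, 1, RLENGTH); sub(/ *[=:] *$/, "", k)
            got[k] = substr($0, RLENGTH + 1)
        }
        END {
            bad = 0
            for (i = 1; i <= n; i++) {
                g = (key[i] in got) ? got[key[i]] : "<unset>"
                if (tolower(g) != tolower(want[key[i]])) {
                    printf "DRIFT %s: want %s, got %s\n", key[i], want[key[i]], g
                    bad++
                }
            }
            exit bad
        }'
}

# Constructed sample output (assumed host name), with one setting left weak.
drift_report <<'EOF' || echo "settings differ from the article's values"
ldap_starttls_supported = 1
zimbra_require_interprocess_security = 1
ldap_starttls_required = true
# name mail.example.com
zimbraReverseProxyMailMode: https
zimbraMailMode: both
zimbraReverseProxySSLToUpstreamEnabled: TRUE
EOF
```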

Thus, by following our recommendations, you can not only achieve the highest score in the SSL connection security test, but also significantly increase the security of the entire Zimbra OSE infrastructure.

For all questions related to Zextras Suite, you can contact Zextras representative Ekaterina Triandafilidi by email.

Source: www.habr.com
