Optimizing SSL connection security settings in Zimbra Collaboration Suite Open-Source Edition

Encryption strength is one of the most important indicators when information systems are used for business, because every day they handle the transfer of a very large amount of confidential data. The generally accepted way to assess the quality of an SSL connection is the independent test from Qualys SSL Labs. Since anyone can run this test, it is especially important for SaaS providers to get the highest possible result in it. Not only SaaS providers but also ordinary companies care about the quality of their SSL connections. For them, this test is an excellent opportunity to identify potential weaknesses and close all loopholes before cybercriminals find them.

Zimbra OSE allows two types of SSL certificates. The first is a self-signed certificate that is added automatically during installation. This certificate is free and has no time limit, which makes it well suited to testing Zimbra OSE or to using it exclusively within an internal network. However, when logging in to the web client, users will see a browser warning that this certificate is not trusted, and your server will certainly fail the Qualys SSL Labs test.

The second is a commercial SSL certificate signed by a certificate authority. Certificates of this type are readily accepted by browsers and are usually used for commercial deployments of Zimbra OSE. Immediately after the commercial certificate is installed correctly, Zimbra OSE 8.8.15 shows a score of A in the Qualys SSL Labs test. This is an excellent result, but our goal is to reach A+.

To achieve the maximum score in the Qualys SSL Labs test when using Zimbra Collaboration Suite Open-Source Edition, you need to complete several steps:

1. Increasing the Diffie-Hellman protocol parameters

By default, all Zimbra OSE 8.8.15 components that use OpenSSL have their Diffie-Hellman protocol settings set to 2048 bits. In principle, this is more than enough to get an A+ score in the Qualys SSL Labs test. However, if you are upgrading from older versions, the setting may be lower. It is therefore recommended that, once the update is complete, you run the command zmdhparam set -new 2048, which will raise the Diffie-Hellman parameters to an acceptable 2048 bits. If desired, you can use the same command to raise the parameter size to 3072 or 4096 bits, which on the one hand will increase generation time, but on the other hand will have a positive effect on the security level of the mail server.

2. Enabling the recommended list of ciphers

By default, Zimbra Collaboration Suite Open-Source Edition supports a wide range of strong and weak ciphers that encrypt the data passing over a secure connection. However, the use of weak ciphers is a serious disadvantage when the security of an SSL connection is checked. To avoid this, you need to configure the list of ciphers used.

To do this, use the command:

zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

This command already contains the recommended set of ciphers, so in a single step it adds the reliable ciphers to the list and excludes the unreliable ones. All that remains is to restart the proxy nodes using the zmproxyctl restart command. After the restart, the changes will take effect.

If this list does not suit you for one reason or another, you can remove a number of weak ciphers from it using the command zmprov mcf +zimbraSSLExcludeCipherSuites. For example, the command zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA will completely eliminate the use of RC4 ciphers. The same can be done with AES and 3DES ciphers.

3. Enable HSTS

Enabled mechanisms for forcing connection encryption and for TLS session recovery are also required to achieve a perfect score in the Qualys SSL Labs test. To enable them, enter the command zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000". This command adds the required header to the configuration, and for the new settings to take effect you must restart Zimbra OSE using the zmcontrol restart command.

Already at this stage, the Qualys SSL Labs test will show an A+ rating, but if you want to improve the security of your server further, there are several other steps you can take.
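A check for the cipher list set in step 2, as an added example that is not part of the original article: it confirms that every family the list switches off with "!" really is excluded, and goes one step beyond the text by listing the entries that are not limited to ephemeral (EC)DHE key exchange. The function and variable names are illustrative; the cipher string is the one from the command above.

```shell
#!/bin/sh
# Value passed to zimbraReverseProxySSLCiphers in step 2 of the article.
CIPHERS='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

# Families that the article's list switches off with "!" entries.
REQUIRED_EXCLUSIONS='aNULL eNULL EXPORT DES MD5 PSK RC4'

# audit_ciphers LIST: print one line per problem and return 1 if any:
#   - a family above is not excluded with "!family"
#   - a positive entry names a weak family directly
audit_ciphers() {
    rc=0
    for fam in $REQUIRED_EXCLUSIONS; do
        case ":$1:" in
            *":!$fam:"*) ;;
            *) echo "missing exclusion: !$fam"; rc=1 ;;
        esac
    done
    old_ifs=$IFS; IFS=:
    for tok in $1; do
        case $tok in
            '!'*) ;;
            *RC4*|*MD5*|*NULL*|*EXP*|*DES*) echo "weak entry: $tok"; rc=1 ;;
        esac
    done
    IFS=$old_ifs
    return "$rc"
}

# non_fs_entries LIST: print the positive entries that are not restricted
# to ephemeral (EC)DHE key exchange, so they can also select RSA key exchange.
non_fs_entries() {
    old_ifs=$IFS; IFS=:
    for tok in $1; do
        case $tok in
            '!'*|ECDHE-*|DHE-*|kEDH*) ;;
            *) echo "$tok" ;;
        esac
    done
    IFS=$old_ifs
}

audit_ciphers "$CIPHERS" && echo "weak families are excluded"
echo "entries that also allow non-ephemeral key exchange:"
non_fs_entries "$CIPHERS"
```

The same functions can be pointed at a modified list before it is applied with zmprov mcf, to catch a dropped "!" entry or a reintroduced weak suite.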

For example, you can enable forced encryption of interprocess connections, and you can also enable forced encryption when connecting to Zimbra OSE services. To secure interprocess connections, enter the following commands:

zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_required=true

To enable forced encryption, you need to enter:

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

Thanks to these commands, all connections to the proxy servers and mail servers will be encrypted.
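A post-change audit for the HSTS header from step 3 and the interprocess and mail-mode settings above, as an added example that is not part of the original article. It assumes the collected output uses the "key = value" (zmlocalconfig) and "key: value" (zmprov) line formats; the function names, the host name and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Values the article's commands set, as "key|expected value".
EXPECTED='ldap_starttls_supported|1
zimbra_require_interprocess_security|1
ldap_starttls_required|true
zimbraReverseProxyMailMode|https
zimbraMailMode|https
zimbraReverseProxySSLToUpstreamEnabled|TRUE
zimbraResponseHeader|Strict-Transport-Security: max-age=31536000'

# has_setting DUMP KEY VALUE: true if DUMP holds the exact line
# "KEY = VALUE" (zmlocalconfig style) or "KEY: VALUE" (zmprov style).
has_setting() {
    printf '%s\n' "$1" | grep -qxF -e "$2 = $3" -e "$2: $3"
}

# audit_config DUMP: print one FAIL line per setting that is missing or
# different; return 1 if anything failed, 0 otherwise.
audit_config() {
    rc=0
    while IFS='|' read -r key want; do
        if ! has_setting "$1" "$key" "$want"; then
            echo "FAIL $key (want: $want)"
            rc=1
        fi
    done <<EOF
$EXPECTED
EOF
    return "$rc"
}

# Constructed sample of collected output (not from a real server).
SAMPLE_OK='ldap_starttls_supported = 1
zimbra_require_interprocess_security = 1
ldap_starttls_required = true
# name mail.example.test
zimbraMailMode: https
zimbraReverseProxyMailMode: https
zimbraReverseProxySSLToUpstreamEnabled: TRUE
zimbraResponseHeader: Strict-Transport-Security: max-age=31536000'

# Same sample with two regressions: mixed mail mode and no HSTS header.
SAMPLE_BAD=$(printf '%s\n' "$SAMPLE_OK" |
    sed -e 's/^zimbraMailMode: https$/zimbraMailMode: both/' -e '/^zimbraResponseHeader:/d')

audit_config "$SAMPLE_OK" && echo "sample OK: all settings match"
audit_config "$SAMPLE_BAD" || echo "sample BAD: settings above need attention"
```

On a server, the dump would be the combined output of zmlocalconfig for the three keys, zmprov gs `zmhostname` for the three server attributes and zmprov gcf zimbraResponseHeader, run as the zimbra user.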

So, by following our recommendations, you can not only achieve the highest score in the SSL connection security test, but also significantly increase the security of the entire Zimbra OSE infrastructure.

For all questions related to Zextras Suite, you can contact Zextras representative Ekaterina Triandafilidi by e-mail [email protected]

Source: www.habr.com
