Optimizing SSL connection security settings in Zimbra Collaboration Suite Open-Source Edition

Encryption strength is one of the most important indicators when using information systems for business, because every day they take part in transferring large amounts of confidential information. The generally accepted way to assess the quality of an SSL connection is the independent test from Qualys SSL Labs. Since anyone can run this test, it is especially important for SaaS providers to get the highest possible score on it. Not only SaaS providers but also ordinary businesses care about the quality of their SSL connection. For them, this test is a good opportunity to identify potential weaknesses and close every loophole for cybercriminals in advance.

Zimbra OSE allows two types of SSL certificates. The first is a self-signed certificate that is added automatically during installation. This certificate is free and has no time limit, which makes it suitable for testing Zimbra OSE or for using it only inside an internal network. However, when logging in to the web client, users will see a browser warning that the certificate is not trusted, and your server will fail the Qualys SSL Labs test.

The second is a commercial SSL certificate signed by a certificate authority. Such certificates are readily accepted by browsers and are usually used for commercial operation of Zimbra OSE. Immediately after a commercial certificate is installed correctly, Zimbra OSE 8.8.15 shows an A score in the Qualys SSL Labs test. This is an excellent result, but our goal is to reach A+.

To get the maximum score in the Qualys SSL Labs test when using Zimbra Collaboration Suite Open-Source Edition, you need to complete several steps:

1. Increasing the Diffie-Hellman protocol parameters

By default, all Zimbra OSE 8.8.15 components that use OpenSSL have their Diffie-Hellman protocol settings set to 2048 bits. In principle, this is enough to get an A+ score in the Qualys SSL Labs test. However, if you are upgrading from older versions, the settings may be lower. It is therefore recommended that, once the upgrade is complete, you run the command zmdhparam set -new 2048, which raises the Diffie-Hellman parameters to the acceptable 2048 bits. If you wish, you can use the same command to raise the parameters to 3072 or 4096 bits, which on the one hand increases generation time, but on the other hand has a positive effect on the security level of the mail server.

2. Enabling the recommended list of ciphers

By default, Zimbra Collaboration Suite Open-Source Edition supports a wide range of strong and weak ciphers that encrypt the data passing over a secure connection. However, the use of weak ciphers is a serious drawback when the security of an SSL connection is checked. To avoid it, you need to configure the list of ciphers in use.

To do this, use the following command:

zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

This command enables the whole set of recommended ciphers at once: in a single step it adds the reliable ciphers to the list and excludes the unreliable ones. All that remains is to restart the reverse proxy nodes with the zmproxyctl restart command. After the restart, the changes take effect.

If this list does not suit you for some reason, you can remove weak ciphers from it with the zmprov mcf +zimbraSSLExcludeCipherSuites command. For example, the following command completely disables the use of RC4 ciphers:

zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA

The same can be done with AES and 3DES ciphers.
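When the recommended list is edited by hand, it is worth confirming that no exclusion was dropped and no weak token slipped in before the list is passed to zmprov. The script below is an added example, not part of the original article or of Zimbra's tooling; the function names and the shortened SAMPLE list are constructed, and the third check (tokens not limited to ephemeral key exchange) goes slightly beyond the weak-cipher check the text describes.

```shell
#!/bin/sh
# Added example (not from the article): sanity-check an OpenSSL cipher string
# before handing it to `zmprov mcf zimbraReverseProxySSLCiphers`.
# All function names are hypothetical helpers.

# Exclusions that close the article's recommended list.
REQUIRED_EXCLUSIONS='!aNULL !eNULL !EXPORT !DES !MD5 !PSK !RC4'

# Print each required exclusion that is absent from cipher string $1.
missing_exclusions() {
    for ex in $REQUIRED_EXCLUSIONS; do
        case ":$1:" in
            *":$ex:"*) ;;
            *) printf '%s\n' "$ex" ;;
        esac
    done
}

# Print tokens that positively enable an algorithm the list means to exclude.
weak_enabled() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -v '^[!-]' |
        grep -E 'RC4|MD5|NULL|EXP|PSK|(^|-)(3)?DES(-|$)' || true
}

# Print tokens not restricted to ephemeral (EC)DHE key exchange: static-RSA
# suites and broad aliases (AES128, HIGH) that can also select suites
# without forward secrecy.
not_ephemeral_only() {
    printf '%s\n' "$1" | tr ':' '\n' | while IFS= read -r tok; do
        case "$tok" in
            ''|'!'*|-*) ;;    # empty token or exclusion/removal
            ECDHE-*|DHE-*|EDH*|EECDH*|kEDH*|kEECDH*|kDHE*|kECDHE*) ;;
            *) printf '%s\n' "$tok" ;;
        esac
    done
}

# Constructed sample: a shortened list where "!RC4" was dropped by mistake.
SAMPLE='ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:AES128:RC4-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK'
echo "missing exclusions: $(missing_exclusions "$SAMPLE" | tr '\n' ' ')"
echo "weak tokens:        $(weak_enabled "$SAMPLE" | tr '\n' ' ')"
echo "not (EC)DHE-only:   $(not_ephemeral_only "$SAMPLE" | tr '\n' ' ')"
```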

3. Enable HSTS

Enabled mechanisms for forcing connection encryption and for TLS session resumption are also required to get a perfect score in the Qualys SSL Labs test. To enable them, enter the following command:

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"

This command adds the necessary header to the configuration. For the new settings to take effect, you need to restart Zimbra OSE with the zmcontrol restart command.
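After the restart, the header can be verified from the response headers the server actually sends. The script below is an added example, not part of the original article; the function names are hypothetical and the three sample responses are constructed, not captured from a real server.

```shell
#!/bin/sh
# Added example (not from the article): check that a response carries the
# HSTS header configured through zimbraResponseHeader.
# Function names are hypothetical. Against your own server the input would
# come from something like: curl -sI https://<your-host>/ | hsts_check 31536000

# Read raw HTTP response headers on stdin; print the HSTS max-age in seconds.
# Returns 1 if the header or its max-age directive is absent.
hsts_max_age() {
    tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security:/ {
            line = tolower($0)          # header and directive names are case-insensitive
            if (match(line, /max-age[ \t]*=[ \t]*[0-9]+/)) {
                v = substr(line, RSTART, RLENGTH)
                gsub(/[^0-9]/, "", v)   # keep only the number of seconds
                print v
                found = 1
                exit
            }
        }
        END { exit (found ? 0 : 1) }'
}

# Succeed only if HSTS is present with max-age >= $1 (seconds).
hsts_check() {
    min=$1
    age=$(hsts_max_age) || { echo "FAIL: no Strict-Transport-Security max-age"; return 1; }
    if [ "$age" -lt "$min" ]; then
        echo "FAIL: max-age=$age is below $min"
        return 1
    fi
    echo "OK: max-age=$age"
}

# Constructed sample responses.
GOOD=$(printf 'HTTP/1.1 200 OK\r\nstrict-transport-security: max-age=31536000\r\n\r\n')
SHORT=$(printf 'HTTP/1.1 200 OK\r\nStrict-Transport-Security: max-age=300\r\n\r\n')
NONE=$(printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n')

# 31536000 seconds (one year) is the value used in the article's command.
for resp in "$GOOD" "$SHORT" "$NONE"; do
    printf '%s\n' "$resp" | hsts_check 31536000 || true
done
```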

Already at this stage, the Qualys SSL Labs test will show an A+ rating, but if you want to improve the security of your server further, there are a number of other measures you can take.

For example, you can enable forced encryption of inter-process connections, and you can also enable forced encryption when connecting to Zimbra OSE services. For inter-process connections, enter the following commands:

zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_required=true

To enable forced encryption, you need to enter:

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

As a result of these commands, all connections between the proxy servers and the mail servers will be encrypted, and all of these connections will be proxied.

Thus, by following our recommendations, you can not only get the highest score in the SSL connection security test, but also significantly increase the security of the entire Zimbra OSE infrastructure.

For all questions related to Zextras Suite, you can contact Zextras representative Ekaterina Triandafilidi by e-mail [email protected]

Source: www.habr.com
