Improving the SSL connection security settings in Zimbra Collaboration Suite Open-Source Edition

Encryption strength is one of the most important indicators when information systems are used in a business, because every day they take part in transferring a large amount of confidential information. A generally accepted way of assessing the quality of an SSL connection is the independent test from Qualys SSL Labs. Since anyone can run this test, it is very important for SaaS providers to get the highest possible score on it. Not only SaaS providers, but also ordinary businesses care about the quality of their SSL connections. For them, this test is an excellent opportunity to identify potential weaknesses and close all the loopholes for cybercriminals in advance.

Zimbra OSE allows two types of SSL certificates. The first is a self-signed certificate that is added automatically during installation. This certificate is free and has no expiry, which makes it suitable for testing Zimbra OSE or for using it only inside the internal network. However, when logging into the web client, users will see a browser warning that this certificate is not trusted, and your server will certainly fail the Qualys SSL Labs test.

The second is a commercial SSL certificate signed by a certificate authority. Such certificates are readily accepted by browsers and are usually used for commercial deployments of Zimbra OSE. Immediately after a commercial certificate has been installed correctly, Zimbra OSE 8.8.15 shows an A rating in the Qualys SSL Labs test. This is a very good result, but our goal is to get an A+.


To get the highest score in the Qualys SSL Labs test when using Zimbra Collaboration Suite Open-Source Edition, you need to complete a number of steps:

1. Increase the Diffie-Hellman protocol parameters

By default, all components of Zimbra OSE 8.8.15 that use OpenSSL have the Diffie-Hellman parameter size set to 2048 bits. In principle, this is more than enough to get an A+ rating in the Qualys SSL Labs test. However, if you are upgrading from older versions, the setting may be lower. Therefore, it is recommended that after the upgrade is complete you run the command zmdhparam set -new 2048, which raises the Diffie-Hellman parameters to the acceptable 2048 bits. If you wish, you can use the same command to increase the parameter size to 3072 or 4096 bits, which on the one hand increases the generation time, but on the other hand has a positive effect on the security level of the mail server.

2. Include the recommended list of ciphers to use

By default, Zimbra Collaboration Suite Open-Source Edition supports a wide range of both strong and weak ciphers for encrypting the data that passes over the secure connection. However, the use of weak ciphers is a big problem when it comes to SSL connection security. To avoid this, you need to configure the list of ciphers that are used.

To do this, use the following command:

zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

This command replaces the cipher list with the recommended set at once: the trusted ciphers are included and the untrusted ones are left out. Now all that remains is to restart the reverse proxy nodes with the zmproxyctl restart command. After the restart, the changes will take effect.

If for one reason or another this list does not suit you, you can remove a number of weak ciphers from it using the command zmprov mcf +zimbraSSLExcludeCipherSuites. So, for example, the command zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA will completely exclude the use of RC4 ciphers. The same can be done with the AES and 3DES ciphers.

3. Enable HSTS

Mechanisms for enforcing connection encryption and TLS session resumption are also required to achieve a perfect score in the Qualys SSL Labs test. To enable them, you need to enter the command zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000". This command adds the required header to the configuration, and for the new settings to take effect you will need to restart Zimbra OSE using the zmcontrol restart command.

Already at this stage, the Qualys SSL Labs test will show an A+ rating, but if you want to improve the security of your server further, there are other steps you can take.
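After applying steps 1 to 3, the result can be verified from outside the server without waiting for a full SSL Labs run. The script below is an added example, not part of the article or of Zimbra: it parses the text printed by openssl s_client and curl, so the three checks can be exercised offline on constructed lines, and it only contacts a real host when the placeholder variable ZIMBRA_HOST is set.

```shell
#!/bin/sh
# Added verification helper (not from the article or Zimbra). Each check
# parses output of `openssl s_client` / `curl -sI`, so it also runs offline.

# Step 1 check: the "Server Temp Key" line must show DH of at least 2048 bits
# or an elliptic-curve exchange (ECDH / X25519 / X448).
tmpkey_ok() {
    kind=$(printf '%s\n' "$1" | sed -n 's/^ *Server Temp Key: *\([A-Za-z0-9]*\).*/\1/p')
    bits=$(printf '%s\n' "$1" | sed -n 's/.*, *\([0-9][0-9]*\) bits.*/\1/p')
    case "$kind" in
        DH) [ -n "$bits" ] && [ "$bits" -ge 2048 ] ;;
        ECDH|X25519|X448) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 2 check: the negotiated "Cipher :" line must not belong to a family
# the article's cipher string excludes (RC4, DES/3DES, MD5, NULL, EXPORT).
cipher_ok() {
    c=$(printf '%s\n' "$1" | sed -n 's/^ *Cipher *: *\([A-Z0-9-]*\).*/\1/p')
    case "$c" in
        ''|*RC4*|*DES*|*MD5*|*NULL*|*EXP*) return 1 ;;
    esac
    return 0
}

# Step 3 check: response headers must carry Strict-Transport-Security with
# max-age of at least 31536000 seconds (the value the article configures).
hsts_ok() {
    age=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^strict-transport-security:' \
          | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    [ -n "$age" ] && [ "$age" -ge 31536000 ]
}

# Live run only when ZIMBRA_HOST is set (placeholder, e.g. mail.example.com).
if [ -n "${ZIMBRA_HOST:-}" ]; then
    out=$(openssl s_client -connect "$ZIMBRA_HOST:443" -servername "$ZIMBRA_HOST" </dev/null 2>/dev/null)
    tmpkey_ok "$(printf '%s\n' "$out" | grep 'Server Temp Key')" && echo "DH/ECDH: ok" || echo "DH/ECDH: weak"
    cipher_ok "$(printf '%s\n' "$out" | grep '^ *Cipher *:')" && echo "cipher: ok" || echo "cipher: weak"
    hsts_ok "$(curl -sI "https://$ZIMBRA_HOST/")" && echo "HSTS: ok" || echo "HSTS: missing or too short"
fi
```

The offline checks cover only what the three steps change; interprocess encryption and the mail mode settings described below are not visible from the outside this way.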


For example, you can enable mandatory encryption of interprocess communication, and you can make encryption mandatory when connecting to Zimbra OSE services. To encrypt interprocess connections, enter the following commands:

zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_required=true

To make encrypted connections mandatory, enter:

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

Thanks to these commands, all connections to the proxy servers and mail servers will be encrypted, and all of them will pass through the proxy.


Thus, by following our recommendations, you can not only achieve the highest score in the SSL connection security test, but also significantly increase the security of the Zimbra OSE infrastructure as a whole.

For all questions related to Zextras Suite, you can contact the Zextras Representative Ekaterina Triandafilidi by e-mail at [email protected]

source: www.habr.com
