Improving SSL connection security settings in Zimbra Collaboration Suite Open-Source Edition

Encryption strength is one of the most important indicators when using information systems for business, because every day they are involved in transmitting huge amounts of confidential information. A generally accepted way of assessing the quality of an SSL connection is the independent test from Qualys SSL Labs. Since anyone can run this test, it is especially important for SaaS providers to get the highest possible score on it. Not only SaaS providers but also ordinary enterprises care about the quality of their SSL connections. For them, this test is an excellent opportunity to identify potential weaknesses and close all loopholes for cybercriminals in advance.

Zimbra OSE allows two types of SSL certificates. The first is a self-signed certificate that is added automatically during installation. This certificate is free and has no time limit, which makes it ideal for testing Zimbra OSE or for using it exclusively within an internal network. However, when logging in to the web client, users will see a browser warning that this certificate is not trusted, and your server will definitely fail the Qualys SSL Labs test.

The second is a commercial SSL certificate signed by a certificate authority. Such certificates are readily accepted by browsers and are usually used for commercial deployments of Zimbra OSE. Immediately after a correct installation of a commercial certificate, Zimbra OSE 8.8.15 shows an A score in the Qualys SSL Labs test. This is an excellent result, but our goal is to achieve an A+.

To achieve the maximum score in the Qualys SSL Labs test when using Zimbra Collaboration Suite Open-Source Edition, you must complete a number of steps:

1. Increasing the Diffie-Hellman protocol parameters

By default, all Zimbra OSE 8.8.15 components that use OpenSSL have their Diffie-Hellman protocol parameters set to 2048 bits. In principle, this is more than enough to get an A+ score in the Qualys SSL Labs test. However, if you are upgrading from older versions, the settings may be lower. It is therefore recommended that, once the update is complete, you run the command zmdhparam set -new 2048, which will raise the Diffie-Hellman parameters to an acceptable 2048 bits. If you wish, you can use the same command to increase the parameters to 3072 or 4096 bits, which on the one hand will lengthen generation time, but on the other hand will have a positive effect on the security level of the mail server.

2. Enabling the recommended list of ciphers

By default, Zimbra Collaboration Suite Open-Source Edition supports a wide range of strong and weak ciphers, which encrypt the data passing over a secure connection. However, the use of weak ciphers is a serious disadvantage when the security of an SSL connection is checked. To avoid this, you need to configure the list of ciphers used.

To do this, use the command:

zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

This command sets the recommended cipher list in one step, adding the reliable ciphers to the list and excluding the unreliable ones. All that remains is to restart the reverse proxy nodes with the command zmproxyctl restart. After the restart, the changes will take effect.

If this list does not suit you for one reason or another, you can remove a number of weak ciphers from it using the command zmprov mcf +zimbraSSLExcludeCipherSuites. For example, the command zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA will completely eliminate the use of RC4 ciphers. The same can be done with AES and 3DES ciphers.
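The cipher list from step 2 can be read entry by entry before it is applied. The script below is an added example, not part of the original article or of Zimbra; the function names are hypothetical, and the labels are derived from the OpenSSL cipher names in this particular list only.

```sh
#!/bin/sh
# Added example (not from the article): label each entry of the cipher string by name.
# CIPHERS is the list from the zmprov command in step 2; function names are hypothetical.
CIPHERS='ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

# classify_cipher ENTRY -> exclude | alias | fs-aead | fs-cbc | nofs
classify_cipher() {
    case "$1" in
        '!'*)                       echo exclude ;;  # removal rule, e.g. !RC4
        HIGH|AES128|AES256|kEDH+*)  echo alias ;;    # expands to several suites
        ECDHE-*GCM*|DHE-*GCM*)      echo fs-aead ;;  # ephemeral key exchange + AES-GCM
        ECDHE-*|DHE-*)              echo fs-cbc ;;   # ephemeral key exchange + AES-CBC
        *)                          echo nofs ;;     # no key-exchange prefix: RSA, no forward secrecy
    esac
}

# count_class CLASS CIPHER_STRING -> number of entries in that class
count_class() {
    n=0; old_ifs=$IFS; IFS=:
    for entry in $2; do
        if [ "$(classify_cipher "$entry")" = "$1" ]; then n=$((n + 1)); fi
    done
    IFS=$old_ifs
    echo "$n"
}

# review_entries CIPHER_STRING -> aliases and non-forward-secret entries, space separated
review_entries() {
    out=; old_ifs=$IFS; IFS=:
    for entry in $1; do
        case "$(classify_cipher "$entry")" in
            alias|nofs) out="${out:+$out }$entry" ;;
        esac
    done
    IFS=$old_ifs
    echo "$out"
}

for class in fs-aead fs-cbc nofs alias exclude; do
    printf '%-8s %s\n' "$class" "$(count_class "$class" "$CIPHERS")"
done
echo "review: $(review_entries "$CIPHERS")"
```

Running `openssl ciphers -v "$CIPHERS"` expands the same string into the exact suites that the local OpenSSL build would offer, including everything the aliases at the end of the list pull in.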

3. Enabling HSTS

Mechanisms for forcing connection encryption and for TLS session recovery are also required to achieve a perfect score in the Qualys SSL Labs test. To enable them, enter the command zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000". This command adds the required header to the configuration, and for the new settings to take effect you will have to restart Zimbra OSE using the command zmcontrol restart.
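After the restart, the header can be checked from any client. The script below is an added example, not part of the original article or of Zimbra; the function names, the sample responses and the 180-day default minimum are assumptions.

```sh
#!/bin/sh
# Added example (not from the article): check the HSTS header in a response.
# Function names, sample responses and the 180-day default are assumptions.

# hsts_max_age: HTTP response headers on stdin -> max-age in seconds, or nothing
hsts_max_age() {
    tr -d '\r' | awk '
        tolower($0) ~ /^strict-transport-security:/ {
            line = tolower($0)
            sub(/^[^:]*:/, "", line)              # drop the header name
            n = split(line, parts, ";")           # directives are ;-separated
            for (i = 1; i <= n; i++) {
                d = parts[i]
                gsub(/[ \t"]/, "", d)             # strip spaces and quotes
                if (d ~ /^max-age=[0-9]+$/) { sub(/^max-age=/, "", d); print d; exit }
            }
        }'
}

# hsts_ok [MIN_SECONDS]: headers on stdin; succeeds if max-age >= MIN_SECONDS
hsts_ok() {
    min=${1:-15552000}                            # assumed minimum: 180 days
    age=$(hsts_max_age)
    [ -n "$age" ] && [ "$age" -ge "$min" ]
}

# Constructed sample responses (not captured from a real server)
SAMPLE_OK='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000
Content-Type: text/html'
SAMPLE_SHORT='HTTP/1.1 200 OK
strict-transport-security: includeSubDomains; max-age="300"
Content-Type: text/html'
SAMPLE_NONE='HTTP/1.1 200 OK
Content-Type: text/html'

for name in SAMPLE_OK SAMPLE_SHORT SAMPLE_NONE; do
    eval "resp=\$$name"
    if printf '%s\n' "$resp" | hsts_ok; then echo "$name: pass"; else echo "$name: FAIL"; fi
done
```

Against a live server, pipe the response headers into the function, for example `curl -sI https://mail.example.com/ | hsts_ok`, where the host name is a placeholder.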

Already at this stage, the Qualys SSL Labs test will show an A+ rating, but if you want to improve your server's security further, there are a number of other measures you can take.

For example, you can enable encryption of interprocess connections, and you can also enable forced encryption when connecting to Zimbra OSE services. To have interprocess connections checked, enter the following commands:

zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_required=true

To enable forced encryption, enter:

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

Thanks to these commands, all connections to the proxy servers and mail servers will be encrypted, and all of these connections will be proxied.

Thus, by following our recommendations, you can not only achieve the highest score in the SSL connection security test, but also significantly increase the security of the entire Zimbra OSE infrastructure.

For all questions related to Zextras Suite, you can contact Zextras representative Ekaterina Triandafilidi by e-mail at [email protected]

Source: www.habr.com