Improving the SSL connection security settings in Zimbra Collaboration Suite Open-Source Edition

Encryption strength is one of the most important indicators when operating enterprise information systems, because every day they are involved in transferring a huge amount of confidential information. The generally accepted way to assess the quality of an SSL connection is the independent test from Qualys SSL Labs. Since anyone can run this test, it is very important for SaaS providers to get the highest possible score in it. Not only SaaS providers but also ordinary enterprises care about the quality of their SSL connections. For them, this test is an excellent opportunity to identify potential vulnerabilities and close all loopholes for cybercriminals in advance.

Zimbra OSE allows two types of SSL certificates. The first is a self-signed certificate, which is installed automatically during setup. This certificate is free and has no time limit, which makes it suitable for testing Zimbra OSE or for using it only inside an internal network. However, when logging in to the web client, users will see a browser warning that this certificate is not trusted, and your server will certainly fail the Qualys SSL Labs test.

The second is a commercial SSL certificate signed by a certificate authority. Such certificates are readily accepted by browsers and are normally used for commercial deployments of Zimbra OSE. Immediately after correct installation of a commercial certificate, Zimbra OSE 8.8.15 shows an A score in the Qualys SSL Labs test. This is a very good result, but our goal is to achieve an A+.

To achieve the highest score in the Qualys SSL Labs test when using Zimbra Collaboration Suite Open-Source Edition, you need to complete a number of steps:

1. Increase the Diffie-Hellman protocol parameters

By default, all Zimbra OSE 8.8.15 components that use OpenSSL have their Diffie-Hellman protocol parameters set to 2048 bits. In principle, this is more than enough to get an A+ score in the Qualys SSL Labs test. However, if you upgrade from older versions, the settings may be lower. It is therefore recommended that, after completing the update, you run the command zmdhparam set -new 2048, which raises the Diffie-Hellman protocol parameters to the acceptable 2048 bits. If you wish, the same command lets you increase the parameter size to 3072 or 4096 bits, which increases the generation time but, on the other hand, has a positive effect on the security level of the mail server.

2. Enable the recommended list of ciphers

By default, Zimbra Collaboration Suite Open-Source Edition supports a wide range of both strong and weak ciphers for encrypting the data that passes over a secure connection. However, the use of weak ciphers is a serious drawback when the security of an SSL connection is assessed. To avoid this, you need to configure the list of ciphers in use.

To do this, run the command:

zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

This command puts the recommended set of ciphers into effect at once: it adds the reliable ciphers to the list and removes the unreliable ones. All that remains is to restart the reverse proxy nodes with the zmproxyctl restart command. After the restart, the changes take effect.

If this list does not suit you for one reason or another, you can remove the weak ciphers from it with the command zmprov mcf +zimbraSSLExcludeCipherSuites. For example, the following command completely eliminates the use of RC4 ciphers:

zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA

The same can be done with the AES and 3DES ciphers.
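An added audit script (written for this page, not Zimbra's code and not from the original article) that checks a cipher string of this kind before it is applied with zmprov: it lists explicitly enabled suites whose names still carry a weak algorithm, entries without forward-secret key exchange, and any of the article's negations that are missing. The LEGACY string it also checks is constructed.

```python
# Added example, not Zimbra code and not from the original article: audit an
# OpenSSL-style cipher string (e.g. the zimbraReverseProxySSLCiphers value) before
# applying it. It works on suite names only and does not expand aliases such as
# HIGH or AES128; confirm the resolved list with "openssl ciphers -v '<string>'".

# Negations the recommended list relies on to drop weak suites hidden in aliases.
REQUIRED_NEGATIONS = ("!aNULL", "!eNULL", "!EXPORT", "!DES", "!MD5", "!PSK", "!RC4")
# Substrings marking a suite name as weak. "DES" also hits 3DES names such as
# DES-CBC3-SHA; in OpenSSL "!DES" alone does not remove those, "!3DES" does.
WEAK_MARKERS = ("NULL", "EXPORT", "DES", "MD5", "PSK", "RC4")
# Key-exchange prefixes that provide forward secrecy; the rest use static RSA.
PFS_PREFIXES = ("ECDHE-", "DHE-", "kEDH")


def audit_cipher_string(cipher_string):
    """Split a ':'-separated cipher string and report what a reviewer should check."""
    tokens = [t.strip() for t in cipher_string.split(":") if t.strip()]
    enabled = [t for t in tokens if not t.startswith("!")]
    negated = [t for t in tokens if t.startswith("!")]
    return {
        "enabled": enabled,
        # explicitly listed suites that still name a weak algorithm
        "weak_enabled": [c for c in enabled if any(m in c for m in WEAK_MARKERS)],
        # entries without ECDHE/DHE key exchange: no forward secrecy, keep them last
        "non_pfs": [c for c in enabled if not c.startswith(PFS_PREFIXES)],
        # negations from the recommended list absent from this string
        "missing_negations": [n for n in REQUIRED_NEGATIONS if n not in negated],
    }


# The list recommended in the article, exactly as passed to zmprov mcf.
RECOMMENDED = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)
# Constructed legacy string of the kind an upgraded server might still carry.
LEGACY = "RC4-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-GCM-SHA256"

if __name__ == "__main__":
    for label, value in (("recommended", RECOMMENDED), ("legacy", LEGACY)):
        report = audit_cipher_string(value)
        print(label, "weak:", report["weak_enabled"], "missing:", report["missing_negations"])
```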

3. Enable HSTS

The mechanisms that force connection encryption and TLS session resumption must also be enabled to get a perfect score in the Qualys SSL Labs test. To enable them, enter the command zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000". This command adds the required header to the configuration; for the new settings to take effect, restart Zimbra OSE with the zmcontrol restart command.
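An added check (written for this page, not Zimbra's code and not from the original article) that parses a captured HTTP response, for example the output of curl -sI against the mail host after the restart, and confirms that the Strict-Transport-Security header is present with a max-age of at least the 31536000 seconds used above. Both responses embedded in the block are constructed.

```python
# Added example, not Zimbra code and not from the original article: confirm that
# the header added with "zmprov mcf +zimbraResponseHeader" is really emitted after
# the restart, by parsing a captured HTTP response. The responses below are
# constructed; in practice feed in the output of "curl -sI https://<zimbra host>/".

MIN_MAX_AGE = 31536000  # the one-year value used in the article


def parse_hsts(raw_response, min_max_age=MIN_MAX_AGE):
    """Return a dict describing Strict-Transport-Security, or None if absent."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "strict-transport-security":
            continue
        directives = {}
        for part in value.split(";"):  # e.g. max-age=31536000; includeSubDomains
            key, _, val = part.strip().partition("=")
            if key:
                directives[key.lower()] = val.strip().strip('"')
        try:
            max_age = int(directives.get("max-age", ""))
        except ValueError:
            max_age = None  # missing or malformed max-age: header is ineffective
        return {
            "max_age": max_age,
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives,
            "ok": max_age is not None and max_age >= min_max_age,
        }
    return None


# Constructed responses: before and after the zimbraResponseHeader change.
BEFORE = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n<html>"
AFTER = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
         "Strict-Transport-Security: max-age=31536000\r\n"
         "Content-Type: text/html\r\n\r\n<html>")

if __name__ == "__main__":
    print("before:", parse_hsts(BEFORE))
    print("after: ", parse_hsts(AFTER))
```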

Already at this stage, the Qualys SSL Labs test shows an A+ rating, but if you want to improve the security of your server further, there are a number of other steps you can take.

For example, you can enable forced encryption of interprocess connections, and you can enable forced encryption for connections to Zimbra OSE services. To encrypt interprocess connections, enter the following commands:

zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_required=true

To enable forced encryption, you need to enter:

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

As a result of these commands, all connections to the proxy servers and mail servers will be encrypted, and all of these connections will be proxied.

Thus, by following our recommendations, you can not only achieve the highest score in the SSL connection security test, but also significantly increase the security of the entire Zimbra OSE infrastructure.

For all questions related to Zextras Suite, you can contact the Zextras Representative Ekaterina Triandafilidi by e-mail at [email protected]

Source: www.habr.com