SOLVED: Z-Push Zimbra Backend, change from SSLv3 (Poodle) to TLS?

[johnroberts]

Hi All,

Due to the recent security problem found in SSLv3, otherwise known as Poodle, we want to disable this on our Zimbra servers to force use of TLS instead.

Unfortunately when we did that our Z-Push connections went down as Z-Push Zimbra Backend is using SSLv3 to communicate with the Zimbra server.

Does anyone know if it is possible to modify the configuration of Z-Push Zimbra Backend to use TLS instead of the now untrusted SSLv3? I've tried to have a look at this but don't know if its simply a case or defining 'CURLOPT_SSL_CIPHER_LIST = TLSv1' and removing 'CURLOPT_SSLVERSION = 3'.

Thanks for any replies.

[johnroberts]

According to here:

[View:http://stackoverflow.com/questions/26378351/error1408f10bssl-routinesssl3-get-recordwrong-version-number-paypal-maybe:0:0]

setting

curl_setopt($this->_curl, CURLOPT_SSLVERSION, 3 )

to 1, ie.

curl_setopt($this->_curl, CURLOPT_SSLVERSION, 1 )

should change to use TLS...

Unfortunately I don't have any means of trying it without setting up another Zimbra machine as a test bed.

Has anyone else had a go at this?

[johnroberts]

We finally got this working.

PHP, used by Z-PUSH and Zimbra backend will support TLS automatically from we can see. The issue is that in Zimbra backend (zimbra.php) is forcing it to use SSLv3 by the line:
curl_setopt($this->_curl, CURLOPT_SSLVERSION, 3 );

According to the comments, this was added to version 59 to avoid some errors on Ubuntu. I’m not too sure what this refers to, as we have always used Ubuntu and never noticed any problems.

Anyway with this line removed it should let PHP SOAP requests negotiate its own encryption and therefore use TLS and not the forced SSLv3.

Summary:

1. Remove SSLVERSION line from zimbra.php in ‘z-push-2/backend/zimbra’.
2. Follow Wiki on disabling SSLv3 in Zimbra here https://wiki.zimbra.com/wiki/How_to_disable_SSLv3
3. Stop web server on z-push server(s).
4. Restart Zimbra completely.
5. Restart web server on z-push server(s).

Cheers

[liverpoolfcfan]

Thanks for the follow-up to your own post.



I will remove this line from Release 61

[avea2003]

Make all what you write, but have only

After update SSLv3 POODLE in my Zimbra 8.5 GA 3050 Ubuntu 12.04 and Install release 61 I have next error:

20/10/2014 15:41:05 [ 2404] [ERROR] [user] Zimbra->SoapRequest(): ERROR: curl_exec - (35) Unknown SSL protocol error in connection to mail.server.com:443

20/10/2014 15:41:05 [ 2404] [ERROR] [user] Zimbra->Logon(): END LoLogon { connected = false }

And no have connection, error in user or pass.

What I make wrong

[johnroberts]

We had problems like the above and I think it was linked to the fact that the Z-push servers had not been stopped prior to SSLv3 being blocked, Zimbra restarted, then Z-Push servers restarted.

I'm not an expert on this but I think the Z-Push connections stay active. If they are not stopped prior to Zimbra having SSLv3 disabled and then being restarted, the currently active connections will carry on trying to use SSLv3.

Please follow this, the order is important:

1. Remove SSLVERSION line from zimbra.php in ‘z-push-2/backend/zimbra’.
2. Follow Wiki on disabling SSLv3 in Zimbra here https://wiki.zimbra.com/wiki/How_to_disable_SSLv3 (don't restart anything at this stage)
3. Stop web server on z-push server(s).
4. Restart Zimbra completely.
5. Restart web server on z-push server(s).

I hope this helps.

[liverpoolfcfan]

Release 61 of the Z-Push Zimbra Backend is now available on SourceForge (https://sourceforge.net/projects/zimbrabackend/). It has removed the setting of CURLOPT_SSLVERSION among other changes. Thanks for reporting the issue/solution.