What are the benefits of using Zimbra OpenSSL in FIPS mode?

If you installed or upgraded to Zimbra version 9.0.0.P34, 8.8.15.P41, 10.0.2 or higher, Zimbra will use OpenSSL 3.0.x and FIPS compliance for OpenSSL will be enabled by default.

To check whether your Zimbra OpenSSL is using FIPS, run the following command, which should fail with "Error setting digest":

/opt/zimbra/common/bin/openssl md5 /dev/null
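
A scripted form of this check, as an added example that is not from the original post: it adds a SHA-256 run as a positive control, so a missing or broken binary is not mistaken for FIPS enforcement. The function name fips_state and its state labels are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): classify an OpenSSL binary by
# how it handles MD5, the check described above.
# fips_state and its state labels are names chosen for this example.
# Prints: fips-enforced | not-enforced | broken | missing
# Returns: 0 only when FIPS enforcement is confirmed.

fips_state() {
    fs_bin="$1"

    # The binary has to exist and be executable before any result means anything.
    command -v "$fs_bin" >/dev/null 2>&1 || { echo missing; return 3; }

    # Positive control: SHA-256 is FIPS-approved, so it must work in both
    # modes. If it fails, an MD5 failure would prove nothing.
    "$fs_bin" sha256 /dev/null >/dev/null 2>&1 || { echo broken; return 2; }

    # Negative control: MD5 is not FIPS-approved.
    # The "&& ... || ..." form keeps this safe under "set -e".
    fs_out=$("$fs_bin" md5 /dev/null 2>&1) && fs_rc=0 || fs_rc=$?

    if [ "$fs_rc" -eq 0 ]; then
        echo not-enforced; return 1
    fi
    case "$fs_out" in
        *"Error setting digest"*) echo fips-enforced; return 0 ;;
    esac
    echo broken; return 2
}

# Check the Zimbra binary from the article unless another path is given.
fips_state "${1:-/opt/zimbra/common/bin/openssl}" ||
    echo "FIPS enforcement not confirmed (exit status $?)" >&2
```

The exit status makes the function usable in a monitoring job: any non-zero result means FIPS enforcement could not be confirmed on that host.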

There are 2 main benefits for running OpenSSL in FIPS mode:

  1. You cannot accidentally use weak ciphers; see https://wiki.zimbra.com/wiki/Cipher_suites
  2. There will be fewer security issues in OpenSSL
  3. It is easier to maintain, as there is no longer a need to define cipher suites in most config files

For point 2, you can see the OpenSSL security notifications on this page: https://www.openssl.org/news/vulnerabilities-3.0.html and compare them to the ones that affect FIPS: https://www.openssl.org/news/fips-cve.html. As you can see, most security issues do not affect OpenSSL FIPS.

The drawback of using Zimbra OpenSSL in FIPS mode is that you can no longer use out-of-date protocols and ciphers such as TLS 1.0, and this will break connectivity to out-of-date devices running, for example, Windows XP and Android 4.

Zimbra highly recommends running Zimbra OpenSSL in FIPS mode. For more information see: https://wiki.zimbra.com/wiki/FIPS


Copyright © 2022 Zimbra, Inc. All rights reserved.
