What are the benefits of using Zimbra OpenSSL in FIPS mode?

If you installed or upgraded to Zimbra version 9.0.0.P34, 8.8.15.P41, 10.0.2 or higher, Zimbra will use OpenSSL 3.0.x and FIPS compliance for OpenSSL will be enabled by default.

To check if your Zimbra OpenSSL is using FIPS you can run the following command, that should fail with Error setting digest:

/opt/zimbra/common/bin/openssl md5 /dev/null

There are 2 main benefits for running OpenSSL in FIPS mode:

  1. You can not accidentally use weak ciphers see https://wiki.zimbra.com/wiki/Cipher_suites
  2. There will be less security issues in OpenSSL
  3. Easier to maintain as there is no more need to define cipher suites in most config files

For point 2, you can see the security notifications of OpenSSL on this page: https://www.openssl.org/news/vulnerabilities-3.0.html and compare them to the ones that are affecting FIPS: https://www.openssl.org/news/fips-cve.html as you can see most security issues are not affecting OpenSSL FIPS.

The drawback of using Zimbra OpenSSL in FIPS mode is that you can no longer use out-of-date protocols and ciphers such as TLS 1.0 and this will break connectivity to out-of-date devices running for example Windows XP and Android 4.

Zimbra highly recommends running Zimbra OpenSSL in FIPS mode. For more information see: https://wiki.zimbra.com/wiki/FIPS


, ,

No comments yet.

Leave a Reply

Copyright © 2022 Zimbra, Inc. All rights reserved.

All information contained in this blog is intended for informational purposes only. Synacor, Inc. is not responsible or liable in any manner for the use or misuse of any technical content provided herein. No specific or implied warranty is provided in association with the information or application of the information provided herein, including, but not limited to, use, misuse or distribution of such information by any user. The user assumes any and all risk pertaining to the use or distribution in any form of any subject matter contained in this blog.

Legal Information | Privacy Policy | Do Not Sell My Personal Information | CCPA Disclosures