Difference between revisions of "How to obtain an A+ in the Qualys SSL Labs Security Test"

(Created page with "{{WIP}}{{Article Infobox|{{admin}}|{{ZCS 8.7}}||{{ZCS 8.6}}|{{ZCS 8.0}}}} =How to obtain an A+ in the Qualys SSL Labs security test= ==Purpose== List the steps, per release, t...")
 
Line 1: Line 1:
{{WIP}}{{Article Infobox|{{admin}}|{{ZCS 8.7}}||{{ZCS 8.6}}|{{ZCS 8.0}}}}
+
{{WIP}}{{Article Infobox|{{admin}}|{{ZCS 8.7}}|{{ZCS 8.6}}|{{ZCS 8.0}}}}
 
=How to obtain an A+ in the Qualys SSL Labs security test=
 
=How to obtain an A+ in the Qualys SSL Labs security test=
 
==Purpose==
 
==Purpose==
Line 54: Line 54:
  
 
===Zimbra Collaboration 8.0.9===
 
===Zimbra Collaboration 8.0.9===
Work in progress
+
====Generate a SSL Certiricate with SHA256====
 +
Per default, Zimbra Collaboration 8.0.x didn't generate a valid CSR with a 256bit hash. To force it, edit the next file as root:
 +
/opt/zimbra/bin/zmcertmgr
 +
 
 +
And change this line:
 +
${openssl} req -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
 +
 
 +
For the next one, adding the -sha256 to the OpenSSL command:
 +
${openssl} req -sha256 -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
 +
 
 +
Then you can generate the new CSR, this time with a SHA256, [https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools '''follow the next Wiki'''].
 +
 
 +
====Fix the Logjam issue====
 +
Zimbra Collaboration 8.0.9 can't fix the issue because the DH Cipher keysize is hardcoded in Java 1.7. But like recommendation, you can put a Zimbra Collaboration 8.6 proxy node in front of your environment if you have Single-Server, or if you have Multi-Server you can upgrade, only, your Proxy node to 8.6.
 +
 
 +
====Tune the Cipher list====
 +
You will want to disable the RC4, run the nex command:
 +
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5
 +
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA
 +
zmprov modifyConfig +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5
 +
zmprov modifyConfig +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA
 +
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
 +
zmcontrol restart
 +
 
 +
====Disable SSLv3 to fix the Poodle====
 +
Follow [http://wiki.zimbra.com/wiki/How_to_disable_SSLv3 '''the next Wiki to disable SSLv3'''] in your Zimbra Collaboration 8.0.x environment.
 +
 
 +
====The result====
 +
The result using a valid SSL commercial certificate, and Zimbra Collaboration 8.0.9 Proxy, in the SSL Labs test will be an F, so you need to think to use a Proxy based in 8.6 if you want to keep your environment secure:
 +
 
 +
[[File:Ssllabs-zimbra-8.0.9-002.png|800px]]
  
 
==Additional Content==
 
==Additional Content==
 
* Thank you to [http://managedhosting.de http://managedhosting.de] for the original wiki about disable logjam - [https://wiki.zimbra.com/wiki/Security/Collab/logjam https://wiki.zimbra.com/wiki/Security/Collab/logjam]
 
* Thank you to [http://managedhosting.de http://managedhosting.de] for the original wiki about disable logjam - [https://wiki.zimbra.com/wiki/Security/Collab/logjam https://wiki.zimbra.com/wiki/Security/Collab/logjam]
 +
* Thank you [http://blog.irontec.com/crear-certificados-ssl-con-firma-sha256-en-zimbra/ '''to Irontec to wrote the next Blog entry'''] about how to generate CSR with hash SHA256.
  
  
 
{{Article Footer|Zimbra Collaboration 8.7, 8.6, 8.5, 8.0|06/22/2015}}
 
{{Article Footer|Zimbra Collaboration 8.7, 8.6, 8.5, 8.0|06/22/2015}}
 
{{NeedSME|SME1|SME2|Copyeditor}}
 
{{NeedSME|SME1|SME2|Copyeditor}}

Revision as of 22:50, 22 June 2015

Admin Article

Article Information

This article applies to the following ZCS versions.

ZCS 8.7 Article ZCS 8.7ZCS 8.6 Article ZCS 8.6ZCS 8.0 Article ZCS 8.0


How to obtain an A+ in the Qualys SSL Labs security test

Purpose

List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.

Resolution

Until have an option in the Admin Console, all of this Wiki is using the CLI.

Zimbra Collaboration 8.7

Work in progress

Zimbra Collaboration 8.6 & 8.5

Fix the Logjam issue

Zimbra 8.6 has per default 1024-bit DH ciphers, as they are secure, the best practice is use at least 2048, and the Qualys SSL Labs test will give us the A+ using the correct ones.

Like root, create a new 2048 key, will take some minutes:

cd /opt/zimbra/conf
openssl dhparam -out dhparams.pem 2048
chown zimbra:zimbra dhparams.pem

Edit the next 2 files:

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

You need to add the next content, ssl_dhparam /opt/zimbra/conf/dhparams.pem;, before the include, will looks like:

ssl_verify_client       ${ssl.clientcertmode.default};
ssl_verify_depth        ${ssl.clientcertdepth.default};
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
include                 ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};

Tune the Cipher list

Like zimbra user, run the next command to tune the Ciphers and disable the RC4, etc:

zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

Restart the proxy

zmproxyctl restart

Strict Transport Security (HSTS)

Like roor user, edit the next file /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and add in the section server { the next content :

add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

Session resumption (caching)

Like roor user, add the next content after the add_header that you added in the previous step:

ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;

Then restart the proxy like zimbra user:

zmproxyctl restart

The result

The result in the SSL Labs test will be:

Zimbra86-aplus-001.png

Zimbra Collaboration 8.0.9

Generate a SSL Certiricate with SHA256

Per default, Zimbra Collaboration 8.0.x didn't generate a valid CSR with a 256bit hash. To force it, edit the next file as root:

/opt/zimbra/bin/zmcertmgr

And change this line:

${openssl} req -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \

For the next one, adding the -sha256 to the OpenSSL command:

${openssl} req -sha256 -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \

Then you can generate the new CSR, this time with a SHA256, follow the next Wiki.

Fix the Logjam issue

Zimbra Collaboration 8.0.9 can't fix the issue because the DH Cipher keysize is hardcoded in Java 1.7. But like recommendation, you can put a Zimbra Collaboration 8.6 proxy node in front of your environment if you have Single-Server, or if you have Multi-Server you can upgrade, only, your Proxy node to 8.6.

Tune the Cipher list

You will want to disable the RC4, run the nex command:

zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA
zmprov modifyConfig +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5
zmprov modifyConfig +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
zmcontrol restart

Disable SSLv3 to fix the Poodle

Follow the next Wiki to disable SSLv3 in your Zimbra Collaboration 8.0.x environment.

The result

The result using a valid SSL commercial certificate, and Zimbra Collaboration 8.0.9 Proxy, in the SSL Labs test will be an F, so you need to think to use a Proxy based in 8.6 if you want to keep your environment secure:

Ssllabs-zimbra-8.0.9-002.png

Additional Content


Verified Against: Zimbra Collaboration 8.7, 8.6, 8.5, 8.0 Date Created: 06/22/2015
Article ID: https://wiki.zimbra.com/index.php?title=How_to_obtain_an_A%2B_in_the_Qualys_SSL_Labs_Security_Test Date Modified: 2015-06-22



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Wiki/KB reviewed by SME1 SME2 Copyeditor Last edit by Jorge de la Cruz
Jump to: navigation, search