Difference between revisions of "How to obtain an A+ in the Qualys SSL Labs Security Test"

m (Strict Transport Security (HSTS) & Session resumption (caching))
 
(12 intermediate revisions by 2 users not shown)
Line 2: Line 2:
 
__FORCETOC__
 
__FORCETOC__
 
<div class="col-md-12 ibox-content">
 
<div class="col-md-12 ibox-content">
=Touch Client Feature for Zimbra Collaboration 8.5+=
+
= How to obtain an A+ in the Qualys SSL Labs security test =
{{KB|{{ZC}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}}
+
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 8.6}}|{{ZCS 8.0}}|}}
{{WIP}}
 
  
=How to obtain an A+ in the Qualys SSL Labs security test=
+
== Purpose ==
==Purpose==
 
 
List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.
 
List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.
  
==Resolution==
+
== Resolution ==
Until have an option in the Admin Console, all of this Wiki is using the CLI. '''Please note''' that obtain the best result in the SSL Labs test doesn't need to fits with your environment if you are still running old equipment like Windows XP, etc. Tune your environment according to your needs.
+
This wiki requires using the CLI as some options are not available via the Admin Console. '''Please note''': obtaining the best results via the SSL Labs test may not align with your business requirements or environment (e.g. you are still running old equipment like Windows XP, use older Java clients, etc.).  Tune your environment according to your needs.
  
===Zimbra Collaboration 8.7===
+
=== [[Security/Collab/87|Zimbra Collaboration 8.7.x]] & 8.8===
=====Fix the Logjam issue=====
+
ZCS 8.7.x/8.8 defaults to using a 2048-bit DH parameter ([https://bugzilla.zimbra.com/show_bug.cgi?id=99558 bug 99558]) which come from [http://tools.ietf.org/html/rfc3526#page-3 RFC3526 IKE 2048-bit PEM (group 14)] for anything in ZCS that utilizes OpenSSL.
Zimbra 8.7 has per default 1024-bit DH ciphers, as they are secure, the best practice is use at least 2048, and the Qualys SSL Labs test will give us the A+ using the correct ones.
 
  
Like '''root''', create a new 2048 key, will take some minutes:
+
==== Custom or Stronger DH Parameters ====
  cd /opt/zimbra/conf
+
In 8.7.x you can generate new/custom DH parameters using a new utility '''zmdhparam''' which calls openssl dhparam.
openssl dhparam -out dhparams.pem 2048
+
zmdhparam set -new 2048
chown zimbra:zimbra dhparams.pem
+
or more secure but it takes more time to generate:
 +
  zmdhparam set -new 3072
  
Then like zimbra user, add this file to the environment:
+
==== Tune the Cipher list ====
zmprov mcf zimbraReverseProxySSLDHParam "/opt/zimbra/conf/dhparams.pem"
+
As '''zimbra''', run the next command to tune the Ciphers and disable the RC4, etc:
 
 
=====Tune the Cipher list=====
 
Like zimbra user, run the next command to tune the Ciphers and disable the RC4, etc:
 
 
  zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
 
  zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
  
Restart the proxy
+
Restart the proxy:
 
  zmproxyctl restart
 
  zmproxyctl restart
  
====Strict Transport Security (HSTS) & Session resumption (caching)====
+
==== Strict Transport Security (HSTS) & Session resumption (caching) ====
Run the next command to add the proper header to the configuration:
+
Run the next command to add the proper headers to the configuration:
 
  zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
 
  zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
zmprov mcf +zimbraResponseHeader "ssl_session_cache shared:SSL:50m;"
 
zmprov mcf +zimbraResponseHeader "ssl_session_timeout 5m;
 
  
 
Restart the zimbra services
 
Restart the zimbra services
 
  zmcontrol restart
 
  zmcontrol restart
  
=====The result=====
+
If you want to disable some remaining weak ciphers, please take a look to the [[How_to_obtain_an_A%2B_in_the_Qualys_SSL_Labs_Security_Test#Disable_weak_Ciphers|next step as well]].
 +
 
 +
==== The result ====
 
The result in the SSL Labs test will be:
 
The result in the SSL Labs test will be:
  
 
[[File:Ssllabs-zimbra-8.7-proxy.png|800px]]
 
[[File:Ssllabs-zimbra-8.7-proxy.png|800px]]
  
===Zimbra Collaboration 8.6 & 8.5===
+
=== [[Security/Collab/86|Zimbra Collaboration 8.6]] & 8.5 ===
====Using Proxy====
+
==== Using Proxy ====
=====Fix the Logjam issue=====
+
===== Fix the Logjam issue =====
Zimbra 8.6 has per default 1024-bit DH ciphers, as they are secure, the best practice is use at least 2048, and the Qualys SSL Labs test will give us the A+ using the correct ones.
+
ZCS 8.6 has a default 1024-bit DH parameter. Best practice is to use at least 2048-bit and that is the minimum for an A+ with Qualys SSL Labs.
  
Like '''root''', create a new 2048 key, will take some minutes:
+
As '''zimbra''', create a new 2048 key (it make take several minutes):
  cd /opt/zimbra/conf
+
  openssl dhparam -out /opt/zimbra/conf/dhparam.pem 2048
openssl dhparam -out dhparams.pem 2048
 
chown zimbra:zimbra dhparams.pem
 
  
Edit the next 2 files:
+
Edit the following two files:
 
  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
 
  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
 
  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
 
  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
  
You need to add the next content, ssl_dhparam '''/opt/zimbra/conf/dhparams.pem''';, before the include, will looks like:
+
Add a '''ssl_dhparam''' entry before the '''include''' so that you end up with something like the following:
 
  ssl_verify_client      ${ssl.clientcertmode.default};
 
  ssl_verify_client      ${ssl.clientcertmode.default};
 
  ssl_verify_depth        ${ssl.clientcertdepth.default};
 
  ssl_verify_depth        ${ssl.clientcertdepth.default};
  ssl_dhparam /opt/zimbra/conf/dhparams.pem;
+
  ssl_dhparam /opt/zimbra/conf/dhparam.pem;
 
  include                ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
 
  include                ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
  
=====Tune the Cipher list=====
+
===== Tune the Cipher list =====
Like zimbra user, run the next command to tune the Ciphers and disable the RC4, etc:
+
As '''zimbra''', run the next command to tune the Ciphers and disable the RC4, etc:
 
  zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
 
  zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
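Review bot: the 8.7.x heading "Strict Transport Security (HSTS) & Session resumption (caching)" no longer matches its body: the new side keeps only `zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"`, and the `zmprov mcf +zimbraResponseHeader "ssl_session_cache shared:SSL:50m;"` and `ssl_session_timeout 5m;` lines are gone (rightly, since zimbraResponseHeader emits HTTP response headers and those two are nginx directives, the second one also with an unclosed quote), so either rename the heading or say where session caching is configured on 8.7.x. Also "it make take several minutes" in the 8.6 Logjam step should read "it may take several minutes".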
  
Line 73: Line 66:
 
  zmproxyctl restart
 
  zmproxyctl restart
  
=====Strict Transport Security (HSTS)=====
+
===== Strict Transport Security (HSTS) =====
Like '''root''' user, edit the next file '''/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template''' and add in the section '''server {''' the next content :
+
As '''zimbra''', edit these files:
  add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
+
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
 +
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
 +
 
 +
and add the following in the '''server { ... }''' section:
 +
  add_header Strict-Transport-Security "max-age=31536000";
  
=====Session resumption (caching)=====
+
===== Session resumption (caching) =====
Like '''root''' user, add the next content after the '''add_header''' that you added in the previous step:
+
As '''zimbra''', add the following content after the '''add_header''' that you added in the previous step:
 
  ssl_session_cache shared:SSL:50m;
 
  ssl_session_cache shared:SSL:50m;
 
  ssl_session_timeout 5m;
 
  ssl_session_timeout 5m;
  
Then restart the proxy like '''zimbra''' user:
+
As '''zimbra''', restart the proxy:
 
  zmproxyctl restart
 
  zmproxyctl restart
  
=====The result=====
+
===== The result =====
 
The result in the SSL Labs test will be:
 
The result in the SSL Labs test will be:
  
 
[[File:Zimbra86-aplus-001.png|800px]]
 
[[File:Zimbra86-aplus-001.png|800px]]
  
====Without Proxy====
+
==== Without Proxy ====
Thank you to Alex that wrote [http://blog.theatticnetwork.net/2014/11/qualys-a-rating-with-zimbra/ '''this steps'''] months ago.
+
Thank you to Alex that wrote [http://blog.theatticnetwork.net/2014/11/qualys-a-rating-with-zimbra/ '''these steps'''] months ago.
=====Fix the Logjam issue=====
+
 
 +
===== Fix the Logjam issue =====
 
At this moment, Zimbra can't provide any solution to fix Logjam in Zimbra Collaboration 8.5 or above without use Proxy in front, please install the Proxy role. Also you can disable the next Cipher plus the next section to avoid logjam, but all the DHE Cipher will be disabled and can cause some troubles:
 
At this moment, Zimbra can't provide any solution to fix Logjam in Zimbra Collaboration 8.5 or above without use Proxy in front, please install the Proxy role. Also you can disable the next Cipher plus the next section to avoid logjam, but all the DHE Cipher will be disabled and can cause some troubles:
 
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
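Review bot: the new 8.6 nginx HSTS line `add_header Strict-Transport-Security "max-age=31536000";` drops the `includeSubdomains` the old line carried, while the Jetty HeaderPatternRule in the no-proxy section of the same article still sends `max-age=15768000; includeSubDomains`; state one policy for both, noting that includeSubDomains is only safe when every subdomain of the mail host is served over HTTPS, and explain why the two max-age values differ.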
Line 98: Line 96:
 
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  
=====Tune the Cipher list=====
+
===== Tune the Cipher list =====
Like zimbra user, run the next command to tune the Ciphers and disable the RC4, etc:
+
As user '''zimbra''', run the next command to tune the Ciphers and disable the RC4, etc:
 
<pre>zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
 
<pre>zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
Line 123: Line 121:
 
  zmmailboxdctl restart
 
  zmmailboxdctl restart
  
=====Strict Transport Security (HSTS)=====
+
===== Strict Transport Security (HSTS) =====
Like zimbra user edit the next file /opt/zimbra/jetty/etc/jetty.xml.in and search by:
+
As '''zimbra''' edit the file /opt/zimbra/jetty/etc/jetty.xml.in and search by:
<pre>       <Call name="addRule">
+
<pre>
 +
        <Call name="addRule">
 
         <Arg>
 
         <Arg>
 
         <New class="org.eclipse.jetty.rewrite.handler.RewritePatternRule">
 
         <New class="org.eclipse.jetty.rewrite.handler.RewritePatternRule">
Line 133: Line 132:
 
         </Arg>
 
         </Arg>
 
         </Call></pre>
 
         </Call></pre>
Write just above the next:
+
Add the following just before that entry:
<pre>       <Call name="addRule">
+
<pre>
 +
        <Call name="addRule">
 
           <Arg>
 
           <Arg>
 
               <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
 
               <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
Line 144: Line 144:
 
         </Call>
 
         </Call>
 
</pre>
 
</pre>
 +
 
Restart the mailbox service
 
Restart the mailbox service
 
  zmmailboxdctl restart
 
  zmmailboxdctl restart
  
=====The result=====
+
===== The result =====
 
The result if you followed all the previous steps in the SSL Labs test will be:
 
The result if you followed all the previous steps in the SSL Labs test will be:
  
 
[[File:Ssllabs-zimbra-8.6.0-noproxy.png|800px]]
 
[[File:Ssllabs-zimbra-8.6.0-noproxy.png|800px]]
  
If you din't applied the Logjam steps, you will obtain a B.
+
If the Logjam steps were not performed, you will obtain a B.
  
===Zimbra Collaboration 8.0.9===
+
=== Zimbra Collaboration 8.0.9 ===
====Generate a SSL Certificate with SHA256====
+
==== Generate a SSL Certificate with SHA256 ====
Per default, Zimbra Collaboration 8.0.x didn't generate a valid CSR with a 256bit hash. To force it, edit the next file as root:
+
By default, ZCS 8.0.x generated CSRs with SHA1 instead of the now preferred SHA256 hash.  Edit /opt/zimbra/bin/zmcertmgr as root to change the default.
  /opt/zimbra/bin/zmcertmgr
 
  
And change this line:
+
Change this line:
 
  ${openssl} req -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
 
  ${openssl} req -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
  
For the next one, adding the -sha256 to the OpenSSL command:
+
To the following (adding the -sha256 to the openssl command):
 
  ${openssl} req -sha256 -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
 
  ${openssl} req -sha256 -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
  
Then you can generate the new CSR, this time with a SHA256, [https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools '''follow the next Wiki'''].
+
Use the [[Administration Console and CLI Certificate Tools]] to generate the new CSR (now with a SHA256 hash).
  
====Disable SSLv3 to fix the Poodle====
+
==== Disable SSLv3 to fix POODLE  ====
Follow [http://wiki.zimbra.com/wiki/How_to_disable_SSLv3 '''the next Wiki to disable SSLv3'''] in your Zimbra Collaboration 8.0.x environment.
+
Follow [[How to disable SSLv3]] to disable SSLv3 in your ZCS 8.0.x environment.
  
====Disable Client-Initiated SSL renegotiation====
+
==== Disable Client-Initiated SSL renegotiation ====
You need to edit the Jetty template and search by org.eclipse.jetty.server.ssl.SslSelectChannelConnector, then before the Set name dedicated to port add allowRenegotiate False, like this:
+
Edit the Jetty template and search by org.eclipse.jetty.server.ssl.SslSelectChannelConnector.  Before the '''Set name="Port"''' line, add a '''allowRenegotiate False''' as follows:
  
<pre>vi /opt/zimbra/jetty/etc/jetty.xml.in
+
<pre>
    ...
 
 
             <New id="ssl" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
 
             <New id="ssl" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
 
               <Set name="allowRenegotiate">FALSE</Set>
 
               <Set name="allowRenegotiate">FALSE</Set>
Line 183: Line 182:
 
  zmmailboxdctl restart
 
  zmmailboxdctl restart
  
====Strict Transport Security (HSTS)====
+
==== Strict Transport Security (HSTS) ====
Run the next command to add the proper header to the configuration:
+
Add the proper header to the configuration:
 
  zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
 
  zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
  
Line 190: Line 189:
 
  zmcontrol restart
 
  zmcontrol restart
  
====Using Proxy====
+
==== Using Proxy ====
 
The first step you need to check if you are using the proxy (nginx) or just mailboxd (jetty):
 
The first step you need to check if you are using the proxy (nginx) or just mailboxd (jetty):
  
1. Verify if nginx is listening on port 443:
+
1. Verify if nginx is listening on port 443, in this case you can see that is jetty and not nignx:
 
  lsof -i :443
 
  lsof -i :443
 
  COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
 
  COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
 
  java    6637 zimbra  96u  IPv4 198165      0t0  TCP *:https (LISTEN)
 
  java    6637 zimbra  96u  IPv4 198165      0t0  TCP *:https (LISTEN)
  
2. Enable nginx for https proxy, as '''zimbra''' user:
+
2. Enable nginx for https, for POP3 and IMAP reverseproxy, as '''zimbra''' user:
 
  ./libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`
 
  ./libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`
 +
./libexec/zmproxyconfig -e -m -o -i 7143:143:7993:993 -p 7110:110:7995:995 -H `zmhostname`
  
 
3. Sanity check #1
 
3. Sanity check #1
 
  zmprov gs `zmhostname` zimbraMailReferMode
 
  zmprov gs `zmhostname` zimbraMailReferMode
  # name zimbra86.zimbra.io
+
  # name zimbra8.zimbra.io
 
  zimbraMailReferMode: reverse-proxied
 
  zimbraMailReferMode: reverse-proxied
  
Line 216: Line 216:
 
Now you have nginx properly enabled.
 
Now you have nginx properly enabled.
  
=====Fix the Logjam issue=====
+
===== Fix the Logjam issue =====
Zimbra 8.6 uses, by default, 1024 bit DH parameters. However, the current best practice is use at least 2048 bits, and the Qualys SSL Labs test will give us the A+ by doing so.
+
Zimbra 8.0.x has a default 1024-bit DH parameter. Best practice is to use at least 2048-bit and that is the minimum for an A+ with Qualys SSL Labs.
  
As '''root''', create a new set of 2048 bit parameters. Note, this will take a few minutes:
+
As '''zimbra''', create a new 2048 key (it make take several minutes):
  cd /opt/zimbra/conf
+
  openssl dhparam -out /opt/zimbra/conf/dhparam.pem 2048
openssl dhparam -out dhparams.pem 2048
 
chown zimbra:zimbra dhparams.pem
 
  
 
Edit the following two files:
 
Edit the following two files:
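Review bot: "As zimbra, create a new 2048 key (it make take several minutes)" should read "it may take several minutes", and since the new side now runs `openssl dhparam -out /opt/zimbra/conf/dhparam.pem 2048` as zimbra the old `chown zimbra:zimbra` step is correctly gone; consider saying "2048-bit DH parameters" rather than "key", which is what the file actually contains.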
Line 228: Line 226:
 
  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
 
  /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
  
You need to add the following content, "ssl_dhparam '''/opt/zimbra/conf/dhparams.pem''';", before the include. It will look like:
+
Add a '''ssl_dhparam''' entry before the '''include''' so that you end up with something like the following:
 
  ssl_verify_client      ${ssl.clientcertmode.default};
 
  ssl_verify_client      ${ssl.clientcertmode.default};
 
  ssl_verify_depth        ${ssl.clientcertdepth.default};
 
  ssl_verify_depth        ${ssl.clientcertdepth.default};
  ssl_dhparam /opt/zimbra/conf/dhparams.pem;
+
  ssl_dhparam /opt/zimbra/conf/dhparam.pem;
 
  include                ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
 
  include                ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
  
=====Disable weak Ciphers=====
+
===== Disable weak Ciphers =====
 
Disable weak Ciphers, thank you to [[ShanxT-Removing-Insecure-SSL-Ciphers|ShanxT]]. Please note, by eliminating these ciphers, some older clients may stop working:
 
Disable weak Ciphers, thank you to [[ShanxT-Removing-Insecure-SSL-Ciphers|ShanxT]]. Please note, by eliminating these ciphers, some older clients may stop working:
 
<pre>zmprov mcf +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
 
<pre>zmprov mcf +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
Line 264: Line 262:
 
  +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256</pre>
 
  +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256</pre>
  
=====Tune the Cipher list=====
+
===== Tune the Cipher list =====
You will want to disable the RC4, run the nex command:
+
Disable RC4 ciphers with the following command:
 
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 \
 
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 \
 
  +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA \
 
  +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA \
Line 275: Line 273:
 
  zmmailboxdctl restart
 
  zmmailboxdctl restart
  
=====The result=====
+
===== The result =====
The result using a valid SSL commercial certificate, and Zimbra Collaboration Single-Server 8.0.9 Proxy, in the SSL Labs test will be an A+ if you followed all the steps.
+
The result using a valid SSL commercial certificate, and ZCS 8.0.9 Proxy, in the SSL Labs test will be an A+ if you followed all the steps.
  
 
[[File:Ssllabs-zimbra-8.0.9-proxyaplus.png|800px]]
 
[[File:Ssllabs-zimbra-8.0.9-proxyaplus.png|800px]]
  
====Without Proxy====
+
==== Without Proxy ====
=====Fix the Logjam issue=====
+
===== Fix the Logjam issue =====
At this moment, Zimbra can't provide any solution to fix Logjam in Zimbra Collaboration 8.0.9, you need to upgrade to Zimbra Collaboration 8.6. But you can disable the next Ciphers, plus the next section to avoid logjam, but all the DHE Cipher will be disabled and can cause some troubles in old computers/clients:
+
At this moment, Zimbra can't provide any solution to fix Logjam in Zimbra Collaboration 8.0.9, you need to upgrade to Zimbra Collaboration 8.6. But you can disable the following Ciphers, plus the next section to avoid logjam, but all the DHE Cipher will be disabled and can cause some troubles in old computers/clients:
  zmprov mcf +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
+
  zmprov mcf +zimbraSSLExcludeCipherSuites \
 
  +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
 
  +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
 
  +zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA  \
 
  +zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA  \
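Review bot: the new first line `zmprov mcf +zimbraSSLExcludeCipherSuites \` lost its value (the old side had `TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384`), so after shell line continuation the argument list starts `+zimbraSSLExcludeCipherSuites +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA ...`, shifting every following attribute/value pair by one; either restore a suite name on that line or begin the command with the first real pair, `zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA \`.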
Line 306: Line 304:
 
  +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
 
  +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
 
  +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
 
  +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
 
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA \
 
 
  +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
 
  +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
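Review bot: the three unindented lines `+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \`, `+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \` and `+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA \` appear only on the old side of this hunk, so the new 8.0.9 no-proxy list no longer excludes the ECDHE 3DES suite; if that was intentional, say so in the lead-in, since the 8.6 no-proxy list on this page still treats 3DES (TLS_RSA_WITH_3DES_EDE_CBC_SHA) as a suite to remove.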
  
=====Tune the Cipher list=====
+
===== Tune the Cipher list =====
Like zimbra user, run the next command to tune the Ciphers and disable the RC4, etc:
+
As '''zimbra''', run the following command to disable RC4 ciphers:
 
  zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 \
 
  zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA \
+
  +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 \
+
  +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA \
+
  +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
+
  +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
  
 
Restart the mailbox service
 
Restart the mailbox service
 
  zmmailboxdctl restart
 
  zmmailboxdctl restart
  
=====The result=====
+
===== The result =====
The result using a valid SSL commercial certificate, and Zimbra Collaboration Single-Server 8.0.9 without Proxy, in the SSL Labs test will be an A if you followed all the steps, if you want to obtain the A+, please upgrade to Zimbra Collaboration 8.6 with Proxy:  
+
The result, using a valid SSL commercial certificate and Zimbra Collaboration Single-Server 8.0.9 without Proxy, in the SSL Labs test will be an A if you followed all the steps. If you want to obtain the A+, please upgrade to Zimbra Collaboration 8.6 with Proxy:  
  
 
[[File:Ssllabs-zimbra-8.0.9-noproxy.png|800px]]
 
[[File:Ssllabs-zimbra-8.0.9-noproxy.png|800px]]
  
==Additional Content==
+
== Additional Content ==
 
* Thank you to [http://managedhosting.de http://managedhosting.de] for the original wiki about disable logjam - [https://wiki.zimbra.com/wiki/Security/Collab/logjam https://wiki.zimbra.com/wiki/Security/Collab/logjam]
 
* Thank you to [http://managedhosting.de http://managedhosting.de] for the original wiki about disable logjam - [https://wiki.zimbra.com/wiki/Security/Collab/logjam https://wiki.zimbra.com/wiki/Security/Collab/logjam]
 
* Thank you [http://blog.irontec.com/crear-certificados-ssl-con-firma-sha256-en-zimbra/ '''to Irontec to wrote the next Blog entry'''] about how to generate CSR with hash SHA256.
 
* Thank you [http://blog.irontec.com/crear-certificados-ssl-con-firma-sha256-en-zimbra/ '''to Irontec to wrote the next Blog entry'''] about how to generate CSR with hash SHA256.
 
  
 
{{Article Footer|Zimbra Collaboration 8.7, 8.6, 8.5, 8.0|06/22/2015}}
 
{{Article Footer|Zimbra Collaboration 8.7, 8.6, 8.5, 8.0|06/22/2015}}
{{NeedSME|SME1|SME2|Copyeditor}}
+
{{NeedSME|Jorge|Phil|Gayle B.}}

Latest revision as of 23:28, 23 June 2017

How to obtain an A+ in the Qualys SSL Labs security test

KB 22051, last updated on 2017-06-23





Purpose

List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.

Resolution

This wiki requires using the CLI, as some of these options are not available via the Admin Console. Please note: obtaining the best result in the SSL Labs test may not align with your business requirements or environment (e.g. if you still run old equipment such as Windows XP or older Java clients). Tune your environment according to your needs.

Zimbra Collaboration 8.7.x & 8.8

ZCS 8.7.x/8.8 defaults to a 2048-bit DH parameter (bug 99558), which comes from the RFC 3526 IKE 2048-bit MODP group (group 14), for anything in ZCS that uses OpenSSL.

Custom or Stronger DH Parameters

In 8.7.x you can generate new or custom DH parameters with the zmdhparam utility, which calls openssl dhparam:

zmdhparam set -new 2048

or, for a stronger parameter that takes longer to generate:

zmdhparam set -new 3072

Tune the Cipher list

As zimbra, run the following command to tune the cipher list and disable RC4 and other weak ciphers:

zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

Restart the proxy:

zmproxyctl restart

Strict Transport Security (HSTS) & Session resumption (caching)

Run the following command to add the HSTS header to the configuration:

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"

Restart the Zimbra services:

zmcontrol restart

If you want to disable some remaining weak ciphers, also see the "Disable weak Ciphers" step (under Zimbra Collaboration 8.0.9, Using Proxy).

The result

The result in the SSL Labs test will be:

[Screenshot: Ssllabs-zimbra-8.7-proxy.png]

Zimbra Collaboration 8.6 & 8.5

Using Proxy

Fix the Logjam issue

ZCS 8.6 has a default 1024-bit DH parameter. Best practice is to use at least 2048 bits, which is also the minimum for an A+ with Qualys SSL Labs.

As zimbra, generate a new 2048-bit DH parameter file (this may take several minutes):

openssl dhparam -out /opt/zimbra/conf/dhparam.pem 2048

Edit the following two files:

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

Add an ssl_dhparam directive before the include line, so that the block looks like the following:

ssl_verify_client       ${ssl.clientcertmode.default};
ssl_verify_depth        ${ssl.clientcertdepth.default};
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
include                 ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
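Both the zmdhparam step for 8.7.x and the openssl dhparam step above produce a PEM "DH PARAMETERS" file, but neither step shows how to confirm that the file really carries the modulus size you asked for before nginx loads it. The following is an added example, not Zimbra's code: it decodes the PKCS#3 structure (SEQUENCE of INTEGER p, INTEGER g) with only the standard library and checks the bit length; make_dh_pem and the (1 << 2047) + 1 modulus are constructed test input, not a real safe prime.

```python
"""Verify the modulus size of a PKCS#3 'DH PARAMETERS' PEM file.

Added example, not Zimbra's code. It decodes the DER structure
SEQUENCE { INTEGER p, INTEGER g } by hand so that it needs only the
standard library; make_dh_pem() exists only to build constructed test
input (its modulus is NOT a real safe prime, never deploy it).
"""
import base64
import re
import sys

PEM_RE = re.compile(
    r"-----BEGIN DH PARAMETERS-----\s*(.*?)\s*-----END DH PARAMETERS-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the length-of-length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def parse_dh_params(pem_text):
    """Return (p, g) from a PEM 'DH PARAMETERS' block, or raise ValueError."""
    m = PEM_RE.search(pem_text)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode(m.group(1))      # b64decode skips the line breaks
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag, p_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER p")
    tag, g_bytes, _ = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("expected INTEGER g")
    return int.from_bytes(p_bytes, "big"), int.from_bytes(g_bytes, "big")


def dh_modulus_bits(pem_text):
    """Bit length of p, i.e. the 2048 or 3072 you passed to zmdhparam / openssl dhparam."""
    return parse_dh_params(pem_text)[0].bit_length()


def dh_params_ok(pem_text, minimum_bits=2048):
    """True when p is odd, g is a usable generator and p is at least minimum_bits long."""
    p, g = parse_dh_params(pem_text)
    return p.bit_length() >= minimum_bits and p % 2 == 1 and g >= 2


def _der_len(n):
    """DER length octets: short form below 0x80, otherwise 0x80|count followed by the bytes."""
    if n < 0x80:
        return bytes([n])
    count = (n.bit_length() + 7) // 8
    return bytes([0x80 | count]) + n.to_bytes(count, "big")


def _der_int(n):
    body = n.to_bytes(n.bit_length() // 8 + 1, "big")   # extra byte keeps the sign bit clear
    return b"\x02" + _der_len(len(body)) + body


def make_dh_pem(p, g=2):
    """Encode (p, g) as a PEM DH PARAMETERS block; constructed test input only."""
    seq = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(seq)) + seq).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN DH PARAMETERS-----\n%s\n-----END DH PARAMETERS-----\n" % body


if __name__ == "__main__":
    # Usage: python dhcheck.py /opt/zimbra/conf/dhparam.pem [minimum_bits]
    path = sys.argv[1] if len(sys.argv) > 1 else None
    minimum = int(sys.argv[2]) if len(sys.argv) > 2 else 2048
    if path:
        with open(path) as fh:
            text = fh.read()
    else:                                   # no file given: demonstrate with constructed input
        text = make_dh_pem((1 << 2047) + 1)
    print("modulus bits:", dh_modulus_bits(text),
          "OK" if dh_params_ok(text, minimum) else "TOO SMALL / INVALID")
```

Point it at the dhparam.pem you generated (or at /opt/zimbra/conf/dhparams.pem on the ssl_dhparam path) and it reports the modulus size nginx will actually use.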
Tune the Cipher list

As zimbra, run the following command to tune the cipher list and disable RC4 and other weak ciphers:

zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

Restart the proxy:

zmproxyctl restart
Strict Transport Security (HSTS)

As zimbra, edit these files:

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

and add the following in the server { ... } section:

add_header Strict-Transport-Security "max-age=31536000";
Session resumption (caching)

As zimbra, add the following directives after the add_header line you added in the previous step:

ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;

As zimbra, restart the proxy:

zmproxyctl restart
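The cipher string and HSTS header used in both the 8.7.x and the 8.6 proxy steps above can be sanity-checked offline before the zmprov commands are run. The following is an added example, not Zimbra's code; REQUIRED_EXCLUSIONS and the 15768000-second HSTS threshold are this example's assumptions (the exclusions are the page's own !-entries plus 3DES, which OpenSSL's !DES does not cover, and the threshold is the six-month max-age the page's Jetty rule uses).

```python
"""Offline checks for the proxy settings tuned on this page: the OpenSSL cipher
string given to zimbraReverseProxySSLCiphers and the Strict-Transport-Security
value added via add_header / zimbraResponseHeader.

Added example, not Zimbra's code. REQUIRED_EXCLUSIONS and HSTS_MIN_MAX_AGE are
this example's assumptions (see the lead-in).
"""
import re

# Copied from the page's zmprov mcf zimbraReverseProxySSLCiphers command.
PAGE_CIPHER_STRING = ('ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4')

# Key-exchange prefixes that give forward secrecy in OpenSSL cipher names and aliases.
FORWARD_SECRET_KX = ("ECDHE", "DHE", "kEDH", "kEECDH")
# Assumption of this example: the page's own exclusions plus 3DES (!DES excludes single DES only).
REQUIRED_EXCLUSIONS = ("aNULL", "eNULL", "EXPORT", "DES", "3DES", "MD5", "RC4")
# Assumption of this example: the six-month max-age the page's Jetty HSTS rule uses.
HSTS_MIN_MAX_AGE = 15768000


def audit_cipher_string(cipher_string):
    """Split an OpenSSL cipher string and report what it allows and what it forgets to forbid."""
    entries = [e for e in cipher_string.split(":") if e]
    excluded = [e[1:] for e in entries if e.startswith("!")]
    positives = [e for e in entries if not e.startswith("!")]
    forward_secret, not_forward_secret = [], []
    for entry in positives:
        kx = re.split(r"[-+]", entry, maxsplit=1)[0]   # 'ECDHE-RSA-…' -> 'ECDHE', 'kEDH+AESGCM' -> 'kEDH'
        (forward_secret if kx in FORWARD_SECRET_KX else not_forward_secret).append(entry)
    return {
        "forward_secret": forward_secret,
        "not_forward_secret": not_forward_secret,   # plain-RSA key exchange and broad aliases such as HIGH
        "excluded": excluded,
        "missing_exclusions": [x for x in REQUIRED_EXCLUSIONS if x not in excluded],
        "aead_first": bool(positives) and "-GCM-" in positives[0],
    }


def hsts_value(header_line):
    """Accept a bare value or the 'Strict-Transport-Security: value' form zmprov takes."""
    name, sep, value = header_line.partition(":")
    if sep and name.strip().lower() == "strict-transport-security":
        return value.strip()
    return header_line.strip()


def parse_hsts(header_line):
    """Parse 'max-age=31536000; includeSubDomains' (directive names are case-insensitive)."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for part in hsts_value(header_line).split(";"):
        part = part.strip()
        if not part:
            continue                                # tolerate a trailing ';'
        name, _, value = part.partition("=")
        name, value = name.strip().lower(), value.strip().strip('"')
        if name == "max-age":
            if not value.isdigit():
                raise ValueError("bad max-age directive: %r" % part)
            result["max_age"] = int(value)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_ok(header_line, minimum=HSTS_MIN_MAX_AGE):
    """True when max-age is present and at least `minimum` seconds."""
    parsed = parse_hsts(header_line)
    return parsed["max_age"] is not None and parsed["max_age"] >= minimum


if __name__ == "__main__":
    report = audit_cipher_string(PAGE_CIPHER_STRING)
    print("forward-secret entries:", len(report["forward_secret"]))
    print("entries without forward secrecy:", report["not_forward_secret"])
    print("exclusions still missing:", report["missing_exclusions"])
    for header in ("Strict-Transport-Security: max-age=31536000",
                   "max-age=15768000; includeSubDomains", "max-age=300"):
        print("%-45s -> %s" % (header, "OK" if hsts_ok(header) else "max-age too short"))
```

On the page's own string the audit reports 21 forward-secret entries, five trailing entries (AES128-GCM-SHA256 through HIGH) that still permit plain RSA key exchange, and 3DES as the one weak family not explicitly excluded.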
The result

The result in the SSL Labs test will be:

[Screenshot: Zimbra86-aplus-001.png]

Without Proxy

Thank you to Alex, who wrote these steps months ago.

Fix the Logjam issue

At this moment, Zimbra cannot provide a fix for Logjam in Zimbra Collaboration 8.5 or above without a Proxy in front, so please install the Proxy role. Alternatively, you can exclude the following cipher suites (plus those in the next section) to avoid Logjam, but this disables all DHE cipher suites and can cause problems for some clients:

zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
Tune the Cipher list

As user zimbra, run the following command to tune the cipher list and disable RC4 and other weak ciphers:

zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA

Restart the mailbox service:

zmmailboxdctl restart

Strict Transport Security (HSTS)

As zimbra, edit the file /opt/zimbra/jetty/etc/jetty.xml.in and search for:

        <Call name="addRule">
        <Arg>
        <New class="org.eclipse.jetty.rewrite.handler.RewritePatternRule">
            <Set name="pattern">/Microsoft-Server-ActiveSync/*</Set>
            <Set name="replacement">/service/extension/zimbrasync</Set>
        </New>
        </Arg>
        </Call>

Add the following just before that entry:

        <Call name="addRule">
           <Arg>
              <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                 <Set name="pattern">*</Set>
                 <Set name="name">Strict-Transport-Security</Set>
                 <Set name="value">max-age=15768000; includeSubDomains</Set>
              </New>
           </Arg>
        </Call>

Restart the mailbox service:

zmmailboxdctl restart

jetty.xml is generated from jetty.xml.in, which is why the template is edited; re-check the rule after an upgrade, since upgrades can ship a new template.

The result

The result in the SSL Labs test, if you followed all the previous steps, will be:

[Screenshot: Ssllabs-zimbra-8.6.0-noproxy.png]

If the Logjam steps were not performed, you will obtain a B.
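Whether a mailboxd or proxy really came out of these steps Logjam-free and with a qualifying HSTS header can be read off two artefacts: the Server Temp Key line that openssl s_client (1.0.2 and later) prints after the handshake, and the response headers of the login page. The following Python script is an added example, not part of this wiki page and not Zimbra code, that applies the two grade-limiting rules used on this page to such captures: a DH group under 2048 bits is capped at B (the Logjam case), and a missing HSTS header or a max-age under 180 days rules out the A+. It also reports the ephemeral key type, so a plain-RSA handshake without forward secrecy is visible. The transcripts and header blocks below are constructed samples, not captures from a real server; the 180-day (15552000-second) minimum is the six-month HSTS duration SSL Labs requires for an A+, and both values used on this page exceed it.

```python
import re

# Constructed samples of `openssl s_client -connect host:443` output and of the HTTP
# response headers (not captured from a real server): a server before and after the steps.
S_CLIENT_BEFORE = """\
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Server Temp Key: DH, 1024 bits
    Protocol  : TLSv1.2
    Cipher    : DHE-RSA-AES128-GCM-SHA256
"""
HEADERS_BEFORE = "HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Type: text/html\r\n\r\n"

S_CLIENT_AFTER = """\
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Server Temp Key: ECDH, P-256, 256 bits
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
"""
HEADERS_AFTER = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                 "Strict-Transport-Security: max-age=15768000; includeSubDomains\r\n\r\n")

MIN_DH_BITS = 2048            # below this SSL Labs caps the grade at B (Logjam)
MIN_HSTS_MAX_AGE = 15552000   # 180 days: the "long duration" HSTS needed for A+

# "Server Temp Key: DH, 1024 bits" / "Server Temp Key: ECDH, P-256, 256 bits" / "X25519, 253 bits"
TEMP_KEY_RE = re.compile(r"Server Temp Key:\s*(\w+)(?:,\s*([\w-]+))?,\s*(\d+) bits")


def ephemeral_key(s_client_output):
    """Parse s_client's Server Temp Key line; None means RSA key exchange (no ephemeral key)."""
    match = TEMP_KEY_RE.search(s_client_output)
    if match is None:
        return None
    return {"kx": match.group(1), "curve": match.group(2), "bits": int(match.group(3))}


def hsts_max_age(raw_headers):
    """Return the max-age of the Strict-Transport-Security header, or None if absent/unparseable."""
    for line in raw_headers.split("\r\n"):
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "strict-transport-security":
            continue
        for directive in value.split(";"):
            key, _, val = directive.strip().partition("=")
            if key.strip().lower() == "max-age":
                try:
                    return int(val.strip().strip('"'))
                except ValueError:
                    return None
    return None


def assess(s_client_output, raw_headers):
    """Apply the page's two grade-limiting checks and summarise the handshake."""
    key = ephemeral_key(s_client_output)
    age = hsts_max_age(raw_headers)
    findings = []
    if key is not None and key["kx"] == "DH" and key["bits"] < MIN_DH_BITS:
        findings.append(f"Logjam: {key['bits']}-bit DH group, grade capped at B")
    if age is None:
        findings.append("no Strict-Transport-Security header, A at best")
    elif age < MIN_HSTS_MAX_AGE:
        findings.append(f"HSTS max-age {age} is below {MIN_HSTS_MAX_AGE}, A at best")
    return {
        "forward_secrecy": key is not None,
        "dh_bits": key["bits"] if key is not None and key["kx"] == "DH" else None,
        "hsts_max_age": age,
        "a_plus_possible": not findings,
        "findings": findings,
    }


if __name__ == "__main__":
    for label, output, headers in (("before", S_CLIENT_BEFORE, HEADERS_BEFORE),
                                   ("after", S_CLIENT_AFTER, HEADERS_AFTER)):
        print(label, assess(output, headers))
```

To run it against a real host, feed it the output of openssl s_client -connect host:443 and the headers from curl -sI https://host/; the HSTS check should be repeated on the URLs users actually hit, since nginx add_header is per location.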

Zimbra Collaboration 8.0.9

Generate a SSL Certificate with SHA256

By default, ZCS 8.0.x generated CSRs with SHA1 instead of the now preferred SHA256 hash. Edit /opt/zimbra/bin/zmcertmgr as root to change the default.

Change this line:

${openssl} req -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \

To the following (adding the -sha256 to the openssl command):

${openssl} req -sha256 -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \

Use the Administration Console or the CLI Certificate Tools to generate the new CSR and confirm that its signature algorithm reads sha256WithRSAEncryption before submitting it. The CSR hash does not dictate the hash of the issued certificate, and it is the certificate's signature that SSL Labs grades, so also make sure the CA issues a SHA-256 certificate.

Disable SSLv3 to fix POODLE

Follow How to disable SSLv3 to disable SSLv3 in your ZCS 8.0.x environment.

Disable Client-Initiated SSL renegotiation

Edit the Jetty template (/opt/zimbra/jetty/etc/jetty.xml.in) and search for org.eclipse.jetty.server.ssl.SslSelectChannelConnector. Before the Set name="Port" line, add allowRenegotiate set to FALSE, as follows:

            <New id="ssl" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
              <Set name="allowRenegotiate">FALSE</Set>
              <Set name="Port">%%zimbraMailSSLPort%%</Set>

Restart the mailbox service

zmmailboxdctl restart

Strict Transport Security (HSTS)

Add the proper header to the configuration:

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"

Restart the zimbra services

zmcontrol restart

Using Proxy

First check whether port 443 is served by the proxy (nginx) or directly by mailboxd (jetty):

1. Check what is listening on port 443. In this example it is jetty (the java process), not nginx:

lsof -i :443
COMMAND  PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
java    6637 zimbra   96u  IPv4 198165      0t0  TCP *:https (LISTEN)

2. Enable nginx as the https, POP3 and IMAP reverse proxy. As zimbra, from /opt/zimbra (the paths below are relative to it):

./libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`
./libexec/zmproxyconfig -e -m -o -i 7143:143:7993:993 -p 7110:110:7995:995 -H `zmhostname`

3. Sanity check #1

zmprov gs `zmhostname` zimbraMailReferMode
# name zimbra8.zimbra.io
zimbraMailReferMode: reverse-proxied

4. Sanity check #2

lsof -i :443
COMMAND   PID   USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
nginx   31418 zimbra   10u  IPv4 314934      0t0  TCP *:https (LISTEN)
nginx   31419 zimbra   10u  IPv4 314934      0t0  TCP *:https (LISTEN)
nginx   31420 zimbra   10u  IPv4 314934      0t0  TCP *:https (LISTEN)
nginx   31421 zimbra   10u  IPv4 314934      0t0  TCP *:https (LISTEN)

Now you have nginx properly enabled.

Fix the Logjam issue

Zimbra 8.0.x uses a 1024-bit DH parameter by default. Best practice is at least 2048 bits, and that is the minimum for an A+ with Qualys SSL Labs.

As zimbra, create a new 2048-bit parameter file (this may take several minutes):

openssl dhparam -out /opt/zimbra/conf/dhparam.pem 2048

Edit the following two files:

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

Add an ssl_dhparam entry before the include so that you end up with the following:

ssl_verify_client       ${ssl.clientcertmode.default};
ssl_verify_depth        ${ssl.clientcertdepth.default};
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
include                 ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
Disable weak Ciphers

Disable weak ciphers (thanks to ShanxT). Please note that eliminating these ciphers may stop some older clients from working. zimbraSSLExcludeCipherSuites is read by mailboxd (Jetty) and matched against JSSE suite names; the two OpenSSL-style entries in this list, DHE-RSA-AES256-SHA and DHE-RSA-AES256-SHA256, match nothing in Jetty and are harmless, and their JSSE equivalents TLS_DHE_RSA_WITH_AES_256_CBC_SHA and TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 are already in the list:

zmprov mcf +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
 +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
 +zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA  \
 +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
 +zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA256 \
 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA  \
 +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
 +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
 +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
 +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256

Tune the Cipher list

Disable RC4 ciphers with the following command:

zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA

Restart the mailbox service

zmmailboxdctl restart

The result

Using a valid commercial SSL certificate and the ZCS 8.0.9 Proxy, the SSL Labs test result will be an A+ if you followed all the steps.

[Screenshot: Ssllabs-zimbra-8.0.9-proxyaplus.png]

Without Proxy

Fix the Logjam issue

At this moment Zimbra cannot offer a fix for Logjam in Zimbra Collaboration 8.0.9 without the Proxy; you need to upgrade to Zimbra Collaboration 8.6. You can instead exclude the following ciphers, plus those in the next section, to avoid Logjam, but all DHE suites will then be disabled, which can cause trouble with old computers and clients. Every +zimbraSSLExcludeCipherSuites flag must be followed by a cipher name; a flag without a value makes zmprov read the next flag as its value:

zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
+zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA  \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA  \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256

Tune the Cipher list

As zimbra, run the following command to disable RC4 ciphers:

zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 \
  +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA \
  +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 \
  +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA \
  +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA

Restart the mailbox service

zmmailboxdctl restart
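Both 8.0.9 exclude lists above are long zmprov commands typed by hand, and two things go wrong silently: an OpenSSL-style name such as DHE-RSA-AES256-SHA is accepted by zmprov but never matches a JSSE suite in Jetty, and a +zimbraSSLExcludeCipherSuites flag with no value shifts every following token by one, so the command does not do what it reads as. The following Python script is an added example, not from this wiki page and not Zimbra code, that parses a zmprov mcf or modifyConfig command and reports the suites it actually excludes, entries that are not JSSE names, duplicates, and flags without a value. The command text it checks is constructed from a subset of the two lists above, with the first flag deliberately left without a value to show the failure mode.

```python
import re
import shlex

ATTRIBUTE = "zimbraSSLExcludeCipherSuites"

# JSSE cipher-suite naming: TLS_<key exchange>_WITH_<cipher>_<mac>, or legacy SSL_... names.
JSSE_NAME = re.compile(r"^(?:TLS|SSL)_[A-Z0-9]+(?:_[A-Z0-9]+)*_WITH_[A-Z0-9]+(?:_[A-Z0-9]+)*$")

# Constructed command text: a subset of the 8.0.9 lists above (including the two
# OpenSSL-style names and one repeated suite) with the first flag missing its value.
SAMPLE_COMMAND = r"""
zmprov mcf +zimbraSSLExcludeCipherSuites \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
+zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA  \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5
"""


def parse_exclude_command(command_text):
    """Parse `zmprov mcf|modifyConfig [+|-]attr value ...` and report its effect on ATTRIBUTE."""
    tokens = shlex.split(command_text.replace("\\\n", " "))  # join shell line continuations
    report = {"excluded": [], "ignored_non_jsse": [], "duplicates": [], "other": [], "errors": []}
    if tokens[:2] not in (["zmprov", "mcf"], ["zmprov", "modifyConfig"]):
        report["errors"].append("not a `zmprov mcf` / `zmprov modifyConfig` command")
        return report
    seen = set()
    i = 2
    while i < len(tokens):
        flag = tokens[i]
        op, attr = (flag[0], flag[1:]) if flag[:1] in ("+", "-") else ("=", flag)
        value = tokens[i + 1] if i + 1 < len(tokens) else None
        if value is None or value.startswith(("+", "-")):
            # zmprov would consume the next flag as this flag's value; report it and
            # re-sync on that flag so the rest of the command is still checked.
            report["errors"].append(f"{flag} has no value (zmprov would take {value!r} as its value)")
            i += 1
            continue
        i += 2
        if attr != ATTRIBUTE or op != "+":
            report["other"].append(f"{flag} {value}")  # another attribute, '-' removal or replacement
            continue
        if not JSSE_NAME.match(value):
            report["ignored_non_jsse"].append(value)  # accepted by zmprov, never matched by Jetty
        elif value in seen:
            report["duplicates"].append(value)
        else:
            seen.add(value)
            report["excluded"].append(value)
    return report


if __name__ == "__main__":
    for key, entries in parse_exclude_command(SAMPLE_COMMAND).items():
        print(f"{key:>17}: {entries}")
```

Run it on the exact text you are about to paste into the zimbra shell; an empty errors list and an empty ignored_non_jsse list mean every entry will reach Jetty as intended.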

The result

Using a valid commercial SSL certificate and a Zimbra Collaboration 8.0.9 single server without Proxy, the SSL Labs test result will be an A if you followed all the steps. To obtain the A+, upgrade to Zimbra Collaboration 8.6 with Proxy:

[Screenshot: Ssllabs-zimbra-8.0.9-noproxy.png]

Additional Content

Verified Against: Zimbra Collaboration 8.7, 8.6, 8.5, 8.0 Date Created: 06/22/2015
Article ID: https://wiki.zimbra.com/index.php?title=How_to_obtain_an_A%2B_in_the_Qualys_SSL_Labs_Security_Test Date Modified: 2017-06-23



Wiki/KB reviewed by Jorge Phil Gayle B. Last edit by Jorge de la Cruz