{{WIP}}{{Article Infobox|{{admin}}|{{ZCS 8.7}}||{{ZCS 8.6}}|{{ZCS 8.0}}}}
__FORCETOC__

=How to obtain an A+ in the Qualys SSL Labs security test=

==Purpose==

List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.
==Resolution==

Until there is an option in the Admin Console, all of the steps in this wiki use the CLI.

===Zimbra Collaboration 8.7===

Work in progress

===Zimbra Collaboration 8.6 & 8.5===

====Fix the Logjam issue====

Zimbra 8.6 uses 1024-bit DH parameters by default. Although these are still considered secure, best practice is to use at least 2048 bits, and the Qualys SSL Labs test will only give an A+ with the correct ones.

As '''root''', create a new 2048-bit DH parameter file; this will take a few minutes:

 cd /opt/zimbra/conf
 openssl dhparam -out dhparams.pem 2048
 chown zimbra:zimbra dhparams.pem

Edit the following two files:

 /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
 /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

The proxy configuration is generated from these templates, so edit the templates rather than the generated nginx.conf. Note that a Zimbra upgrade may overwrite the templates, so re-check them after upgrading.

Add the line '''ssl_dhparam /opt/zimbra/conf/dhparams.pem;''' before the '''include''' line, so that the section looks like:

 ssl_verify_client ${ssl.clientcertmode.default};
 ssl_verify_depth ${ssl.clientcertdepth.default};
 ssl_dhparam /opt/zimbra/conf/dhparams.pem;
 include ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};

====Tune the Cipher list====

As the '''zimbra''' user, run the following command to tune the ciphers and disable RC4 and other weak algorithms:

 zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

Restart the proxy:

 zmproxyctl restart

====Strict Transport Security (HSTS)====

As '''root''', edit the file '''/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template''' and add the following inside the '''server {''' section:

 add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";

====Session resumption (caching)====

As '''root''', add the following after the '''add_header''' line you added in the previous step:

 ssl_session_cache shared:SSL:50m;
 ssl_session_timeout 5m;

Then restart the proxy as the '''zimbra''' user:

 zmproxyctl restart

====The result====

The result in the SSL Labs test will be:

[[File:Zimbra86-aplus-001.png|800px]]

===Zimbra Collaboration 8.0.9===

Work in progress

==Additional Content==

* Thank you to [http://managedhosting.de http://managedhosting.de] for the original wiki about disabling Logjam: [https://wiki.zimbra.com/wiki/Security/Collab/logjam https://wiki.zimbra.com/wiki/Security/Collab/logjam]
* [https://wiki.zimbra.com/wiki/Cipher_suites https://wiki.zimbra.com/wiki/Cipher_suites]

{{Article Footer|Zimbra Collaboration 8.7, 8.6, 8.5, 8.0|06/22/2015}}
{{NeedSME|SME1|SME2|Copyeditor}}