How to obtain an A+ in the Qualys SSL Labs Security Test: Difference between revisions

(Replaced content with "__FORCETOC__ <div class="col-md-12 ibox-content"> = How to obtain an A+ in the Qualys SSL Labs security test = {{KB||{{ZCS 9.0}}|{{ZCS 8.8}}|}} {{WIP}} == Purpose == List...")
 
(37 intermediate revisions by 3 users not shown)
{{WIP}}{{Article Infobox|{{admin}}|{{ZCS 8.7}}|{{ZCS 8.6}}|{{ZCS 8.0}}}}
{{KB||{{ZCS 9.0}}|{{ZCS 8.8}}|}}
__FORCETOC__
=How to obtain an A+ in the Qualys SSL Labs security test=
<div class="col-md-12 ibox-content">
==Purpose==
List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.


==Resolution==
Until there is an option in the Admin Console, everything in this Wiki is done with the CLI.
 
===Zimbra Collaboration 8.7===
Work in progress
 
===Zimbra Collaboration 8.6 & 8.5===
====Using Proxy====
=====Fix the Logjam issue=====
Zimbra 8.6 uses 1024-bit DH parameters by default. Although they are secure, best practice is to use at least 2048 bits, and with the correct ones the Qualys SSL Labs test will give us the A+.
 
As '''root''', create new 2048-bit DH parameters; this will take some minutes:
<pre>cd /opt/zimbra/conf
openssl dhparam -out dhparams.pem 2048
chown zimbra:zimbra dhparams.pem</pre>
 
Edit the following two files:
<pre>/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template</pre>
 
In each of them, add the line '''ssl_dhparam /opt/zimbra/conf/dhparams.pem;''' before the include, so that the section looks like this:
<pre>ssl_verify_client      ${ssl.clientcertmode.default};
ssl_verify_depth        ${ssl.clientcertdepth.default};
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
include                ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};</pre>
 
=====Tune the Cipher list=====
As the zimbra user, run the following command to tune the cipher list and disable RC4 and the other weak ciphers:
<pre>zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'</pre>
 
Restart the proxy:
<pre>zmproxyctl restart</pre>
 
=====Strict Transport Security (HSTS)=====
As the '''root''' user, edit the file '''/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template''' and add the following inside the '''server {''' section:
<pre>add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";</pre>
 
=====Session resumption (caching)=====
As the '''root''' user, add the following after the '''add_header''' line you added in the previous step:
<pre>ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;</pre>
 
Then restart the proxy as the '''zimbra''' user:
<pre>zmproxyctl restart</pre>
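Before running the SSL Labs test it helps to confirm locally that the three proxy changes above (2048-bit DH parameters, the HSTS header and the session cache) actually took effect. The script below is an added example, not part of this Wiki or of Zimbra's tooling: it parses the output of curl and openssl s_client for the Strict-Transport-Security header, the ephemeral key size and session reuse. The host name, the sample outputs and the minimum max-age of 15768000 seconds (the smaller of the two values used on this page) are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from this Wiki or from Zimbra): check the HSTS header,
# the ephemeral key exchange and session resumption from curl / s_client
# output. The parsers take the text as an argument, so they can be run on
# the constructed samples at the bottom without contacting a server.

HSTS_MIN=15768000   # the smaller of the two max-age values used on this page

# hsts_max_age HEADERS: print the max-age of Strict-Transport-Security
# (empty if the header is absent); header names are matched case-insensitively.
hsts_max_age() {
    printf '%s\n' "$1" | tr -d '\r' | awk -F':[ \t]*' '
        tolower($1) == "strict-transport-security" && match($2, /max-age=[0-9]+/) {
            print substr($2, RSTART + 8, RLENGTH - 8); exit
        }'
}

# hsts_ok HEADERS: true if HSTS is present with max-age >= HSTS_MIN
hsts_ok() {
    age=$(hsts_max_age "$1")
    [ -n "$age" ] && [ "$age" -ge "$HSTS_MIN" ]
}

# temp_key S_CLIENT_OUTPUT: print the "Server Temp Key" value,
# e.g. "DH, 2048 bits" or "ECDH, P-256, 256 bits"
temp_key() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^Server Temp Key: *//p' | head -n 1
}

# kex_ok S_CLIENT_OUTPUT: true if the ephemeral key is strong enough:
# finite-field DH needs >= 2048 bits (Logjam), ECDH >= 256 bits;
# X25519/X448 are fixed-size curves and always pass.
kex_ok() {
    key=$(temp_key "$1")
    [ -n "$key" ] || return 1
    bits=$(printf '%s\n' "$key" | awk '{ for (i = 1; i < NF; i++) if ($(i+1) == "bits") print $i }')
    case $key in
        DH,*)          [ "${bits:-0}" -ge 2048 ] ;;
        ECDH,*)        [ "${bits:-0}" -ge 256 ] ;;
        X25519*|X448*) return 0 ;;
        *)             return 1 ;;
    esac
}

# session_reused S_CLIENT_RECONNECT_OUTPUT: true if `openssl s_client -reconnect`
# reported at least one "Reused, ..." handshake, i.e. the session cache works.
session_reused() {
    n=$(printf '%s\n' "$1" | grep -c '^Reused,' || true)
    [ "$n" -ge 1 ]
}

# check_live HOST: run the checks against a real server (needs network access;
# not run by default). RC4 must be refused after the cipher-list change; note
# that a client OpenSSL built without RC4 also reports "refused".
check_live() {
    host=$1
    hdrs=$(curl -sI "https://$host/")
    sc=$(openssl s_client -connect "$host:443" -servername "$host" -reconnect </dev/null 2>/dev/null)
    hsts_ok "$hdrs"      && echo "HSTS: ok"               || echo "HSTS: missing or max-age too short"
    kex_ok "$sc"         && echo "key exchange: ok"       || echo "key exchange: weak or unknown"
    session_reused "$sc" && echo "session resumption: ok" || echo "session resumption: not working"
    if openssl s_client -connect "$host:443" -servername "$host" -cipher RC4 </dev/null >/dev/null 2>&1
    then echo "RC4: still accepted"; else echo "RC4: refused"; fi
}

# Constructed samples in the shape of the tool output (not real captures):
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubdomains;
Content-Type: text/html'

SAMPLE_SCLIENT='New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Server public key is 2048 bit
Server Temp Key: DH, 2048 bits
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
Reused, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256'

# Usage: sh check_tls.sh mail.example.com
if [ $# -ge 1 ]; then check_live "$1"; fi
```

Run it with the proxy host name as the only argument; a failed "key exchange" line after the dhparams change usually means the proxy was not restarted or the ssl_dhparam line ended up after the include.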
 
=====The result=====
The result in the SSL Labs test will be:
 
[[File:Zimbra86-aplus-001.png|800px]]
 
====Without Proxy====
Thanks to Alex, who wrote [http://blog.theatticnetwork.net/2014/11/qualys-a-rating-with-zimbra/ these steps] months ago.
=====Fix the Logjam issue=====
At this moment Zimbra cannot provide a fix for Logjam in Zimbra Collaboration 8.5 or above without a Proxy in front; please install the Proxy role.
 
=====Tune the Cipher list=====
As the zimbra user, run the following commands to tune the cipher list and disable RC4 and the other weak suites. If you copy and paste the whole list, a line will sometimes fail; re-run any that do:
<pre>zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA</pre>
 
Restart the mailbox service:
<pre>zmmailboxdctl restart</pre>
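Because a single mistyped suite name makes zmprov fail and silently stops the rest of a pasted list, the following added script (not from this Wiki or from Zimbra's tooling) applies the exclusions one per call and prints exactly the names that were rejected, so only those need to be corrected and re-run. It assumes zmprov is on the PATH of the zimbra user; the ZMPROV variable and the "apply" argument are the example's own.

```shell
#!/bin/sh
# Added example (not Zimbra tooling): apply cipher-suite exclusions one at a
# time so that one rejected name does not stop the rest, then report which
# names zmprov refused. ZMPROV can be pointed at a stub for a dry run.
ZMPROV=${ZMPROV:-zmprov}

# exclude_suites: reads suite names from stdin (one per line; blank lines and
# "#" comments are skipped), prints the names zmprov rejected, returns 1 if any.
exclude_suites() {
    failed=0
    while IFS= read -r suite; do
        case $suite in ''|'#'*) continue ;; esac
        if "$ZMPROV" mcf +zimbraSSLExcludeCipherSuites "$suite" >/dev/null 2>&1; then
            :
        else
            echo "$suite"
            failed=1
        fi
    done
    return $failed
}

# show_excluded: print what is now configured
# (one "zimbraSSLExcludeCipherSuites: NAME" line per suite)
show_excluded() { "$ZMPROV" gcf zimbraSSLExcludeCipherSuites; }

# With "apply", read the list from stdin:  sh exclude.sh apply < suites.txt
# The mailbox service is restarted only when every name was accepted.
if [ "${1:-}" = apply ]; then
    if exclude_suites; then
        zmmailboxdctl restart
    else
        echo "some suites were rejected; fix the names above and re-run" >&2
        exit 1
    fi
fi
```

Put the suite names from the list above in suites.txt, one per line, and run the script as the zimbra user; a rejected name is printed verbatim so it can be compared against the names zmprov accepts.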
 
=====Strict Transport Security (HSTS)=====
As the zimbra user, edit the file /opt/zimbra/jetty/etc/jetty.xml.in and search for:
<pre>        <Call name="addRule">
        <Arg>
        <New class="org.eclipse.jetty.rewrite.handler.RewritePatternRule">
            <Set name="pattern">/Microsoft-Server-ActiveSync/*</Set>
            <Set name="replacement">/service/extension/zimbrasync</Set>
        </New>
        </Arg>
        </Call></pre>
Insert the following just above it:
<pre>        <Call name="addRule">
          <Arg>
              <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                <Set name="pattern">*</Set>
                <Set name="name">Strict-Transport-Security</Set>
                <Set name="value">max-age=15768000; includeSubDomains</Set>
              </New>
          </Arg>
        </Call>
</pre>
Restart the mailbox service:
<pre>zmmailboxdctl restart</pre>
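Two steps on this page are "insert this before that line" edits: the ssl_dhparam line before the https-mode include in the two nginx templates (Logjam fix, proxy setup) and the HSTS HeaderPatternRule above the ActiveSync rewrite rule in jetty.xml.in (this step, no-proxy setup). Both are easy to get wrong by hand and to apply twice on a re-run. The script below is an added example, not part of this Wiki or of Zimbra's tooling: one small awk helper makes either edit idempotently, and the DH parameters are checked to really be 2048 bits before they are used. File paths, fragments and markers are the ones quoted on this page; the assumption that the opening <Call name="addRule"> sits exactly three lines above the ActiveSync pattern comes from the excerpt above and should be checked against your own jetty.xml.in.

```shell
#!/bin/sh
# Added example (not Zimbra's own tooling): apply the two "insert before this
# line" edits from this page with one idempotent helper. Paths and markers are
# the ones quoted on the page; the 3-lines-above offset for jetty.xml.in is an
# assumption taken from the page's excerpt.

# insert_before FILE MARKER KEY FRAGMENT_FILE [LINES_ABOVE]
#   Insert the contents of FRAGMENT_FILE LINES_ABOVE lines (default 0) before
#   the first line of FILE that contains the fixed string MARKER.
#   Idempotent: if KEY already occurs in FILE nothing is changed.
#   Returns 1 if MARKER is not found. The file is rewritten in place, so the
#   ownership and permissions of the original are preserved.
insert_before() {
    file=$1; marker=$2; key=$3; fragment=$4; up=${5:-0}
    if grep -qF -- "$key" "$file"; then
        return 0                      # already applied
    fi
    if ! grep -qF -- "$marker" "$file"; then
        echo "insert_before: marker not found in $file: $marker" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -v marker="$marker" -v fragment="$fragment" -v up="$up" '
        function flush(  i) { for (i = 1; i <= n; i++) print buf[i]; n = 0 }
        # marker line reached: emit the fragment before the buffered lines
        !done && index($0, marker) {
            while ((getline line < fragment) > 0) print line
            close(fragment)
            done = 1
        }
        # keep a sliding window of the last "up" lines
        {
            buf[++n] = $0
            if (n > up) {
                print buf[1]
                for (i = 2; i <= n; i++) buf[i - 1] = buf[i]
                n--
            }
        }
        END { flush() }
    ' "$file" > "$tmp" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# make_dhparams OUT [BITS]: generate DH parameters (minutes for 2048 bits) and
# confirm the size before nginx is pointed at the file.
make_dhparams() {
    out=$1; bits=${2:-2048}
    openssl dhparam -out "$out" "$bits" 2>/dev/null || return 1
    openssl dhparam -in "$out" -text -noout | grep -q "($bits bit)"
}

NGINX_TEMPLATES='/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template'

apply_nginx_dhparam() {     # run as root (proxy setup), then zmproxyctl restart as zimbra
    make_dhparams /opt/zimbra/conf/dhparams.pem 2048 || return 1
    chown zimbra:zimbra /opt/zimbra/conf/dhparams.pem
    frag=$(mktemp)
    echo 'ssl_dhparam /opt/zimbra/conf/dhparams.pem;' > "$frag"
    for t in $NGINX_TEMPLATES; do
        insert_before "$t" '${core.cprefix}.web.https.mode-' ssl_dhparam "$frag" 0
    done
    rm -f "$frag"
}

apply_jetty_hsts() {        # run as zimbra (no-proxy setup), then zmmailboxdctl restart
    frag=$(mktemp)
    cat > "$frag" <<'EOF'
        <Call name="addRule">
          <Arg>
              <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                <Set name="pattern">*</Set>
                <Set name="name">Strict-Transport-Security</Set>
                <Set name="value">max-age=15768000; includeSubDomains</Set>
              </New>
          </Arg>
        </Call>
EOF
    insert_before /opt/zimbra/jetty/etc/jetty.xml.in '/Microsoft-Server-ActiveSync/*' \
        Strict-Transport-Security "$frag" 3
    rm -f "$frag"
}

# Usage: sh apply_edits.sh nginx   |   sh apply_edits.sh jetty
case "${1:-}" in
    nginx) apply_nginx_dhparam ;;
    jetty) apply_jetty_hsts ;;
esac
```

The idempotence key is deliberately separate from the marker: for jetty.xml.in the fragment's first line (<Call name="addRule">) occurs many times, so the presence of Strict-Transport-Security is what decides whether the rule was already added.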
 
=====The result=====
The result in the SSL Labs test will be:
 
[[File:Ssllabs-zimbra-8.6.0-noproxy.png|800px]]
 
===Zimbra Collaboration 8.0.9===
====Generate an SSL Certificate with SHA256====
By default, Zimbra Collaboration 8.0.x does not generate a valid CSR with a 256-bit (SHA-256) hash. To force it, edit the following file as root:
<pre>/opt/zimbra/bin/zmcertmgr</pre>
 
Change this line:
<pre>${openssl} req -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \</pre>
 
to the following, adding -sha256 to the OpenSSL command:
<pre>${openssl} req -sha256 -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \</pre>
 
Then you can generate the new CSR, this time with SHA-256; [https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools '''follow this Wiki'''].
 
====Fix the Logjam issue====
Zimbra Collaboration 8.0.9 cannot fix this issue because the DH key size is hardcoded in Java 1.7; you need to upgrade to Zimbra Collaboration 8.6.
 
====Tune the Cipher list====
You will want to disable RC4; run the following commands:
<pre>zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA
zmprov modifyConfig +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5
zmprov modifyConfig +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
zmcontrol restart</pre>
 
====Disable SSLv3 to fix the Poodle====
Follow [http://wiki.zimbra.com/wiki/How_to_disable_SSLv3 '''this Wiki to disable SSLv3'''] in your Zimbra Collaboration 8.0.x environment.
 
====The result====
The result using a valid SSL commercial certificate, and Zimbra Collaboration Single-Server 8.0.9 Proxy, in the SSL Labs test will be an F, so you need to upgrade to Zimbra Collaboration 8.6 if you want to keep your environment secure:
 
[[File:Ssllabs-zimbra-8.0.9-002.png|800px]]
 
==Additional Content==
* Thank you to [http://managedhosting.de http://managedhosting.de] for the original wiki about disabling Logjam: [https://wiki.zimbra.com/wiki/Security/Collab/logjam https://wiki.zimbra.com/wiki/Security/Collab/logjam]
* Thank you to Irontec for writing [http://blog.irontec.com/crear-certificados-ssl-con-firma-sha256-en-zimbra/ '''this blog entry'''] about how to generate a CSR with a SHA-256 hash.
 


{{Article Footer|Zimbra Collaboration 8.7, 8.6, 8.5, 8.0|06/22/2015}}
https://wiki.zimbra.com/wiki/Cipher_suites
{{NeedSME|SME1|SME2|Copyeditor}}

Latest revision as of 06:50, 4 January 2022

How to obtain an A+ in the Qualys SSL Labs security test

   KB 22051        Last updated on 2022-01-4  






Purpose

List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.

Resolution

https://wiki.zimbra.com/wiki/Cipher_suites
