How to obtain an A+ in the Qualys SSL Labs Security Test: Difference between revisions

(Replaced content with "__FORCETOC__ <div class="col-md-12 ibox-content"> = How to obtain an A+ in the Qualys SSL Labs security test = {{KB||{{ZCS 9.0}}|{{ZCS 8.8}}|}} {{WIP}} == Purpose == List...")
 
(11 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{BC|Certified}}
__FORCETOC__
__FORCETOC__
<div class="col-md-12 ibox-content">
<div class="col-md-12 ibox-content">
=How to obtain an A+ in the Qualys SSL Labs security test=
= How to obtain an A+ in the Qualys SSL Labs security test =
{{KB|{{ZC}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}}
{{KB||{{ZCS 9.0}}|{{ZCS 8.8}}|}}
{{WIP}}
{{WIP}}
==Purpose==
 
== Purpose ==
List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.
List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.


==Resolution==
== Resolution ==
Until have an option in the Admin Console, all of this Wiki is using the CLI. '''Please note''' that obtain the best result in the SSL Labs test doesn't need to fits with your environment if you are still running old equipment like Windows XP, etc. Tune your environment according to your needs.
 
===Zimbra Collaboration 8.7===
=====Fix the Logjam issue=====
Zimbra 8.7 has per default 1024-bit DH ciphers, as they are secure, the best practice is use at least 2048, and the Qualys SSL Labs test will give us the A+ using the correct ones.
 
Like '''root''', create a new 2048 key, will take some minutes:
cd /opt/zimbra/conf
openssl dhparam -out dhparams.pem 2048
chown zimbra:zimbra dhparams.pem
 
Then like zimbra user, add this file to the environment:
zmprov mcf zimbraReverseProxySSLDHParam "/opt/zimbra/conf/dhparams.pem"
 
=====Tune the Cipher list=====
Like zimbra user, run the next command to tune the Ciphers and disable the RC4, etc:
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
 
Restart the proxy
zmproxyctl restart
 
====Strict Transport Security (HSTS) & Session resumption (caching)====
Run the next command to add the proper header to the configuration:
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
zmprov mcf +zimbraResponseHeader "ssl_session_cache shared:SSL:50m;"
zmprov mcf +zimbraResponseHeader "ssl_session_timeout 5m;
 
Restart the zimbra services
zmcontrol restart
 
=====The result=====
The result in the SSL Labs test will be:
 
[[File:Ssllabs-zimbra-8.7-proxy.png|800px]]
 
===Zimbra Collaboration 8.6 & 8.5===
====Using Proxy====
=====Fix the Logjam issue=====
Zimbra 8.6 has per default 1024-bit DH ciphers, as they are secure, the best practice is use at least 2048, and the Qualys SSL Labs test will give us the A+ using the correct ones.
 
Like '''root''', create a new 2048 key, will take some minutes:
cd /opt/zimbra/conf
openssl dhparam -out dhparams.pem 2048
chown zimbra:zimbra dhparams.pem
 
Edit the next 2 files:
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
 
You need to add the next content, ssl_dhparam '''/opt/zimbra/conf/dhparams.pem''';, before the include, will looks like:
ssl_verify_client      ${ssl.clientcertmode.default};
ssl_verify_depth        ${ssl.clientcertdepth.default};
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
include                ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
 
=====Tune the Cipher list=====
Like zimbra user, run the next command to tune the Ciphers and disable the RC4, etc:
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
 
Restart the proxy
zmproxyctl restart
 
=====Strict Transport Security (HSTS)=====
Like '''root''' user, edit the next 2 files '''/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template''' and '''/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template''', add in the section '''server {''' the next content :
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
 
=====Session resumption (caching)=====
Like '''root''' user, add the next content after the '''add_header''' that you added in the previous step:
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
 
Then restart the proxy like '''zimbra''' user:
zmproxyctl restart
 
=====The result=====
The result in the SSL Labs test will be:
 
[[File:Zimbra86-aplus-001.png|800px]]
 
====Without Proxy====
Thank you to Alex that wrote [http://blog.theatticnetwork.net/2014/11/qualys-a-rating-with-zimbra/ '''this steps'''] months ago.
=====Fix the Logjam issue=====
At this moment, Zimbra can't provide any solution to fix Logjam in Zimbra Collaboration 8.5 or above without use Proxy in front, please install the Proxy role. Also you can disable the next Cipher plus the next section to avoid logjam, but all the DHE Cipher will be disabled and can cause some troubles:
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 
=====Tune the Cipher list=====
Like zimbra user, run the next command to tune the Ciphers and disable the RC4, etc:
<pre>zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA</pre>
 
Restart the mailbox service
zmmailboxdctl restart
 
=====Strict Transport Security (HSTS)=====
Like zimbra user edit the next file /opt/zimbra/jetty/etc/jetty.xml.in and search by:
<pre>        <Call name="addRule">
        <Arg>
        <New class="org.eclipse.jetty.rewrite.handler.RewritePatternRule">
            <Set name="pattern">/Microsoft-Server-ActiveSync/*</Set>
            <Set name="replacement">/service/extension/zimbrasync</Set>
        </New>
        </Arg>
        </Call></pre>
Write just above the next:
<pre>        <Call name="addRule">
          <Arg>
              <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
                <Set name="pattern">*</Set>
                <Set name="name">Strict-Transport-Security</Set>
                <Set name="value">max-age=15768000; includeSubDomains</Set>
              </New>
          </Arg>
        </Call>
</pre>
Restart the mailbox service
zmmailboxdctl restart
 
=====The result=====
The result if you followed all the previous steps in the SSL Labs test will be:
 
[[File:Ssllabs-zimbra-8.6.0-noproxy.png|800px]]
 
If you din't applied the Logjam steps, you will obtain a B.
 
===Zimbra Collaboration 8.0.9===
====Generate a SSL Certificate with SHA256====
Per default, Zimbra Collaboration 8.0.x didn't generate a valid CSR with a 256bit hash. To force it, edit the next file as root:
/opt/zimbra/bin/zmcertmgr
 
And change this line:
${openssl} req -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
 
For the next one, adding the -sha256 to the OpenSSL command:
${openssl} req -sha256 -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
 
Then you can generate the new CSR, this time with a SHA256, [https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools '''follow the next Wiki'''].
 
====Disable SSLv3 to fix the Poodle====
Follow [http://wiki.zimbra.com/wiki/How_to_disable_SSLv3 '''the next Wiki to disable SSLv3'''] in your Zimbra Collaboration 8.0.x environment.
 
====Disable Client-Initiated SSL renegotiation====
You need to edit the Jetty template and search by org.eclipse.jetty.server.ssl.SslSelectChannelConnector, then before the Set name dedicated to port add allowRenegotiate False, like this:
 
<pre>vi /opt/zimbra/jetty/etc/jetty.xml.in
    ...
            <New id="ssl" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
              <Set name="allowRenegotiate">FALSE</Set>
              <Set name="Port">%%zimbraMailSSLPort%%</Set>
</pre>
 
Restart the mailbox service
zmmailboxdctl restart
 
====Strict Transport Security (HSTS)====
Run the next command to add the proper header to the configuration:
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
 
Restart the zimbra services
zmcontrol restart
 
====Using Proxy====
The first step you need to check if you are using the proxy (nginx) or just mailboxd (jetty):
 
1. Verify if nginx is listening on port 443:
lsof -i :443
COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
java    6637 zimbra  96u  IPv4 198165      0t0  TCP *:https (LISTEN)
 
2. Enable nginx for https proxy, as '''zimbra''' user:
./libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`
 
3. Sanity check #1
zmprov gs `zmhostname` zimbraMailReferMode
# name zimbra86.zimbra.io
zimbraMailReferMode: reverse-proxied
 
4. Sanity check #2
lsof -i :443
COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
nginx  31418 zimbra  10u  IPv4 314934      0t0  TCP *:https (LISTEN)
nginx  31419 zimbra  10u  IPv4 314934      0t0  TCP *:https (LISTEN)
nginx  31420 zimbra  10u  IPv4 314934      0t0  TCP *:https (LISTEN)
nginx  31421 zimbra  10u  IPv4 314934      0t0  TCP *:https (LISTEN)
 
Now you have nginx properly enabled.
 
=====Fix the Logjam issue=====
Zimbra 8.0.x uses, by default, 1024 bit DH parameters.  However, the current best practice is use at least 2048 bits, and the Qualys SSL Labs test will give us the A+ by doing so.
 
As '''root''', create a new set of 2048 bit parameters. Note, this will take a few minutes:
cd /opt/zimbra/conf
openssl dhparam -out dhparams.pem 2048
chown zimbra:zimbra dhparams.pem
 
Edit the following two files:
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
 
You need to add the following content, "ssl_dhparam '''/opt/zimbra/conf/dhparams.pem''';", before the include. It will look like:
ssl_verify_client      ${ssl.clientcertmode.default};
ssl_verify_depth        ${ssl.clientcertdepth.default};
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
include                ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
 
=====Disable weak Ciphers=====
Disable weak Ciphers, thank you to [[ShanxT-Removing-Insecure-SSL-Ciphers|ShanxT]]. Please note, by eliminating these ciphers, some older clients may stop working:
<pre>zmprov mcf +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
+zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA  \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA  \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256</pre>
 
=====Tune the Cipher list=====
You will want to disable the RC4, run the nex command:
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
 
Restart the mailbox service
zmmailboxdctl restart
 
=====The result=====
The result using a valid SSL commercial certificate, and Zimbra Collaboration Single-Server 8.0.9 Proxy, in the SSL Labs test will be an A+ if you followed all the steps.
 
[[File:Ssllabs-zimbra-8.0.9-proxyaplus.png|800px]]
 
====Without Proxy====
=====Fix the Logjam issue=====
At this moment, Zimbra can't provide any solution to fix Logjam in Zimbra Collaboration 8.0.9, you need to upgrade to Zimbra Collaboration 8.6. But you can disable the next Ciphers, plus the next section to avoid logjam, but all the DHE Cipher will be disabled and can cause some troubles in old computers/clients:
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
+zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA  \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA  \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
 
=====Tune the Cipher list=====
Like zimbra user, run the next command to tune the Ciphers and disable the RC4, etc:
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 \
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 \
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA \
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
 
Restart the mailbox service
zmmailboxdctl restart
 
=====The result=====
The result using a valid SSL commercial certificate, and Zimbra Collaboration Single-Server 8.0.9 without Proxy, in the SSL Labs test will be an A if you followed all the steps, if you want to obtain the A+, please upgrade to Zimbra Collaboration 8.6 with Proxy:
 
[[File:Ssllabs-zimbra-8.0.9-noproxy.png|800px]]
 
==Additional Content==
* Thank you to [http://managedhosting.de http://managedhosting.de] for the original wiki about disable logjam - [https://wiki.zimbra.com/wiki/Security/Collab/logjam https://wiki.zimbra.com/wiki/Security/Collab/logjam]
* Thank you [http://blog.irontec.com/crear-certificados-ssl-con-firma-sha256-en-zimbra/ '''to Irontec to wrote the next Blog entry'''] about how to generate CSR with hash SHA256.
 


{{Article Footer|Zimbra Collaboration 8.7, 8.6, 8.5, 8.0|06/22/2015}}
https://wiki.zimbra.com/wiki/Cipher_suites
{{NeedSME|SME1|SME2|Copyeditor}}

Latest revision as of 06:50, 4 January 2022

How to obtain an A+ in the Qualys SSL Labs security test

   KB 22051        Last updated on 2022-01-4  




0.00
(0 votes)


Purpose

List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.

Resolution

https://wiki.zimbra.com/wiki/Cipher_suites

Jump to: navigation, search