How to obtain an A+ in the Qualys SSL Labs Security Test: Difference between revisions

(Replaced content with "__FORCETOC__ <div class="col-md-12 ibox-content"> = How to obtain an A+ in the Qualys SSL Labs security test = {{KB||{{ZCS 9.0}}|{{ZCS 8.8}}|}} {{WIP}} == Purpose == List...")
 
(42 intermediate revisions by 3 users not shown)
{{WIP}}{{Article Infobox|{{admin}}|{{ZCS 8.7}}|{{ZCS 8.6}}|{{ZCS 8.0}}}}
__FORCETOC__
= How to obtain an A+ in the Qualys SSL Labs security test =
<div class="col-md-12 ibox-content">
{{KB||{{ZCS 9.0}}|{{ZCS 8.8}}|}}

== Purpose ==
List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.

== Resolution ==
Until there is an option in the Admin Console, everything in this wiki is done from the CLI.
 
===Zimbra Collaboration 8.7===
Work in progress
 
===Zimbra Collaboration 8.6 & 8.5===
====Fix the Logjam issue====
Zimbra 8.6 uses 1024-bit DH parameters by default; while those are still considered secure, the best practice is to use at least 2048 bits, and that is what the Qualys SSL Labs test needs to give us the A+.
 
As '''root''', create new 2048-bit DH parameters; this will take some minutes:
cd /opt/zimbra/conf
openssl dhparam -out dhparams.pem 2048
chown zimbra:zimbra dhparams.pem
 
Edit the following two files:
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
 
You need to add the line ssl_dhparam '''/opt/zimbra/conf/dhparams.pem''';, before the include, so it looks like this:
ssl_verify_client      ${ssl.clientcertmode.default};
ssl_verify_depth        ${ssl.clientcertdepth.default};
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
include                ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
 
====Tune the Cipher list====
As the zimbra user, run the following command to tune the ciphers and disable RC4, among others:
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
 
Restart the proxy:
zmproxyctl restart
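To see what the cipher string set above actually enables on a given OpenSSL build, here is an added Python example (not part of the original wiki): it loads the page's own zimbraReverseProxySSLCiphers value into an ssl context, reports any suite that still carries an excluded algorithm, and lists the suites that offer no forward secrecy; the checks themselves are our own, not Zimbra's.

```python
"""Check the zimbraReverseProxySSLCiphers value against the local OpenSSL.
Added example, not part of the original wiki: the cipher string is the one
set with zmprov above, the checks and FORBIDDEN list are our own."""
import ssl

# Exact value passed to: zmprov mcf zimbraReverseProxySSLCiphers '...'
ZIMBRA_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)

# Substrings that must not appear in any suite name after expansion
# (the "!" exclusions in the string are supposed to guarantee this).
FORBIDDEN = ("RC4", "MD5", "NULL", "EXP", "PSK")


def effective_ciphers(cipher_string=ZIMBRA_CIPHERS):
    """Expand the OpenSSL cipher string into the suites it really enables."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises SSLError if nothing matches at all
    # OpenSSL always appends its TLS 1.3 suites, which this string does not
    # control, so only the TLS 1.2 and older entries are reported.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def forbidden_ciphers(ciphers):
    """Suite names that still contain an algorithm the string tried to exclude."""
    return [c["name"] for c in ciphers
            if any(tok in c["name"] for tok in FORBIDDEN)]


def without_forward_secrecy(ciphers):
    """Suites whose key exchange is not ephemeral (EC)DH, e.g. plain RSA."""
    return [c["name"] for c in ciphers if c["kea"] not in ("kx-ecdhe", "kx-dhe")]


if __name__ == "__main__":
    enabled = effective_ciphers()
    print(f"{len(enabled)} TLS<=1.2 suites enabled by the Zimbra cipher string")
    print("excluded algorithms still present:", forbidden_ciphers(enabled) or "none")
    print("no forward secrecy (kept for old clients):", without_forward_secrecy(enabled))
```

The suites reported without forward secrecy (the plain AES128-GCM-SHA256 style entries) are the ones SSL Labs marks as lacking FS; they are kept in the page's string for older clients.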
 
====Strict Transport Security (HSTS)====
As the '''root''' user, edit the file '''/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template''' and add the following inside the '''server {''' section:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
 
====Session resumption (caching)====
As the '''root''' user, add the following after the '''add_header''' line you added in the previous step:
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
 
Then restart the proxy as the '''zimbra''' user:
zmproxyctl restart
 
====The result====
The result in the SSL Labs test will be:
 
[[File:Zimbra86-aplus-001.png|800px]]
 
===Zimbra Collaboration 8.0.9===
====Generate an SSL Certificate with SHA256====
By default, Zimbra Collaboration 8.0.x does not generate a valid CSR with a 256-bit hash. To force it, edit the following file as root:
/opt/zimbra/bin/zmcertmgr
 
And change this line:
${openssl} req -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
 
To the following one, adding -sha256 to the OpenSSL command:
${openssl} req -sha256 -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
 
Then you can generate the new CSR, this time with SHA256; [https://wiki.zimbra.com/wiki/Administration_Console_and_CLI_Certificate_Tools '''follow this wiki'''].
 
====Fix the Logjam issue====
Zimbra Collaboration 8.0.9 cannot fix this issue because the DH key size is hardcoded in Java 1.7. You need to upgrade to Zimbra Collaboration 8.6.
 
====Tune the Cipher list====
You will want to disable RC4; run the following commands:
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA
zmprov modifyConfig +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5
zmprov modifyConfig +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
zmcontrol restart
 
====Disable SSLv3 to fix POODLE====
Follow [http://wiki.zimbra.com/wiki/How_to_disable_SSLv3 '''this wiki to disable SSLv3'''] in your Zimbra Collaboration 8.0.x environment.
 
====The result====
With a valid commercial SSL certificate and the Zimbra Collaboration 8.0.9 proxy, the result in the SSL Labs test will be an F, so you should consider using a proxy based on 8.6 if you want to keep your environment secure:
 
Scenario with a single server and a Zimbra Collaboration 8.6 proxy in front:
 
[[File:Zimbra-mixenvironment-001.png|800px]]
 
Scenario with multiple servers and a Zimbra Collaboration 8.6 proxy in front:
 
[[File:Zimbra-mixenvironment-002.png|800px]]
 
The result of the test '''without''' a proxy on 8.6:
[[File:Ssllabs-zimbra-8.0.9-002.png|800px]]
 
==Additional Content==
* Thank you to [http://managedhosting.de http://managedhosting.de] for the original wiki about disabling Logjam: [https://wiki.zimbra.com/wiki/Security/Collab/logjam https://wiki.zimbra.com/wiki/Security/Collab/logjam]
* Thank you to Irontec for writing [http://blog.irontec.com/crear-certificados-ssl-con-firma-sha256-en-zimbra/ '''this blog entry'''] about how to generate a CSR with a SHA256 hash.
 


{{Article Footer|Zimbra Collaboration 8.7, 8.6, 8.5, 8.0|06/22/2015}}
https://wiki.zimbra.com/wiki/Cipher_suites
{{NeedSME|SME1|SME2|Copyeditor}}

Latest revision as of 06:50, 4 January 2022

How to obtain an A+ in the Qualys SSL Labs security test

   KB 22051        Last updated on 2022-01-4  