How to obtain an A+ in the Qualys SSL Labs Security Test: Difference between revisions
[[File:Zimbra86-aplus-001.png|800px]]
====Without Proxy====
=====Fix the Logjam issue=====
At this moment, Zimbra can't provide any solution to fix Logjam in Zimbra Collaboration 8.5 or above without a Proxy in front; please install the Proxy role.
=====Tune the Cipher list=====
As the zimbra user, run the following commands to tune the ciphers and disable RC4, etc. If you copy/paste the whole list, sometimes you will need to re-run the one that fails:
<pre>zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA</pre>
Restart the mailbox service
zmmailboxdctl restart
=====Strict Transport Security (HSTS)=====
As the zimbra user, edit the file /opt/zimbra/jetty/etc/jetty.xml.in and search for:
<pre> <Call name="addRule">
   <Arg>
     <New class="org.eclipse.jetty.rewrite.handler.RewritePatternRule">
       <Set name="pattern">/Microsoft-Server-ActiveSync/*</Set>
       <Set name="replacement">/service/extension/zimbrasync</Set>
     </New>
   </Arg>
 </Call></pre>
Write the following just above it:
<pre> <Call name="addRule">
   <Arg>
     <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
       <Set name="pattern">*</Set>
       <Set name="name">Strict-Transport-Security</Set>
       <Set name="value">max-age=15768000; includeSubDomains</Set>
     </New>
   </Arg>
 </Call>
</pre>
Restart the mailbox service
zmmailboxdctl restart
=====The result=====
The result in the SSL Labs test will be:
[[File:Ssllabs-zimbra-8.6.0-noproxy.png|800px]]
===Zimbra Collaboration 8.0.9===
Revision as of 23:21, 25 June 2015
How to obtain an A+ in the Qualys SSL Labs security test
Purpose
List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.
Resolution
Until there is an option in the Admin Console, all of this Wiki uses the CLI.
Zimbra Collaboration 8.7
Work in progress
Zimbra Collaboration 8.6 & 8.5
Using Proxy
Fix the Logjam issue
Zimbra 8.6 uses 1024-bit DH parameters by default. Even if they are secure, the best practice is to use at least 2048 bits, and the Qualys SSL Labs test will give us the A+ when using the correct ones.
As root, create new 2048-bit DH parameters (this will take some minutes):
cd /opt/zimbra/conf
openssl dhparam -out dhparams.pem 2048
chown zimbra:zimbra dhparams.pem
Edit the following 2 files:
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
You need to add the line ssl_dhparam /opt/zimbra/conf/dhparams.pem; before the include, so it looks like:
ssl_verify_client ${ssl.clientcertmode.default};
ssl_verify_depth ${ssl.clientcertdepth.default};
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
include ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
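Before pointing nginx at the new file it is worth confirming that dhparams.pem really contains a 2048-bit group, since a 1024-bit file left over from an earlier run would keep the Logjam finding. The following is an added example (not part of this Wiki or of Zimbra): it reads the PKCS#3 DHParameter structure (SEQUENCE of INTEGER p, INTEGER g) straight from the PEM and returns the bit length of p. The make_dhparams_pem helper only builds a constructed test blob whose modulus is a placeholder number, not a real safe prime; it exists so the check can be exercised offline.

```python
import base64
import re


def _der_len(n):
    """DER length encoding, short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(value):
    """DER INTEGER: big-endian magnitude, leading 0x00 if the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def make_dhparams_pem(bits, generator=2):
    """Constructed test data: a PEM 'DH PARAMETERS' blob whose modulus has
    exactly `bits` bits. The modulus is a placeholder, NOT a safe prime."""
    fake_p = (1 << (bits - 1)) | 1
    seq_body = _der_int(fake_p) + _der_int(generator)
    der = b"\x30" + _der_len(len(seq_body)) + seq_body
    b64 = base64.encodebytes(der).decode().replace("\n", "")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) +
            "\n-----END DH PARAMETERS-----\n")


def _read_der_len(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def dhparam_bits(pem):
    """Bit length of the DH prime p in a PEM 'DH PARAMETERS' blob
    (PKCS#3 DHParameter ::= SEQUENCE { prime INTEGER, base INTEGER, ... })."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block found")
    der = base64.b64decode("".join(m.group(1).split()))
    if der[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = _read_der_len(der, 1)
    if der[pos] != 0x02:
        raise ValueError("expected INTEGER for the prime")
    plen, pos = _read_der_len(der, pos + 1)
    p = int.from_bytes(der[pos:pos + plen], "big")
    return p.bit_length()


def dhparam_ok(pem, minimum=2048):
    """True when the group is at least `minimum` bits (2048 per this Wiki)."""
    return dhparam_bits(pem) >= minimum


if __name__ == "__main__":
    for bits in (1024, 2048):
        pem = make_dhparams_pem(bits)
        print(bits, dhparam_bits(pem), "OK" if dhparam_ok(pem) else "TOO SMALL")
```

On a real server run dhparam_bits(open("/opt/zimbra/conf/dhparams.pem").read()) and expect 2048 after the openssl step above; the first line of openssl dhparam -in dhparams.pem -text -noout reports the same size.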
Tune the Cipher list
As the zimbra user, run the following command to tune the ciphers and disable RC4, etc.:
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
Restart the proxy
zmproxyctl restart
Strict Transport Security (HSTS)
As the root user, edit the file /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and add the following inside the server { section:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
Session resumption (caching)
As the root user, add the following after the add_header line you added in the previous step:
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
Then restart the proxy as the zimbra user:
zmproxyctl restart
The result
The result in the SSL Labs test will be:
Without Proxy
Fix the Logjam issue
At this moment, Zimbra can't provide any solution to fix Logjam in Zimbra Collaboration 8.5 or above without a Proxy in front; please install the Proxy role.
Tune the Cipher list
As the zimbra user, run the following commands to tune the ciphers and disable RC4, etc. If you copy/paste the whole list, sometimes you will need to re-run the one that fails:
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5
zmprov mcf +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA
Restart the mailbox service
zmmailboxdctl restart
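The exclude list above mixes suites that are excluded for very different reasons: export and DES/RC4/MD5 suites because the primitives are broken, and the TLS_RSA_WITH_AES_* suites because static RSA key exchange gives no forward secrecy, not because AES is weak. The following added example (written for this Wiki, not Zimbra's own code) classifies each JSSE suite name from the list by the name-based rules just described; the rules are an assumption of the example, not an authoritative rating, and the same audit applies to the shorter RC4 list in the 8.0.9 section below. The zmprov_exclude_commands helper renders the same zmprov lines the Wiki runs, one per suite that trips a rule, so a pasted list can be checked before it is applied.

```python
import re

# Suites this Wiki excludes via "zmprov mcf +zimbraSSLExcludeCipherSuites ..."
# (the 8.6/8.5 no-proxy list; the 8.0.9 list is a subset of RC4 suites).
EXCLUDED_SUITES = """
SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_DSS_WITH_DES_CBC_SHA
SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
SSL_DHE_RSA_WITH_DES_CBC_SHA SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
SSL_RSA_EXPORT_WITH_RC4_40_MD5 SSL_RSA_WITH_3DES_EDE_CBC_SHA
SSL_RSA_WITH_DES_CBC_SHA SSL_RSA_WITH_RC4_128_MD5 SSL_RSA_WITH_RC4_128_SHA
TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_ECDHE_RSA_WITH_RC4_128_SHA
TLS_RSA_EXPORT_WITH_DES40_CBC_SHA TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_AES_128_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA256
TLS_RSA_WITH_AES_128_GCM_SHA256 TLS_RSA_WITH_DES_CBC_SHA
""".split()

# JSSE names look like TLS_<key exchange>_WITH_<cipher>_<mac>
SUITE_RE = re.compile(r"^(?:SSL|TLS)_(?P<kx>.+?)_WITH_(?P<cipher>.+)$")


def weaknesses(suite):
    """Name-based heuristics (an assumption of this example, not an
    authoritative evaluation) for why a JSSE suite is worth excluding.
    An empty list means no rule matched."""
    m = SUITE_RE.match(suite)
    if not m:
        return ["unrecognised suite name"]
    kx, cipher = m.group("kx"), m.group("cipher")
    reasons = []
    if "EXPORT" in kx:
        reasons.append("export-grade key exchange")
    if kx == "RSA":  # static RSA key exchange, no (EC)DHE
        reasons.append("no forward secrecy (static RSA key exchange)")
    if "DES40" in cipher or re.match(r"^DES_", cipher):
        reasons.append("single DES (40- or 56-bit key)")
    if "3DES" in cipher:
        reasons.append("3DES (64-bit block cipher)")
    if "RC4" in cipher:
        reasons.append("RC4 stream cipher")
    if cipher.endswith("_MD5"):
        reasons.append("MD5 MAC")
    return reasons


def audit(suites):
    """Map each suite name to its list of reasons."""
    return {s: weaknesses(s) for s in suites}


def zmprov_exclude_commands(suites):
    """The zmprov lines this Wiki runs, but only for suites that trip a rule,
    so a pasted list can be reviewed before it is applied."""
    return ["zmprov mcf +zimbraSSLExcludeCipherSuites " + s
            for s in suites if weaknesses(s)]


if __name__ == "__main__":
    for suite, why in audit(EXCLUDED_SUITES).items():
        print("%-42s %s" % (suite, "; ".join(why) or "no issue found"))
```

After the restart, zmprov gcf zimbraSSLExcludeCipherSuites lists what is actually configured; feeding that output to audit() shows at a glance which entries are there for a cipher problem and which only for forward secrecy.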
Strict Transport Security (HSTS)
As the zimbra user, edit the file /opt/zimbra/jetty/etc/jetty.xml.in and search for:
<Call name="addRule">
  <Arg>
    <New class="org.eclipse.jetty.rewrite.handler.RewritePatternRule">
      <Set name="pattern">/Microsoft-Server-ActiveSync/*</Set>
      <Set name="replacement">/service/extension/zimbrasync</Set>
    </New>
  </Arg>
</Call>
Write the following just above it:
<Call name="addRule">
  <Arg>
    <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
      <Set name="pattern">*</Set>
      <Set name="name">Strict-Transport-Security</Set>
      <Set name="value">max-age=15768000; includeSubDomains</Set>
    </New>
  </Arg>
</Call>
Restart the mailbox service
zmmailboxdctl restart
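The two HSTS values this Wiki sets differ in spelling and length: the nginx add_header in the proxy section sends max-age=31536000; includeSubdomains; (one year, trailing semicolon, lower-case d), while the Jetty HeaderPatternRule here sends max-age=15768000; includeSubDomains (six months). Both are valid, because RFC 6797 treats directive names case-insensitively and tolerates empty directives, but a header without max-age is invalid and browsers ignore it. The following added example (not from this Wiki or from Zimbra) parses a Strict-Transport-Security value the way a client does and reports what would cost the grade; the 15768000-second minimum is chosen to match the smaller of the page's two values and is an assumption of the example, not a published grading rule.

```python
# Header values this Wiki sets (nginx proxy and Jetty no-proxy paths), plus
# constructed bad values to show what the check rejects.
PAGE_HEADERS = {
    "nginx add_header": "max-age=31536000; includeSubdomains;",
    "jetty HeaderPatternRule": "max-age=15768000; includeSubDomains",
    "constructed: too short": "max-age=600; includeSubDomains",
    "constructed: missing max-age": "includeSubDomains",
}


def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797: directives are
    ';'-separated, names are case-insensitive, empty and unknown directives
    are ignored. Raises ValueError for a malformed max-age."""
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:  # tolerates the trailing ';' in the nginx value
            continue
        name, _, val = token.partition("=")
        name = name.strip().lower()
        val = val.strip().strip('"')  # quoted-string form is allowed
        if name == "max-age":
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer, got %r" % val)
            result["max_age"] = int(val)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_problems(value, minimum=15768000):
    """List what is wrong with a header value; an empty list means it passes.
    `minimum` is this example's assumed threshold (the Wiki's smaller value)."""
    try:
        parsed = parse_hsts(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if parsed["max_age"] is None:
        problems.append("max-age missing: header is invalid and ignored by browsers")
    elif parsed["max_age"] < minimum:
        problems.append("max-age %d is below the minimum %d"
                        % (parsed["max_age"], minimum))
    if not parsed["include_subdomains"]:
        problems.append("includeSubDomains not set")
    return problems


if __name__ == "__main__":
    for label, header in PAGE_HEADERS.items():
        print("%-30s %s" % (label, "; ".join(hsts_problems(header)) or "OK"))
```

Check the live response rather than the template: curl -sI https://mail.example.com/ | grep -i strict-transport-security (hostname is a placeholder) and pass the value to hsts_problems(). In the proxy setup keep in mind that nginx does not inherit a server-level add_header into a location block that declares its own add_header, so a header present in the template can still be missing from the response the scanner sees.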
The result
The result in the SSL Labs test will be:
Zimbra Collaboration 8.0.9
Generate an SSL Certificate with SHA256
By default, Zimbra Collaboration 8.0.x doesn't generate a valid CSR with a 256-bit hash. To force it, edit the following file as root:
/opt/zimbra/bin/zmcertmgr
And change this line:
${openssl} req -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
To the following one, adding -sha256 to the OpenSSL command:
${openssl} req -sha256 -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
Then you can generate the new CSR, this time with SHA256, following the next Wiki.
Fix the Logjam issue
Zimbra Collaboration 8.0.9 can't fix the issue because the DH cipher key size is hardcoded in Java 1.7. You need to upgrade to Zimbra Collaboration 8.6.
Tune the Cipher list
You will want to disable RC4; run the following commands:
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA
zmprov modifyConfig +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5
zmprov modifyConfig +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
zmcontrol restart
Disable SSLv3 to fix the Poodle
Follow the next Wiki to disable SSLv3 in your Zimbra Collaboration 8.0.x environment.
The result
Using a valid commercial SSL certificate and Zimbra Collaboration Single-Server 8.0.9 with Proxy, the result in the SSL Labs test will be an F, so you need to upgrade to Zimbra Collaboration 8.6 if you want to keep your environment secure:
Additional Content
- Thank you to http://managedhosting.de for the original wiki about disabling Logjam: https://wiki.zimbra.com/wiki/Security/Collab/logjam
- Thank you to Irontec for writing the blog entry about how to generate a CSR with a SHA256 hash.