How to obtain an A+ in the Qualys SSL Labs Security Test
Purpose
List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.
Resolution
Until there is an option in the Admin Console, everything in this wiki is done from the CLI.
Zimbra Collaboration 8.7
Work in progress
Zimbra Collaboration 8.6 & 8.5
Fix the Logjam issue
Zimbra 8.6 ships with 1024-bit DH parameters by default. Although they are secure, best practice is to use at least 2048 bits, and the Qualys SSL Labs test will give us the A+ once the correct ones are in place.
As root, create a new 2048-bit DH parameter file; this will take some minutes:
cd /opt/zimbra/conf
openssl dhparam -out dhparams.pem 2048
chown zimbra:zimbra dhparams.pem
Edit the following two files:
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
In each one, add the line ssl_dhparam /opt/zimbra/conf/dhparams.pem; just before the include line, so that the section looks like this:
ssl_verify_client ${ssl.clientcertmode.default};
ssl_verify_depth ${ssl.clientcertdepth.default};
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
include ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
Tune the Cipher list
As the zimbra user, run the following command to tune the cipher list and disable RC4 and the other weak ciphers:
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
Restart the proxy
zmproxyctl restart
Strict Transport Security (HSTS)
As the root user, edit the file /opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template and add the following line inside the server { section:
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
Session resumption (caching)
As the root user, add the following lines right after the add_header line you added in the previous step:
ssl_session_cache shared:SSL:50m;
ssl_session_timeout 5m;
Then restart the proxy as the zimbra user:
zmproxyctl restart
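The template edits above (ssl_dhparam before the include, the HSTS header and the session cache inside server {) are easy to apply twice or to the wrong spot by hand. The following script is an added example, not part of the Zimbra wiki or product: it applies the three edits idempotently and checks the result. It assumes the template layout shown above; the function names and the sample template are constructed for illustration, while the paths and directive values are the article's.

```shell
#!/bin/sh
# Added example (not Zimbra's code): idempotent template edits + a check.
# Assumes an "include ${core.includes}/..." line inside a "server {" block,
# as the article shows. Run harden_https_template as root, then zmproxyctl restart.
DHPARAM='ssl_dhparam /opt/zimbra/conf/dhparams.pem;'
HSTS='add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";'
SESSION='ssl_session_cache shared:SSL:50m; ssl_session_timeout 5m;'
INCLUDE='include ${core.includes}'

# insert_line FILE before|after PATTERN LINE: add LINE once, next to the first
# line containing PATTERN, reusing its indent (one level deeper when placed
# after a line that opens a "{" block). Exit 1 and leave FILE untouched when
# PATTERN is absent, so an unexpected template is never blindly edited.
insert_line() {
    grep -qF "$4" "$1" && return 0        # already applied
    grep -qF "$3" "$1" || return 1        # layout not as expected
    awk -v mode="$2" -v pat="$3" -v line="$4" '
        !done && index($0, pat) {
            match($0, /^[ \t]*/); ind = substr($0, 1, RLENGTH); done = 1
            if (mode == "before") { print ind line; print; next }
            if ($0 ~ /\{[ \t]*$/) ind = ind "    "
            print; print ind line; next
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# harden_https_template FILE: Logjam fix, HSTS header, then the session cache
# directly after the header, in the order the article gives the steps.
harden_https_template() {
    insert_line "$1" before "$INCLUDE" "$DHPARAM" &&
    insert_line "$1" after 'server {' "$HSTS" &&
    insert_line "$1" after "$HSTS" "$SESSION"
}

# check_https_template FILE: 0 when all three directives are present and
# ordered (ssl_dhparam above the include, session cache below the header).
check_https_template() {
    d=$(grep -nF "$DHPARAM" "$1" | cut -d: -f1 | head -n1)
    i=$(grep -nF "$INCLUDE" "$1" | cut -d: -f1 | head -n1)
    h=$(grep -nF "$HSTS" "$1" | cut -d: -f1 | head -n1)
    s=$(grep -nF "$SESSION" "$1" | cut -d: -f1 | head -n1)
    [ -n "$d" ] && [ -n "$i" ] && [ -n "$h" ] && [ -n "$s" ] &&
        [ "$d" -lt "$i" ] && [ "$h" -lt "$s" ]
}

# make_sample_template FILE: constructed stand-in for the real template, so
# the functions can be tried without touching /opt/zimbra.
make_sample_template() {
    printf '%s\n' 'server {' '    ssl_verify_client ${ssl.clientcertmode.default};' \
        '    ssl_verify_depth ${ssl.clientcertdepth.default};' \
        '    include ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};' '}' > "$1"
}
```

Note that includeSubdomains makes browsers insist on HTTPS for every subdomain of the host for a full year, so confirm that all of them serve TLS before applying the header.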
The result
The result in the SSL Labs test will be:
Zimbra Collaboration 8.0.9
Work in progress
Additional Content
- Thank you to http://managedhosting.de for the original wiki about disabling Logjam - https://wiki.zimbra.com/wiki/Security/Collab/logjam