Difference between revisions of "How to obtain an A+ in the Qualys SSL Labs Security Test"

m (Strict Transport Security (HSTS) & Session resumption (caching))
 
Line 1: Line 1:
{{BC|Certified}}
 
 
__FORCETOC__
 
__FORCETOC__
 
<div class="col-md-12 ibox-content">
 
<div class="col-md-12 ibox-content">
 
= How to obtain an A+ in the Qualys SSL Labs security test =
 
= How to obtain an A+ in the Qualys SSL Labs security test =
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 8.7}}|{{ZCS 8.6}}|{{ZCS 8.0}}|}}
+
{{KB||{{ZCS 9.0}}|{{ZCS 8.8}}|}}
 +
{{WIP}}
  
 
== Purpose ==
 
== Purpose ==
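Review bot: the new {{KB||{{ZCS 9.0}}|{{ZCS 8.8}}|}} call leaves its first positional parameter empty where the previous revision passed {{ZC}}; unless that slot is meant to be blank, restore {{ZC}} so the KB box renders as before. The added {{WIP}} marks the page as work in progress while the body below already promises an A+ result; remember to remove it once the 8.8/9.0 steps have been verified.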
Line 11: Line 11:
 
This wiki requires using the CLI as some options are not available via the Admin Console. '''Please note''': obtaining the best results via the SSL Labs test may not align with your business requirements or environment (e.g. you are still running old equipment like Windows XP, use older Java clients, etc.).  Tune your environment according to your needs.
 
This wiki requires using the CLI as some options are not available via the Admin Console. '''Please note''': obtaining the best results via the SSL Labs test may not align with your business requirements or environment (e.g. you are still running old equipment like Windows XP, use older Java clients, etc.).  Tune your environment according to your needs.
  
=== [[Security/Collab/87|Zimbra Collaboration 8.7.x]] & 8.8===
+
Transport Layer Security (TLS) encrypts data sent over the Internet to ensure that eavesdroppers and hackers are unable to see what you transmit which is particularly useful for private and sensitive information such as passwords, credit card numbers, and personal correspondence. (further reading: https://www.internetsociety.org/deploy360/tls/basics)
ZCS 8.7.x/8.8 defaults to using a 2048-bit DH parameter ([https://bugzilla.zimbra.com/show_bug.cgi?id=99558 bug 99558]) which come from [http://tools.ietf.org/html/rfc3526#page-3 RFC3526 IKE 2048-bit PEM (group 14)] for anything in ZCS that utilizes OpenSSL.
 
  
==== Custom or Stronger DH Parameters ====
+
In this article you will learn how to configure Zimbra to use only strong encryption ciphers for TLS.
In 8.7.x you can generate new/custom DH parameters using a new utility '''zmdhparam''' which calls openssl dhparam.
 
zmdhparam set -new 2048
 
or more secure but it takes more time to generate:
 
zmdhparam set -new 3072
 
  
==== Tune the Cipher list ====
+
= Generate ssl_ciphers for use with zimbraReverseProxySSLCiphers =
As '''zimbra''', run the next command to tune the Ciphers and disable the RC4, etc:
 
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
 
  
Restart the proxy:
+
Since encryption is always evolving it is recommended to use Mozilla SSL Config generator that you can find at https://ssl-config.mozilla.org/
zmproxyctl restart
 
  
==== Strict Transport Security (HSTS) & Session resumption (caching) ====
+
Select <code>Intermediate</code> and <code>Nginx</code> (Zimbra proxy is based on Nginx) at the time of writing this article this will select nginx 1.17.7 and OpenSSL 1.1.1d. The tool also reports the oldest supported clients that work with this configuration: Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9.
Run the next command to add the proper headers to the configuration:
 
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
 
  
Restart the zimbra services
+
From the generated config file copy the value from <code>ssl_ciphers</code>:
zmcontrol restart
 
  
If you want to disable some remaining weak ciphers, please take a look to the [[How_to_obtain_an_A%2B_in_the_Qualys_SSL_Labs_Security_Test#Disable_weak_Ciphers|next step as well]].
+
<pre>ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;</pre>
 +
= Configuring Zimbra =
  
==== The result ====
+
Configure Zimbra to use the above ciphers, and enable TLSv1.2 and TLSv1.3 like this:
The result in the SSL Labs test will be:
 
  
[[File:Ssllabs-zimbra-8.7-proxy.png|800px]]
+
<pre>zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
 +
zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
  
=== [[Security/Collab/86|Zimbra Collaboration 8.6]] & 8.5 ===
+
zmprov -l mcf zimbraReverseProxySSLCiphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
==== Using Proxy ====
 
===== Fix the Logjam issue =====
 
ZCS 8.6 has a default 1024-bit DH parameter. Best practice is to use at least 2048-bit and that is the minimum for an A+ with Qualys SSL Labs.
 
  
As '''zimbra''', create a new 2048 key (it make take several minutes):
+
zmproxyctl restart</pre>
openssl dhparam -out /opt/zimbra/conf/dhparam.pem 2048
+
Also configure Zimbra mailbox to allow the use of TLSv1.3. Open in a text editor <code>/opt/zimbra/conf/localconfig.xml</code> find the line <code>mailboxd_java_options</code> and set <code>TLSv1.2,TLSv1.3</code> in <code>https.protocols</code> and <code>jdk.tls.client.protocols</code>. Example result:
  
Edit the following two files:
+
<pre>&lt;key name=&quot;mailboxd_java_options&quot;&gt;
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
+
  &lt;value&gt;-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true&lt;/value&gt;
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
+
&lt;/key&gt;</pre>
 +
Then restart mailbox, or reboot your server:
  
Add a '''ssl_dhparam''' entry before the '''include''' so that you end up with something like the following:
+
<pre>zmmailboxdctl restart</pre>
ssl_verify_client      ${ssl.clientcertmode.default};
+
= Generate DH parameters =
ssl_verify_depth        ${ssl.clientcertdepth.default};
 
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
 
include                ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
 
  
===== Tune the Cipher list =====
+
Generating DH parameter improves key exchange and mitigates against Logjam attack. Run as Zimbra user. Further reading: https://weakdh.org/
As '''zimbra''', run the next command to tune the Ciphers and disable the RC4, etc:
 
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
 
  
Restart the proxy
+
<pre>su - zimbra
zmproxyctl restart
+
/opt/zimbra/common/bin/openssl dhparam -out /opt/zimbra/conf/dhparam.pem.zcs 3072
 +
zmprov mcf zimbraSSLDHParam /opt/zimbra/conf/dhparam.pem.zcs</pre>
 +
Reboot the server.
  
===== Strict Transport Security (HSTS) =====
+
= Configure additional HTTP headers =
As '''zimbra''', edit these files:
 
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
 
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
 
  
and add the following in the '''server { ... }''' section:
+
The following headers will:
add_header Strict-Transport-Security "max-age=31536000";
 
  
===== Session resumption (caching) =====
+
* Enable HTTP Strict Transport Security (HSTS)
As '''zimbra''', add the following content after the '''add_header''' that you added in the previous step:
+
* Disable search indexing of your server by Google et al.
ssl_session_cache shared:SSL:50m;
 
ssl_session_timeout 5m;
 
  
As '''zimbra''', restart the proxy:
+
<pre>zmprov mcf +zimbraResponseHeader &quot;Strict-Transport-Security: max-age=31536000; includeSubDomains&quot;
zmproxyctl restart
+
zmprov mcf +zimbraResponseHeader &quot;X-XSS-Protection: 1; mode=block&quot;
 +
zmprov mcf +zimbraResponseHeader &quot;X-Content-Type-Options: nosniff&quot;
 +
zmprov mcf +zimbraResponseHeader &quot;X-Robots-Tag: noindex&quot;
 +
zmprov mcf zimbraMailKeepOutWebCrawlers TRUE
 +
zmmailboxdctl restart</pre>
 +
= Validate your settings online using SSL Labs =
  
===== The result =====
+
Go to https://www.ssllabs.com/ssltest/analyze.html and enter the the domain name of your Zimbra server. If you followed the steps in this article you should receive an A+ score and there should be no mention of weak ciphers in the report. This article was written in September 2021. In the report take a look at the client devices listed under <code>Handshake Simulation</code> these will give you an idea of the devices your users can use to connect to your Zimbra server. Also validate there are no weak ciphers listed under <code>Cipher Suites</code>.
The result in the SSL Labs test will be:
 
 
 
[[File:Zimbra86-aplus-001.png|800px]]
 
 
 
==== Without Proxy ====
 
Thank you to Alex that wrote [http://blog.theatticnetwork.net/2014/11/qualys-a-rating-with-zimbra/ '''these steps'''] months ago.
 
 
 
===== Fix the Logjam issue =====
 
At this moment, Zimbra can't provide any solution to fix Logjam in Zimbra Collaboration 8.5 or above without use Proxy in front, please install the Proxy role. Also you can disable the next Cipher plus the next section to avoid logjam, but all the DHE Cipher will be disabled and can cause some troubles:
 
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA
 
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
 
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
 
 
 
===== Tune the Cipher list =====
 
As user '''zimbra''', run the next command to tune the Ciphers and disable the RC4, etc:
 
<pre>zmprov mcf +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_3DES_EDE_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_GCM_SHA256 \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA</pre>
 
 
 
Restart the mailbox service
 
zmmailboxdctl restart
 
 
 
===== Strict Transport Security (HSTS) =====
 
As '''zimbra''' edit the file /opt/zimbra/jetty/etc/jetty.xml.in and search by:
 
<pre>
 
        <Call name="addRule">
 
        <Arg>
 
        <New class="org.eclipse.jetty.rewrite.handler.RewritePatternRule">
 
            <Set name="pattern">/Microsoft-Server-ActiveSync/*</Set>
 
            <Set name="replacement">/service/extension/zimbrasync</Set>
 
        </New>
 
        </Arg>
 
        </Call></pre>
 
Add the following just before that entry:
 
<pre>
 
        <Call name="addRule">
 
          <Arg>
 
              <New class="org.eclipse.jetty.rewrite.handler.HeaderPatternRule">
 
                <Set name="pattern">*</Set>
 
                <Set name="name">Strict-Transport-Security</Set>
 
                <Set name="value">max-age=15768000; includeSubDomains</Set>
 
              </New>
 
          </Arg>
 
        </Call>
 
</pre>
 
 
 
Restart the mailbox service
 
zmmailboxdctl restart
 
 
 
===== The result =====
 
The result if you followed all the previous steps in the SSL Labs test will be:
 
 
 
[[File:Ssllabs-zimbra-8.6.0-noproxy.png|800px]]
 
 
 
If the Logjam steps were not performed, you will obtain a B.
 
 
 
=== Zimbra Collaboration 8.0.9 ===
 
==== Generate a SSL Certificate with SHA256 ====
 
By default, ZCS 8.0.x generated CSRs with SHA1 instead of the now preferred SHA256 hash.  Edit /opt/zimbra/bin/zmcertmgr as root to change the default.
 
 
 
Change this line:
 
${openssl} req -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
 
 
 
To the following (adding the -sha256 to the openssl command):
 
${openssl} req -sha256 -new -${DIGEST} -nodes -out ${current_csr} -keyout ${current_key} \
 
 
 
Use the [[Administration Console and CLI Certificate Tools]] to generate the new CSR (now with a SHA256 hash).
 
 
 
==== Disable SSLv3 to fix POODLE  ====
 
Follow [[How to disable SSLv3]] to disable SSLv3 in your ZCS 8.0.x environment.
 
 
 
==== Disable Client-Initiated SSL renegotiation ====
 
Edit the Jetty template and search by org.eclipse.jetty.server.ssl.SslSelectChannelConnector.  Before the '''Set name="Port"''' line, add a '''allowRenegotiate False''' as follows:
 
 
 
<pre>
 
            <New id="ssl" class="org.eclipse.jetty.server.ssl.SslSelectChannelConnector">
 
              <Set name="allowRenegotiate">FALSE</Set>
 
              <Set name="Port">%%zimbraMailSSLPort%%</Set>
 
</pre>
 
 
 
Restart the mailbox service
 
zmmailboxdctl restart
 
 
 
==== Strict Transport Security (HSTS) ====
 
Add the proper header to the configuration:
 
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
 
 
 
Restart the zimbra services
 
zmcontrol restart
 
 
 
==== Using Proxy ====
 
The first step you need to check if you are using the proxy (nginx) or just mailboxd (jetty):
 
 
 
1. Verify if nginx is listening on port 443, in this case you can see that is jetty and not nignx:
 
lsof -i :443
 
COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
 
java    6637 zimbra  96u  IPv4 198165      0t0  TCP *:https (LISTEN)
 
 
 
2. Enable nginx for https, for POP3 and IMAP reverseproxy, as '''zimbra''' user:
 
./libexec/zmproxyconfig -e -w -o -a 8080:80:8443:443 -x https -H `zmhostname`
 
./libexec/zmproxyconfig -e -m -o -i 7143:143:7993:993 -p 7110:110:7995:995 -H `zmhostname`
 
 
 
3. Sanity check #1
 
zmprov gs `zmhostname` zimbraMailReferMode
 
# name zimbra8.zimbra.io
 
zimbraMailReferMode: reverse-proxied
 
 
 
4. Sanity check #2
 
lsof -i :443
 
COMMAND  PID  USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
 
nginx  31418 zimbra  10u  IPv4 314934      0t0  TCP *:https (LISTEN)
 
nginx  31419 zimbra  10u  IPv4 314934      0t0  TCP *:https (LISTEN)
 
nginx  31420 zimbra  10u  IPv4 314934      0t0  TCP *:https (LISTEN)
 
nginx  31421 zimbra  10u  IPv4 314934      0t0  TCP *:https (LISTEN)
 
 
 
Now you have nginx properly enabled.
 
 
 
===== Fix the Logjam issue =====
 
Zimbra 8.0.x has a default 1024-bit DH parameter. Best practice is to use at least 2048-bit and that is the minimum for an A+ with Qualys SSL Labs.
 
 
 
As '''zimbra''', create a new 2048 key (it make take several minutes):
 
openssl dhparam -out /opt/zimbra/conf/dhparam.pem 2048
 
 
 
Edit the following two files:
 
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
 
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
 
 
 
Add a '''ssl_dhparam''' entry before the '''include''' so that you end up with something like the following:
 
ssl_verify_client      ${ssl.clientcertmode.default};
 
ssl_verify_depth        ${ssl.clientcertdepth.default};
 
ssl_dhparam /opt/zimbra/conf/dhparam.pem;
 
include                ${core.includes}/${core.cprefix}.web.https.mode-${web.mailmode};
 
 
 
===== Disable weak Ciphers =====
 
Disable weak Ciphers, thank you to [[ShanxT-Removing-Insecure-SSL-Ciphers|ShanxT]]. Please note, by eliminating these ciphers, some older clients may stop working:
 
<pre>zmprov mcf +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
 
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA  \
 
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
 
+zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA256 \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA  \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
 
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
 
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256</pre>
 
 
 
===== Tune the Cipher list =====
 
Disable RC4 ciphers with the following command:
 
zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
 
 
 
Restart the mailbox service
 
zmmailboxdctl restart
 
 
 
===== The result =====
 
The result using a valid SSL commercial certificate, and ZCS 8.0.9 Proxy, in the SSL Labs test will be an A+ if you followed all the steps.
 
 
 
[[File:Ssllabs-zimbra-8.0.9-proxyaplus.png|800px]]
 
 
 
==== Without Proxy ====
 
===== Fix the Logjam issue =====
 
At this moment, Zimbra can't provide any solution to fix Logjam in Zimbra Collaboration 8.0.9, you need to upgrade to Zimbra Collaboration 8.6. But you can disable the following Ciphers, plus the next section to avoid logjam, but all the DHE Cipher will be disabled and can cause some troubles in old computers/clients:
 
zmprov mcf +zimbraSSLExcludeCipherSuites \
 
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA  \
 
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
 
+zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA256 \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA  \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
 
+zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
 
+zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256
 
 
 
===== Tune the Cipher list =====
 
As '''zimbra''', run the following command to disable RC4 ciphers:
 
zmprov modifyConfig +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 \
 
  +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA \
 
  +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 \
 
  +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA \
 
  +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA
 
 
 
Restart the mailbox service
 
zmmailboxdctl restart
 
 
 
===== The result =====
 
The result, using a valid SSL commercial certificate and Zimbra Collaboration Single-Server 8.0.9 without Proxy, in the SSL Labs test will be an A if you followed all the steps. If you want to obtain the A+, please upgrade to Zimbra Collaboration 8.6 with Proxy:
 
 
 
[[File:Ssllabs-zimbra-8.0.9-noproxy.png|800px]]
 
 
 
== Additional Content ==
 
* Thank you to [http://managedhosting.de http://managedhosting.de] for the original wiki about disable logjam - [https://wiki.zimbra.com/wiki/Security/Collab/logjam https://wiki.zimbra.com/wiki/Security/Collab/logjam]
 
* Thank you [http://blog.irontec.com/crear-certificados-ssl-con-firma-sha256-en-zimbra/ '''to Irontec to wrote the next Blog entry'''] about how to generate CSR with hash SHA256.
 
 
 
{{Article Footer|Zimbra Collaboration 8.7, 8.6, 8.5, 8.0|06/22/2015}}
 
{{NeedSME|Jorge|Phil|Gayle B.}}
 

Latest revision as of 07:06, 4 September 2021

How to obtain an A+ in the Qualys SSL Labs security test

KB 22051 - Last updated on 2021-09-04






Purpose

List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.

Resolution

This wiki requires using the CLI as some options are not available via the Admin Console. Please note: obtaining the best results via the SSL Labs test may not align with your business requirements or environment (e.g. you are still running old equipment like Windows XP, use older Java clients, etc.). Tune your environment according to your needs.

Transport Layer Security (TLS) encrypts data sent over the Internet so that eavesdroppers and attackers cannot read what you transmit, which is particularly important for private and sensitive information such as passwords, credit card numbers, and personal correspondence (further reading: https://www.internetsociety.org/deploy360/tls/basics).

In this article you will learn how to configure Zimbra to use only strong encryption ciphers for TLS.

Generate ssl_ciphers for use with zimbraReverseProxySSLCiphers

Since encryption best practice is always evolving, it is recommended to use the Mozilla SSL Configuration Generator, which you can find at https://ssl-config.mozilla.org/.

Select Intermediate and Nginx (the Zimbra proxy is based on Nginx); at the time of writing this selects nginx 1.17.7 and OpenSSL 1.1.1d. The tool also reports the oldest supported clients that work with this configuration: Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9.

From the generated config file copy the value from ssl_ciphers:

ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;

Configuring Zimbra

Configure Zimbra to use the above ciphers, and enable TLSv1.2 and TLSv1.3 like this:

zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3

zmprov -l mcf zimbraReverseProxySSLCiphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'

zmproxyctl restart

Also configure the Zimbra mailbox to allow the use of TLSv1.3. Open /opt/zimbra/conf/localconfig.xml in a text editor, find the mailboxd_java_options key, and set TLSv1.2,TLSv1.3 in both https.protocols and jdk.tls.client.protocols. Example result:

<key name="mailboxd_java_options">
  <value>-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true</value>
</key>

Then restart mailboxd, or reboot the server:

zmmailboxdctl restart

Generate DH parameters

Generating your own DH parameter strengthens the DHE key exchange and mitigates the Logjam attack. Run the following as the zimbra user. Further reading: https://weakdh.org/

su - zimbra
/opt/zimbra/common/bin/openssl dhparam -out /opt/zimbra/conf/dhparam.pem.zcs 3072
zmprov mcf zimbraSSLDHParam /opt/zimbra/conf/dhparam.pem.zcs

Reboot the server.

Configure additional HTTP headers

The following commands add response headers that will:

  • Enable HTTP Strict Transport Security (HSTS)
  • Disable search indexing of your server by Google et al.

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains"
zmprov mcf +zimbraResponseHeader "X-XSS-Protection: 1; mode=block"
zmprov mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"
zmprov mcf +zimbraResponseHeader "X-Robots-Tag: noindex"
zmprov mcf zimbraMailKeepOutWebCrawlers TRUE
zmmailboxdctl restart

Validate your settings online using SSL Labs

Go to https://www.ssllabs.com/ssltest/analyze.html and enter the domain name of your Zimbra server. If you followed the steps in this article you should receive an A+ score and there should be no mention of weak ciphers in the report. This article was written in September 2021. In the report, look at the client devices listed under Handshake Simulation; these give you an idea of the devices your users can use to connect to your Zimbra server. Also verify that no weak ciphers are listed under Cipher Suites.
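Before submitting the server to SSL Labs, the three artefacts the steps above produce can be checked locally. The following is an added example written for this article, not Zimbra's own tooling: it validates the protocol properties in localconfig.xml, the cipher string copied from the Mozilla generator, and the response headers set with zimbraResponseHeader, using constructed sample input that mirrors the article's values; probe_headers is a hypothetical helper for fetching the live headers of your own server.

```python
"""Offline checks for the Zimbra TLS hardening steps in this article.

Added example, not Zimbra's own tooling. Sample inputs are constructed to
mirror the article's values (see the lead-in for what is assumed)."""
import http.client
import re
import shlex
import xml.etree.ElementTree as ET

# Cipher list the article copies from the Mozilla "intermediate" profile.
MOZILLA_INTERMEDIATE = (
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
)
WANTED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
MIN_HSTS_AGE = 31536000  # one year, the max-age the article configures
# Forward-secret AEAD suites only: ECDHE/DHE key exchange with GCM or ChaCha20.
STRONG_SUITE = re.compile(
    r"^(ECDHE|DHE)-(RSA|ECDSA)-(AES(128|256)-GCM-SHA(256|384)|CHACHA20-POLY1305)$"
)

def java_options_from_localconfig(xml_text):
    """Return the -D system properties of mailboxd_java_options as a dict."""
    root = ET.fromstring(xml_text)
    for key in root.iter("key"):
        if key.get("name") == "mailboxd_java_options":
            opts = shlex.split(key.findtext("value", ""))
            return dict(o[2:].split("=", 1) for o in opts
                        if o.startswith("-D") and "=" in o)
    return {}

def check_mailboxd_protocols(xml_text):
    """True when both JVM properties allow exactly TLSv1.2 and TLSv1.3."""
    props = java_options_from_localconfig(xml_text)
    return all(set(props.get(p, "").split(",")) == WANTED_PROTOCOLS
               for p in ("https.protocols", "jdk.tls.client.protocols"))

def weak_ciphers(cipher_string):
    """Entries of an OpenSSL-style cipher list that are not forward-secret AEAD suites."""
    return [s for s in cipher_string.rstrip(";").split(":") if not STRONG_SUITE.match(s)]

def check_headers(headers):
    """Names of the article's security headers that are missing or misconfigured."""
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if (not age or int(age.group(1)) < MIN_HSTS_AGE
            or "includesubdomains" not in hsts.lower()):
        problems.append("Strict-Transport-Security")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        problems.append("X-Content-Type-Options")
    if "noindex" not in h.get("x-robots-tag", "").lower():
        problems.append("X-Robots-Tag")
    return problems

def probe_headers(host, port=443):
    """Hypothetical helper: fetch the live response headers of your own server."""
    conn = http.client.HTTPSConnection(host, port, timeout=10)
    conn.request("HEAD", "/")
    return dict(conn.getresponse().getheaders())

# Constructed samples, shortened from the article's localconfig.xml example.
SAMPLE_LOCALCONFIG = """<localconfig>
<key name="mailboxd_java_options">
  <value>-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -XX:+UseG1GC -Djava.net.preferIPv4Stack=true</value>
</key>
</localconfig>"""
SAMPLE_LOCALCONFIG_OLD = SAMPLE_LOCALCONFIG.replace("TLSv1.2,TLSv1.3", "TLSv1.2")
SAMPLE_HEADERS_OK = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "X-Robots-Tag": "noindex",
}

if __name__ == "__main__":
    print("mailboxd protocols ok:", check_mailboxd_protocols(SAMPLE_LOCALCONFIG))
    print("weak suites in configured list:", weak_ciphers(MOZILLA_INTERMEDIATE))
    print("header problems:", check_headers(SAMPLE_HEADERS_OK))
```

Feed weak_ciphers the older zimbraReverseProxySSLCiphers value from earlier revisions of this page and it flags the CBC, non-PFS and keyword entries that the Mozilla intermediate list no longer contains.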