How to obtain an A+ in the Qualys SSL Labs Security Test: Difference between revisions

== Resolution ==
This article requires using the CLI, as some options are not available via the Admin Console. '''Please note''': obtaining the best results in the SSL Labs test may not align with your business requirements or environment (e.g. you still run old equipment such as Windows XP, or older Java clients). Tune your environment according to your needs.


Transport Layer Security (TLS) encrypts data sent over the Internet so that eavesdroppers and hackers are unable to see what you transmit, which is particularly important for private and sensitive information such as passwords, credit card numbers, and personal correspondence. Further reading: https://www.internetsociety.org/deploy360/tls/basics and https://wiki.zimbra.com/wiki/Cipher_suites
 
In this article you will learn how to configure Zimbra to use only strong encryption ciphers for TLS.
 
= Generate ssl_ciphers for use with zimbraReverseProxySSLCiphers =
 
Since encryption is always evolving it is recommended to use Mozilla SSL Config generator that you can find at https://ssl-config.mozilla.org/
 
Select <code>Intermediate</code> and <code>Nginx</code> (the Zimbra proxy is based on Nginx). At the time of writing this article, this selects nginx 1.17.7 and OpenSSL 1.1.1d. The tool also reports the oldest clients that work with this configuration: Firefox 27, Android 4.4.2, Chrome 31, Edge, IE 11 on Windows 7, Java 8u31, OpenSSL 1.0.1, Opera 20, and Safari 9.
 
From the generated config file copy the value from <code>ssl_ciphers</code>:
 
<pre>ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;</pre>
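Before pasting a cipher list into <code>zimbraReverseProxySSLCiphers</code> it is worth checking that every suite still meets the policy the Intermediate profile stands for (forward-secret key exchange, AEAD cipher, no broken primitives). The following POSIX shell script is an added example and is not part of this article or of Zimbra; the function names <code>ciphers_from_nginx_line</code> and <code>check_cipher_list</code> are my own, and the weak-suite patterns are a deliberately simple string policy, not an OpenSSL cipher-string parser.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki: audit an OpenSSL-style cipher list
# before it goes into zimbraReverseProxySSLCiphers.  Every suite must use a
# forward-secret key exchange (ECDHE or DHE) and an AEAD cipher (AES-GCM or
# CHACHA20-POLY1305); anything else is listed with a reason so it can be
# removed before the proxy is reconfigured.

# ciphers_from_nginx_line 'ssl_ciphers A:B:C;'  -> prints A:B:C
ciphers_from_nginx_line() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*ssl_ciphers[[:space:]]*\([^;]*\);.*/\1/p'
}

# check_cipher_list 'A:B:C'  -> prints one line per rejected suite,
# returns 0 when every suite passes and 1 otherwise
check_cipher_list() {
    rc=0
    # Split the colon-separated list into positional parameters.
    set -- $(printf '%s' "$1" | tr ':' ' ')
    [ $# -gt 0 ] || { echo "empty cipher list"; return 1; }
    for suite in "$@"; do
        # Broken primitives: NULL/EXPORT ciphers, RC4, (3)DES, MD5.
        case "$suite" in
            *NULL*|*EXPORT*|*RC4*|*DES*|*MD5*)
                echo "broken-primitive: $suite"; rc=1; continue ;;
        esac
        # Key exchange must be ephemeral (forward secrecy).
        case "$suite" in
            ECDHE-*|DHE-*) ;;
            *) echo "no-forward-secrecy: $suite"; rc=1; continue ;;
        esac
        # Bulk cipher must be AEAD (no CBC suites).
        case "$suite" in
            *-GCM-*|*-CHACHA20-POLY1305) ;;
            *) echo "not-aead: $suite"; rc=1 ;;
        esac
    done
    return $rc
}

# The list the article copies from the Mozilla generator's Intermediate profile.
MOZILLA_INTERMEDIATE=$(ciphers_from_nginx_line 'ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;')
check_cipher_list "$MOZILLA_INTERMEDIATE" && echo "cipher list OK: all suites forward-secret and AEAD"
```

Run it against any list you are about to deploy, e.g. <code>check_cipher_list "$(zmprov gcf zimbraReverseProxySSLCiphers | cut -d' ' -f2)"</code>, and fix every reported suite before restarting the proxy. The checks are string-based on purpose: they catch the common mistakes (a leftover CBC suite, an RSA key exchange, RC4 or 3DES) without depending on the OpenSSL version installed on the host.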
= Configuring Zimbra =
 
Configure Zimbra to use the above ciphers, and enable TLSv1.2 and TLSv1.3 like this:
 
<pre>zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
 
zmprov -l mcf zimbraReverseProxySSLCiphers 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384'
 
zmproxyctl restart</pre>
Also configure the Zimbra mailbox to allow the use of TLSv1.3. Open <code>/opt/zimbra/conf/localconfig.xml</code> in a text editor, find the <code>mailboxd_java_options</code> key, and set <code>TLSv1.2,TLSv1.3</code> in both <code>https.protocols</code> and <code>jdk.tls.client.protocols</code>. Example result:
 
<pre><key name="mailboxd_java_options">
  <value>-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true</value>
</key></pre>
Then restart mailbox, or reboot your server:
 
<pre>zmmailboxdctl restart</pre>
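Editing the long <code>mailboxd_java_options</code> value by hand is error-prone, and the edit has to survive being repeated (for example by a configuration-management run). The following POSIX shell script is an added example and is not part of this article or of Zimbra: it sets or replaces a single <code>-D</code> option inside that value and leaves every other JVM flag untouched. The function names, the abbreviated sample file, and its starting value of <code>-Dhttps.protocols=TLSv1.2</code> are my own constructions; on a real server point <code>set_java_option</code> at <code>/opt/zimbra/conf/localconfig.xml</code>.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki: set a -D option inside the
# mailboxd_java_options value of a localconfig.xml-style file without touching
# the other JVM flags.  Running it twice is safe: an existing option is
# rewritten in place and a missing one is inserted right after "-server".
# Values containing sed-special characters (| & \) are not handled.

# get_java_option FILE NAME  -> prints the current value of -DNAME, or nothing
get_java_option() {
    sed -n "s|.*-D$2=\([^ <]*\).*|\1|p" "$1"
}

# set_java_option FILE NAME VALUE  -> rewrites FILE; returns 1 if the option
# could not be set (e.g. the file has no "<value>-server " to anchor on)
set_java_option() {
    file=$1 name=$2 value=$3
    if grep -q -- "-D$name=" "$file"; then
        # Replace the existing token; a value runs up to the next space or "<".
        script="s|-D$name=[^ <]*|-D$name=$value|"
    else
        # Insert a new token directly after "-server".
        script="s|<value>-server |<value>-server -D$name=$value |"
    fi
    sed "$script" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    # Verify the edit instead of trusting it.
    [ "$(get_java_option "$file" "$name")" = "$value" ] || {
        echo "set_java_option: -D$name not set in $file" >&2
        return 1
    }
}

# write_sample_localconfig FILE  -> constructed, abbreviated stand-in for
# /opt/zimbra/conf/localconfig.xml containing only the key this script edits
write_sample_localconfig() {
    cat > "$1" <<'EOF'
<localconfig>
  <key name="mailboxd_java_options">
    <value>-server -Dhttps.protocols=TLSv1.2 -Djava.awt.headless=true -XX:+UseG1GC</value>
  </key>
</localconfig>
EOF
}

# Dry run on the sample file; on a real server run the two set_java_option
# calls against localconfig.xml and then: zmmailboxdctl restart
sample=$(mktemp)
write_sample_localconfig "$sample"
set_java_option "$sample" https.protocols TLSv1.2,TLSv1.3
set_java_option "$sample" jdk.tls.client.protocols TLSv1.2,TLSv1.3
cat "$sample"
rm -f "$sample"
```

The verification step at the end of <code>set_java_option</code> is the part worth copying: a <code>sed</code> substitution that matches nothing exits 0, so without reading the value back a typo in the option name would silently leave TLSv1.3 disabled on mailboxd.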
= Generate DH parameters =
 
Generating a DH parameter file strengthens the DHE key exchange and mitigates the Logjam attack. Run the following as the zimbra user; generating 3072-bit parameters can take several minutes. Further reading: https://weakdh.org/
 
<pre>su - zimbra
/opt/zimbra/common/bin/openssl dhparam -out /opt/zimbra/conf/dhparam.pem.zcs 3072
zmprov mcf zimbraSSLDHParam /opt/zimbra/conf/dhparam.pem.zcs</pre>
Reboot the server.
 
= Configure additional HTTP headers =
 
The following commands will:

* Enable HTTP Strict Transport Security (HSTS) for one year, including subdomains
* Add the <code>X-Content-Type-Options: nosniff</code> and <code>X-XSS-Protection</code> headers
* Disable search indexing of your server by Google et al. (<code>X-Robots-Tag: noindex</code> and <code>zimbraMailKeepOutWebCrawlers</code>)
 
<pre>zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000; includeSubDomains"
zmprov mcf +zimbraResponseHeader "X-XSS-Protection: 1; mode=block"
zmprov mcf +zimbraResponseHeader "X-Content-Type-Options: nosniff"
zmprov mcf +zimbraResponseHeader "X-Robots-Tag: noindex"
zmprov mcf zimbraMailKeepOutWebCrawlers TRUE
zmmailboxdctl restart</pre>
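After the restart you can confirm from the outside that the headers are actually served, rather than only stored in LDAP. The following POSIX shell script is an added example and is not part of this article or of Zimbra: it reads an HTTP response header block (for example the output of <code>curl -sI https://mail.example.com</code>, hostname assumed) and reports each header from the list above that is missing or weaker than configured. The function names and the sample response embedded for the offline dry run are my own constructions.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki: check a captured HTTP response
# header block for the headers the article configures with zimbraResponseHeader.
# Usage against a live host (hostname assumed):
#     curl -sI https://mail.example.com | check_security_headers
# Prints each missing or weak header and returns 1 if any check fails.

# require_header HEADERS NAME VALUE  -> 0 if header NAME contains VALUE
# (both matched case-insensitively), otherwise prints a finding and returns 1
require_header() {
    if printf '%s\n' "$1" | grep -i "^$2:" | grep -iq "$3"; then
        return 0
    fi
    echo "missing: $2 ($3)"
    return 1
}

# check_security_headers  (reads the header block on stdin)
check_security_headers() {
    hdrs=$(tr -d '\r')          # strip CRLF line endings from curl output
    rc=0
    hsts=$(printf '%s\n' "$hdrs" | grep -i '^strict-transport-security:' | head -n 1)
    if [ -z "$hsts" ]; then
        echo "missing: strict-transport-security"; rc=1
    else
        # max-age must be at least one year (31536000 s), as set in the article.
        age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
        if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
            echo "weak: strict-transport-security max-age below one year"; rc=1
        fi
        if ! printf '%s' "$hsts" | grep -iq 'includesubdomains'; then
            echo "weak: strict-transport-security lacks includeSubDomains"; rc=1
        fi
    fi
    require_header "$hdrs" 'x-content-type-options' 'nosniff' || rc=1
    require_header "$hdrs" 'x-robots-tag' 'noindex' || rc=1
    require_header "$hdrs" 'x-xss-protection' '1' || rc=1
    return $rc
}

# Constructed sample response (not captured from a real server) for an
# offline dry run of the checker.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
X-Robots-Tag: noindex'
printf '%s\n' "$SAMPLE_HEADERS" | check_security_headers && echo "security headers OK"
```

Run the live check once per proxy node, since each node serves the headers independently. <code>X-XSS-Protection</code> is checked only because the article sets it; current browsers ignore that header, so treat it as harmless rather than as protection.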
= Validate your settings online using SSL Labs =
 
Go to https://www.ssllabs.com/ssltest/analyze.html and enter the domain name of your Zimbra server. If you followed the steps in this article you should receive an A+ score, and there should be no mention of weak ciphers in the report. This article was written in September 2021. In the report, look at the client devices listed under <code>Handshake Simulation</code>; these give you an idea of the devices your users can use to connect to your Zimbra server. Also validate that there are no weak ciphers listed under <code>Cipher Suites</code>.

Latest revision as of 06:50, 4 January 2022


KB 22051, last updated on 2022-01-4






Purpose

List the steps, per release, to obtain an A+ in the Qualys SSL Labs Security Test.

Resolution

https://wiki.zimbra.com/wiki/Cipher_suites
