Difference between revisions of "Security/Collab/87"

(Security Settings for Zimbra Collaboration 8.7 series)
(HSTS)
Line 26: Line 26:
 
</pre>
 
</pre>
  
=== HSTS ===
+
=== HTTP Strict Transport Security (HSTS) ===
 
WIP: [https://bugzilla.zimbra.com/show_bug.cgi?id=98938 bug 98938]
 
WIP: [https://bugzilla.zimbra.com/show_bug.cgi?id=98938 bug 98938]
  

Revision as of 20:18, 23 April 2015

Admin Article

Article Information

This article applies to the following ZCS versions.

  ZCS 8.7 Article  ZCS 8.7


Security Settings for Zimbra Collaboration 8.7 series

Proxy

DH parameters

Added support for the ssl_dhparam in proxy/nginx. The default DH parameter size is still 1024 bits. With the changes from bug 98852, it is now possible to use a custom (read stronger) key size. However, be aware that some clients may have issues with a size larger than 1024 bits (Java 7 for example, ref: http://httpd.apache.org/docs/trunk/ssl/ssl_faq.html#javadh).

See also:

Ciphers

Default zimbraReverseProxySSLCiphers setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96852):

zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!MD5:!PSK:!RC4

HTTP Strict Transport Security (HSTS)

WIP: bug 98938

See also:

Mailboxd (Jetty)

Ciphers

Default zimbraSSLExcludeCipherSuites setting in 8.7.0 has been changed to exclude RC4 (ref: bug 96921):

zimbraSSLExcludeCipherSuites: .*_RC4_.*

HSTS

The configuration key, 'zimbraResponseHeader' can be used to set the HSTS header. For example (ref: bug 84796):

zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
Verified Against: Zimbra Collaboration 8.7 Date Created: 04/22/2015
Article ID: https://wiki.zimbra.com/index.php?title=Security/Collab/87 Date Modified: 2015-04-23



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Jump to: navigation, search