How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

jorgedlcruz
Zimbra Alumni
Posts: 2773
Joined: Thu May 22, 2014 4:47 pm


Postby jorgedlcruz » Sat Jun 27, 2015 11:43 am

Hi Fabio,

We have a ton of work to improve, so I don't think we have a stable Beta to share with the public, but I'm trying to have a Beta like we had in the past.

Keep in touch.

Best regards

Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
AWSguy
Posts: 12
Joined: Sat Sep 13, 2014 3:52 am


Postby AWSguy » Sun Jun 28, 2015 2:17 pm

Hi Jorge,



Thanks for creating this article! I've run into some problems with the SSL test, however, and I keep receiving only a C grade.



My system: Zimbra 8.0.9 on CentOS 6.5, using Zimbra Proxy



I've gone through all of the steps in the wiki article, but it looks like the zmprov commands are not disabling all of the insecure ciphers.



Based on your other posts, I think I've managed to find the necessary commands to get an A+ on Zimbra 8.0.9:



sudo -i
cd /opt/zimbra/conf
openssl dhparam -out dhparams.pem 2048
chown zimbra:zimbra dhparams.pem

Add:
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
To:
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

su - zimbra
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
zmproxyctl restart



Hope this helps!
AWSguy
Posts: 12
Joined: Sat Sep 13, 2014 3:52 am


Postby AWSguy » Sun Jun 28, 2015 4:06 pm

Oops, I spoke too soon: after doing a server restart, it appears that SSLv3 has been re-enabled.



I have redone the steps listed here:

https://wiki.zimbra.com/wiki/How_to_disable_SSLv3#ZCS_8.0.x_.2F_8.5.x



But the SSL test still shows that SSLv3 is enabled.



I can confirm that the updated Nginx files are on the server:

/opt/zimbra/conf/nginx/includes$ cat * | grep ssl_prot
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;



Any ideas what may be causing this?



Thanks!
jorgedlcruz
Zimbra Alumni
Posts: 2773
Joined: Thu May 22, 2014 4:47 pm


Postby jorgedlcruz » Sun Jun 28, 2015 4:09 pm

I will test this in 30 minutes and let you know :)



Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
jorgedlcruz
Zimbra Alumni
Posts: 2773
Joined: Thu May 22, 2014 4:47 pm


Postby jorgedlcruz » Sun Jun 28, 2015 5:47 pm

Hi AWSguy,


I can't get the A+ in 8.0.9. The proxy didn't properly take the 2048-bit dhparams file. Also, to disable POODLE, I needed to follow both the nginx and the jetty steps; then I had POODLE completely disabled.


These are my results in 8.0.9, with all the steps of the SSL Labs wiki that I wrote for 8.0.9 using Proxy:


https://www.ssllabs.com/ssltest/analyze.html?d=zimbra86.zimbra.io


Let me know if you are able to obtain the A+. As per my previous comment, I'm not able to fix TLS_FALLBACK_SCSV:


https://community.zimbra.com/collaboration/f/1886/p/1139570/1586272#1586272


Best regards

Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
liverpoolfcfan
Outstanding Member
Posts: 920
Joined: Sat Sep 13, 2014 12:47 am


Postby liverpoolfcfan » Mon Jun 29, 2015 6:24 am

I have gone through these steps a couple of times with zimbra 8.6 P2 and still cannot get better than a B rating.

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

and

Uses common DH prime: Yes. Replace with custom DH parameters if possible.

Any suggestions as to what could be wrong?

Thought: Zimbra is running on a VM. Does openssl look at hardware signatures when generating the 2048-bit key? Could the common signature of VM-emulated hardware be causing an issue?
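The checks this thread keeps circling (SSLv3 still listed after a restart, a proxy template without ssl_dhparam so the built-in DH group is used, and a cipher string that still admits weak suites) can be scripted against the rendered nginx files. This is an added example, not code from the thread or from Zimbra; the nginx fragment, paths and function names are constructed for illustration, and the cipher expansion uses whatever OpenSSL the local Python links against.

```python
import re
import ssl

# Constructed sample standing in for a rendered proxy file under
# /opt/zimbra/conf/nginx/includes (not copied from any real server).
SAMPLE_CONF = """
server {
    listen 443 ssl;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
}
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Substrings of OpenSSL suite names that SSL Labs penalises.
WEAK_MARKERS = ("RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH")

def directive(conf, name):
    """Argument string of the first `name ...;` directive in conf, or None."""
    m = re.search(r"^\s*%s\s+([^;]+);" % re.escape(name), conf, re.M)
    return m.group(1).strip() if m else None

def is_weak_name(cipher):
    """True for RC4, MD5, DES/3DES, NULL, export and anonymous suites."""
    return any(marker in cipher for marker in WEAK_MARKERS)

def enabled_ciphers(spec):
    """Expand an OpenSSL cipher spec with the local libssl, as nginx would."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]

def audit_conf(conf):
    """Return a list of findings for one rendered nginx https config."""
    findings = []
    for proto in (directive(conf, "ssl_protocols") or "").split():
        if proto in WEAK_PROTOCOLS:
            findings.append("weak protocol enabled: " + proto)
    if directive(conf, "ssl_dhparam") is None:
        # Without ssl_dhparam, nginx of that era used its built-in 1024-bit
        # group, which SSL Labs reports as weak / common DH parameters.
        findings.append("ssl_dhparam missing: built-in 1024-bit DH group in use")
    spec = directive(conf, "ssl_ciphers")
    if spec:
        findings += ["weak cipher enabled: " + c for c in enabled_ciphers(spec) if is_weak_name(c)]
    return findings

if __name__ == "__main__":
    for line in audit_conf(SAMPLE_CONF):
        print(line)
```

Run it over every file in the includes directory after zmproxyctl restart to confirm the rendered config, not just the template, carries the intended settings.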

jorgedlcruz
Zimbra Alumni
Posts: 2773
Joined: Thu May 22, 2014 4:47 pm


Postby jorgedlcruz » Mon Jun 29, 2015 6:34 am

Hi,

Are you running Proxy or not? I will test the steps using 8.5P2. What steps did you follow? I assume the steps for your environment with or without proxy.



Best regards!
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
liverpoolfcfan
Outstanding Member
Posts: 920
Joined: Sat Sep 13, 2014 12:47 am


Postby liverpoolfcfan » Mon Jun 29, 2015 6:36 am

My https template files all contain the line

ssl_protocols ${web.ssl.protocols};



Where does web.ssl.protocols get set?



This is a system that has been upgraded from 6.0.4 -> almost every version up to -> 7.2.6 -> 8.5 using AJCody notes -> 8.5.1 -> 8.6 -> 8.6 P1 -> 8.6 P2
jorgedlcruz
Zimbra Alumni
Posts: 2773
Joined: Thu May 22, 2014 4:47 pm


Postby jorgedlcruz » Mon Jun 29, 2015 6:38 am

So you are running 8.6 P2, not 8.5 P2? And with proxy or without proxy? I guess proxy.



Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
liverpoolfcfan
Outstanding Member
Posts: 920
Joined: Sat Sep 13, 2014 12:47 am


Postby liverpoolfcfan » Mon Jun 29, 2015 6:39 am

Yes. Sorry, I have just edited my previous post. It is 8.6 P2 with proxy. Can you tell me where the web.ssl.protocols value gets set?
