How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Hi Fabio,
We have a ton of work to improve, so I don't think we have a stable Beta to share with the public, but I'm trying to have a Beta like we had in the past.
Keep in touch.
Best regards
Hi Jorge,
Thanks for creating this article! I've run into some problems with the SSL test, however, and I keep receiving only a C grade.
My system: Zimbra 8.0.9 on CentOS 6.5, using Zimbra Proxy
I've gone through all of the steps in the wiki article, but it looks like the zmprov commands are not disabling all of the insecure ciphers.
Based on your other posts, I think I've managed to find the necessary commands to get an A+ on Zimbra 8.0.9:
sudo -i
cd /opt/zimbra/conf
openssl dhparam -out dhparams.pem 2048
chown zimbra:zimbra dhparams.pem
Add:
ssl_dhparam /opt/zimbra/conf/dhparams.pem;
To:
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template
su - zimbra
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
zmproxyctl restart
Hope this helps!
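An added check for the cipher step above (example code, not from AWSguy's post or from Zimbra): it feeds the zimbraReverseProxySSLCiphers string to the OpenSSL linked into the local Python, so you can see what that string actually expands to before trusting a grade. Run it on the Zimbra host, because HIGH and kEDH+AESGCM expand differently from one OpenSSL release to the next; the function names are this example's own.

```python
"""Evaluate a zimbraReverseProxySSLCiphers string against the local OpenSSL.

Added example, not code from the post above or from Zimbra. It hands the
cipher string from the zmprov command to the OpenSSL this Python is linked
against, lists what that OpenSSL actually enables, and flags anything weak
or without forward secrecy. Names below are this example's own.
"""
import re
import ssl

# Cipher string from the zmprov command in the post (unchanged).
ZIMBRA_SPEC = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:"
    "DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:"
    "ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:"
    "DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
)

# Substrings that cost points or mean no real protection. "DES" deliberately
# also catches 3DES (DES-CBC3-*), which the !DES keyword alone does not exclude.
WEAK_MARKERS = ("RC4", "DES", "MD5", "EXP", "NULL", "PSK", "ADH", "AECDH")


def enabled_ciphers(spec):
    """Cipher entries OpenSSL selects for spec, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)           # raises ssl.SSLError if nothing at all matches
    return ctx.get_ciphers()        # dicts with 'name', 'protocol', 'description', ...


def kx_from_description(description):
    """Key-exchange algorithm from an OpenSSL cipher description ('Kx=ECDH')."""
    m = re.search(r"Kx=(\S+)", description)
    return m.group(1) if m else "unknown"


def has_forward_secrecy(cipher):
    """Ephemeral (EC)DH key exchange, or a TLS 1.3 suite (always ephemeral)."""
    if cipher["protocol"] == "TLSv1.3":
        return True
    return kx_from_description(cipher["description"]).startswith(("ECDH", "DH"))


def is_weak(name):
    return any(marker in name.upper() for marker in WEAK_MARKERS)


def report(spec):
    """Summarise what spec enables: counts plus the names that would cost points."""
    ciphers = enabled_ciphers(spec)
    return {
        "total": len(ciphers),
        "first": ciphers[0]["name"] if ciphers else None,
        "weak": [c["name"] for c in ciphers if is_weak(c["name"])],
        "no_forward_secrecy": [c["name"] for c in ciphers if not has_forward_secrecy(c)],
    }


if __name__ == "__main__":
    r = report(ZIMBRA_SPEC)
    print("ciphers enabled:", r["total"], "preferred:", r["first"])
    print("weak:", r["weak"] or "none")
    print("no forward secrecy (SSL Labs only credits FS if these are never negotiated):")
    for name in r["no_forward_secrecy"]:
        print("  ", name)
```

What it normally shows: no weak suites (RC4, DES/3DES, MD5, export and NULL are all out), but the trailing AES128:AES256 keywords keep plain-RSA suites such as AES128-SHA enabled, so the server still offers key exchanges without forward secrecy to clients that prefer them. Dropping those two keywords is the usual next step once the grade has moved up.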
Oops, I spoke too soon: after doing a server restart, it appears that SSLv3 has been re-enabled.
I have redone the steps listed here:
https://wiki.zimbra.com/wiki/How_to_dis ... _.2F_8.5.x
But the SSL test still shows that SSLv3 is enabled.
I can confirm that the updated Nginx files are on the server:
/opt/zimbra/conf/nginx/includes$ cat * | grep ssl_prot
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
Any ideas what may be causing this?
Thanks!
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
I will test this in 30 minutes and let you know
Best regards
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Hi AWSguy,
I can't get the A+ in 8.0.9; the proxy didn't properly pick up the 2048-bit dhparams file. Also, to disable POODLE I needed to follow both the nginx and the Jetty steps; then I had POODLE completely disabled.
These are my results in 8.0.9, with all the steps of the SSL Labs wiki that I wrote for 8.0.9 using Proxy:
https://www.ssllabs.com/ssltest/analyze ... bra.io
Let me know if you are able to obtain the A+. As per my previous comment, I'm not able to fix the TLS_FALLBACK_SCSV:
https://community.zimbra.com/collaborat ... 586272
Best regards
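The two things the last few posts are stuck on, SSLv3 still answering after the ssl_protocols change and TLS_FALLBACK_SCSV not being reported, can both be tested directly with a hand-built ClientHello, which also works on machines whose local openssl no longer speaks SSLv3 at all. This is an added example, not code from either poster or from Zimbra; host and port are whatever you pass in, and the function names are this example's own.

```python
"""Probe an endpoint for SSLv3 and for TLS_FALLBACK_SCSV handling.

Added example, not code from the posts above or from Zimbra. A hand-built
ClientHello avoids depending on the local openssl binary, which on current
systems refuses to negotiate SSLv3. Host and port are caller-supplied; all
names below are this example's own.
"""
import os
import socket
import struct

HANDSHAKE, ALERT = 0x16, 0x15
CLIENT_HELLO, SERVER_HELLO = 0x01, 0x02
TLS_FALLBACK_SCSV = 0x5600                         # RFC 7507 signalling suite
# Plain-RSA CBC suites any 2014-era server knows; SSLv3 has no AEAD suites,
# so offering these avoids a false "disabled" caused by no common cipher.
LEGACY_SUITES = [0x002F, 0x0035, 0x000A, 0x0005]   # AES128-SHA, AES256-SHA, DES-CBC3-SHA, RC4-SHA
ALERT_NAMES = {40: "handshake_failure", 70: "protocol_version", 86: "inappropriate_fallback"}


def build_client_hello(version, suites):
    """One TLS record holding a minimal ClientHello for version=(major, minor)."""
    major, minor = version
    body = struct.pack("!BB", major, minor) + os.urandom(32)      # client_version, random
    body += b"\x00"                                               # empty session_id
    body += struct.pack("!H", 2 * len(suites))
    body += b"".join(struct.pack("!H", s) for s in suites)
    body += b"\x01\x00"                                           # one compression method: null
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return struct.pack("!BBBH", HANDSHAKE, major, minor, len(handshake)) + handshake


def parse_response(record):
    """Classify the first record the server sends back."""
    if len(record) < 5:
        return {"type": "closed"}
    ctype, major, minor, length = struct.unpack("!BBBH", record[:5])
    frag = record[5:5 + length]
    if ctype == ALERT and len(frag) >= 2:
        return {"type": "alert", "level": frag[0], "description": frag[1],
                "name": ALERT_NAMES.get(frag[1], str(frag[1]))}
    if ctype == HANDSHAKE and len(frag) >= 6 and frag[0] == SERVER_HELLO:
        return {"type": "server_hello", "version": (frag[4], frag[5])}   # server_version
    return {"type": "other", "content_type": ctype, "record_version": (major, minor)}


def probe(host, port, version, suites, timeout=5.0):
    """Send one ClientHello and return the parsed first response."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello(version, suites))
        try:
            data = s.recv(4096)
        except OSError:                     # reset or timeout: the server dropped us
            return {"type": "closed"}
    return parse_response(data)


def sslv3_enabled(host, port=443):
    """True when the server completes an SSLv3 negotiation (ServerHello 3.0)."""
    r = probe(host, port, (3, 0), LEGACY_SUITES)
    return r["type"] == "server_hello" and r["version"] == (3, 0)


def fallback_scsv_honoured(host, port=443):
    """True when a downgraded (TLS 1.0) ClientHello carrying TLS_FALLBACK_SCSV is refused."""
    r = probe(host, port, (3, 1), LEGACY_SUITES + [TLS_FALLBACK_SCSV])
    return r["type"] == "alert" and r["description"] == 86


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"   # placeholder host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print("SSLv3 enabled:", sslv3_enabled(host, port))
    print("TLS_FALLBACK_SCSV honoured:", fallback_scsv_honoured(host, port))
```

sslv3_enabled() is True only when the server answers an SSLv3 ClientHello with an SSLv3 ServerHello; an alert or a dropped connection means it is off. fallback_scsv_honoured() sends a TLS 1.0 ClientHello carrying TLS_FALLBACK_SCSV to a server that, as in this thread, also supports TLS 1.2; an implementation of RFC 7507 must reply with the inappropriate_fallback alert (86), and a ServerHello instead is the behaviour SSL Labs reports as missing downgrade protection. Since the earlier post needed both the nginx and the Jetty steps for POODLE, run the probe against every listener that terminates TLS, not only the proxy port.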
-
- Elite member
- Posts: 1096
- Joined: Sat Sep 13, 2014 12:47 am
I have gone through these steps a couple of times with zimbra 8.6 P2 and still cannot get better than a B rating.
This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.
and
Uses common DH prime: Yes. Replace with custom DH parameters if possible.
Any suggestions as to what could be wrong?
Thought: zimbra is running on a VM - Does openssl look at hardware signatures when generating the 2048 key? Could the common signature of VM emulated hardware be causing an issue?
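For the two DH findings quoted above, an added example (not from the post or from Zimbra) that answers the questions a practitioner asks next: how many bits the prime in dhparams.pem really has, and whether the nginx configuration that is actually being served names that file at all. The DER parser is self-contained; paths and function names are this example's own, and the sample parameters used in the checks are constructed placeholders, not real safe primes.

```python
"""Inspect a dhparams.pem and the nginx config that should reference it.

Added example, not from the forum post or from Zimbra. SSL Labs caps the
grade at B when the server's DH prime is short or one of the well-known
defaults, so after `openssl dhparam` verify (1) the bit length of p in the
file you generated and (2) that the configuration nginx actually loads has
an active ssl_dhparam directive naming it. Paths and names are this
example's own.
"""
import base64
import re


def _read_tlv(buf, pos):
    """Minimal DER reader: (tag, value, next_pos) for the element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_dhparams(pem_text):
    """Decode a 'DH PARAMETERS' PEM block (PKCS#3 SEQUENCE { p, g }) into ints."""
    m = re.search(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no DH PARAMETERS block in input")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, seq, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    tag_p, p_bytes, pos = _read_tlv(seq, 0)
    tag_g, g_bytes, _ = _read_tlv(seq, pos)
    if tag_p != 0x02 or tag_g != 0x02:
        raise ValueError("expected INTEGER p, INTEGER g")
    p = int.from_bytes(p_bytes, "big")      # a leading 0x00 pad byte decodes harmlessly
    g = int.from_bytes(g_bytes, "big")
    return {"p": p, "g": g, "bits": p.bit_length()}


def encode_dhparams(p, g):
    """Inverse of parse_dhparams; lets the checks run on constructed values offline."""
    def der_len(n):
        if n < 0x80:
            return bytes([n])
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        return bytes([0x80 | len(lb)]) + lb

    def der_int(n):
        # bit_length // 8 + 1 bytes: adds the 0x00 pad exactly when the top bit is set.
        b = n.to_bytes(n.bit_length() // 8 + 1, "big")
        return b"\x02" + der_len(len(b)) + b

    body = der_int(p) + der_int(g)
    b64 = base64.b64encode(b"\x30" + der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines) + "\n-----END DH PARAMETERS-----\n"


def assess(bits):
    """Map p's size to the SSL Labs outcome the report above describes."""
    if bits < 1024:
        return "insecure: below 1024 bits"
    if bits < 2048:
        return "weak: SSL Labs caps the grade at B"
    return "ok: %d-bit custom parameters" % bits


def nginx_uses_dhparam(config_text, pem_path):
    """True if an active (uncommented) ssl_dhparam directive names pem_path."""
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("ssl_dhparam") and line.endswith(";") and pem_path in line:
            return True
    return False


def check(pem_path, config_path):
    """Read both files and return the combined findings."""
    with open(pem_path) as f:
        info = parse_dhparams(f.read())
    with open(config_path) as f:
        referenced = nginx_uses_dhparam(f.read(), pem_path)
    return {"bits": info["bits"], "generator": info["g"],
            "verdict": assess(info["bits"]), "referenced_by_nginx": referenced}


if __name__ == "__main__":
    import glob
    # Paths from the thread (assumed): the generated files under includes/ are
    # what nginx loads; the templates only feed them.
    pem = "/opt/zimbra/conf/dhparams.pem"
    for cfg in glob.glob("/opt/zimbra/conf/nginx/includes/nginx.conf.web.https*"):
        print(cfg, check(pem, cfg))
```

On the VM question: `openssl dhparam` draws its randomness from the OpenSSL RNG, and the prime it produces carries no trace of the hardware it was generated on. A "common DH prime" finding means the server presented one of the well-known default primes, which usually means the file you generated is not the one nginx is loading (for example, because the directive went into a template whose generated include was not rebuilt), so check the include, not the template.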
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
Hi,
Are you running Proxy or not? I will test the steps using 8.5P2. What steps did you follow? I assume the steps for your environment with or without proxy.
Best regards!
-
- Elite member
- Posts: 1096
- Joined: Sat Sep 13, 2014 12:47 am
My https template files all contain the line
ssl_protocols ${web.ssl.protocols};
Where does web.ssl.protocols get set?
This is a system that has been upgraded from 6.0.4 -> almost every version up to -> 7.2.6 -> 8.5 using AJCody notes -> 8.5.1 -> 8.6 -> 8.6 P1 -> 8.6 P2
- jorgedlcruz
- Zimbra Alumni
- Posts: 2782
- Joined: Thu May 22, 2014 4:47 pm
So you are running 8.6 P2? Not 8.5 P2? And proxy or without proxy? I guess proxy.
Best regards
-
- Elite member
- Posts: 1096
- Joined: Sat Sep 13, 2014 12:47 am
Yes. Sorry, I have just edited my previous post. It is 8.6 P2 with proxy. Can you tell me where the web.ssl.protocols value gets set?