How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

Hi Fabio,

We have a ton of work to improve, so I don't think we have a stable Beta to share with the public, but I'm trying to have a Beta like we had in the past.

Keep in touch.

Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
AWSguy
Posts: 12
Joined: Sat Sep 13, 2014 3:52 am

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by AWSguy »

Hi Jorge,

Thanks for creating this article! I've run into some problems with the SSL test, however, and I keep receiving only a C grade.

My system: Zimbra 8.0.9 on CentOS 6.5, using Zimbra Proxy

I've gone through all of the steps in the wiki article, but it looks like the zmprov commands are not disabling all of the insecure ciphers.

Based on your other posts, I think I've managed to find the necessary commands to get an A+ on Zimbra 8.0.9:



# As root: generate a 2048-bit DH group and hand it to the zimbra user
sudo -i
cd /opt/zimbra/conf
openssl dhparam -out dhparams.pem 2048
chown zimbra:zimbra dhparams.pem

Add:

ssl_dhparam /opt/zimbra/conf/dhparams.pem;

To:

/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.default.template
/opt/zimbra/conf/nginx/templates/nginx.conf.web.https.template

# As the zimbra user: set the proxy cipher list and restart the proxy
su - zimbra

zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

zmproxyctl restart



Hope this helps!
AWSguy
Posts: 12
Joined: Sat Sep 13, 2014 3:52 am

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by AWSguy »

Oops, I spoke too soon: after doing a server restart, it appears that SSLv3 has been re-enabled.

I have redone the steps listed here:

https://wiki.zimbra.com/wiki/How_to_dis ... _.2F_8.5.x

But the SSL test still shows that SSLv3 is enabled.

I can confirm that the updated Nginx files are on the server:

/opt/zimbra/conf/nginx/includes$ cat * | grep ssl_prot
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;



Any ideas what may be causing this?



Thanks!
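The grep above only shows the lines that contain the string, so it cannot tell a rendered include from a template whose ${...} placeholder was never expanded, and it silently passes a file where the directive is commented out or where ssl_dhparam is missing altogether. The following Python script is an added example, not code from the original post or from Zimbra: it audits the ssl_protocols and ssl_dhparam directives of nginx files, flagging SSLv3, unexpanded placeholders and a missing dhparam directive. The three sample files are constructed here to mimic the states discussed in the thread; the real files live under /opt/zimbra/conf/nginx/includes/ and can be passed on the command line.

```python
"""Audit the ssl_* directives in nginx config files the way the thread checks
them by hand with `cat * | grep ssl_prot`, but also catching what a grep
misses: commented-out directives, placeholders left unexpanded, and files
that carry no ssl_dhparam at all."""
import re
import sys
from pathlib import Path
from typing import Dict, List

WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}
# Zimbra templates carry ${...} variables that the proxy config generator
# expands into the files under includes/; an include that still contains one
# was never rendered.
PLACEHOLDER = re.compile(r"\$\{[^}]+\}")


def strip_comments(text: str) -> str:
    """Drop '#' comments so a commented-out directive does not count as set."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def directives(text: str, name: str) -> List[List[str]]:
    """Return the argument list of every `name arg ...;` directive in text."""
    pattern = re.compile(r"(?<![\w.-])" + re.escape(name) + r"\s+([^;]*);")
    return [m.group(1).split() for m in pattern.finditer(strip_comments(text))]


def audit_file(path: str, text: str) -> List[str]:
    """Findings for one rendered nginx file; an empty list means it passes."""
    findings: List[str] = []
    protocols = directives(text, "ssl_protocols")
    if not protocols:
        findings.append(f"{path}: no ssl_protocols directive; nginx's default "
                        "applies, which on older builds still includes SSLv3")
    for args in protocols:
        unexpanded = [a for a in args if PLACEHOLDER.search(a)]
        if unexpanded:
            findings.append(f"{path}: ssl_protocols still carries the "
                            f"template placeholder {unexpanded[0]}")
        weak = sorted(set(args) & WEAK_PROTOCOLS)
        if weak:
            findings.append(f"{path}: ssl_protocols enables {', '.join(weak)}")
    if not directives(text, "ssl_dhparam"):
        findings.append(f"{path}: no ssl_dhparam directive, so DHE suites use "
                        "nginx's default parameters instead of dhparams.pem")
    return findings


def audit(files: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each file with problems to its findings (clean files are omitted)."""
    result: Dict[str, List[str]] = {}
    for path, text in files.items():
        findings = audit_file(path, text)
        if findings:
            result[path] = findings
    return result


# Constructed samples, not the real Zimbra files: a template with an unexpanded
# placeholder, a correctly rendered include, and an include that still lists
# SSLv3 (the state the thread observed after a restart).
SAMPLE_FILES: Dict[str, str] = {
    "templates/nginx.conf.web.https.template": """
        server {
            ssl_protocols ${web.ssl.protocols};
            ssl_dhparam /opt/zimbra/conf/dhparams.pem;
        }
    """,
    "includes/nginx.conf.web.https": """
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_dhparam /opt/zimbra/conf/dhparams.pem;
    """,
    "includes/nginx.conf.web.https.default": """
        # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    """,
}


def main(argv: List[str]) -> int:
    # With paths on the command line, audit real files (for instance
    # /opt/zimbra/conf/nginx/includes/*); otherwise run on the samples.
    files = {p: Path(p).read_text() for p in argv} if argv else SAMPLE_FILES
    problems = audit(files)
    for findings in problems.values():
        for finding in findings:
            print(finding)
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against the includes directory after every zmproxyctl restart; a non-zero exit means something nginx actually loads still differs from what the wiki steps intended.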
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

I will test this in 30 minutes and let you know :)



Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

Hi AWSguy,
I can't get the A+ in 8.0.9. The proxy didn't take the 2048-bit dhparams file properly. Also, to disable POODLE, I needed to follow the nginx and the Jetty steps; then I had POODLE completely disabled.
These are my results in 8.0.9, with all the steps of the SSL Labs wiki that I've written for 8.0.9 using Proxy:
https://www.ssllabs.com/ssltest/analyze ... bra.io
Let me know if you are able to obtain the A+; as per my previous comment, I'm not able to fix the TLS_FALLBACK_SCSV:
https://community.zimbra.com/collaborat ... 586272
Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
liverpoolfcfan
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by liverpoolfcfan »

I have gone through these steps a couple of times with Zimbra 8.6 P2 and still cannot get better than a B rating.

This server supports weak Diffie-Hellman (DH) key exchange parameters. Grade capped to B.

and

Uses common DH prime: Yes (Replace with custom DH parameters if possible)

Any suggestions as to what could be wrong?

Thought: Zimbra is running on a VM. Does openssl look at hardware signatures when generating the 2048 key? Could the common signature of VM-emulated hardware be causing an issue?
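The two SSL Labs findings quoted above come from the DH group the proxy actually serves, so it is worth confirming what is in dhparams.pem before restarting and re-scanning. The following Python script is an added example, not code from the original post or from Zimbra or OpenSSL: it decodes a "DH PARAMETERS" PEM block (the format `openssl dhparam -out dhparams.pem 2048` writes), walks the DER SEQUENCE of INTEGER p and INTEGER g, and reports the prime's bit length and generator without shelling out to openssl. The two demo values are constructed odd numbers of the right size to exercise the encoder and parser; they are not primes and must not be used as real parameters.

```python
"""Inspect a dhparams.pem file without calling openssl: decode the PEM, walk
the DER SEQUENCE { INTEGER p, INTEGER g } and report the prime's size so that
a too-short group is caught before the proxy is restarted and re-scanned."""
import base64
import sys
from typing import Dict, List, Tuple


def _der_len(n: int) -> bytes:
    """DER length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def _der_int(n: int) -> bytes:
    """DER INTEGER; the extra byte keeps the sign bit clear for large values."""
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")
    return b"\x02" + _der_len(len(raw)) + raw


def _der_read(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def dh_params_to_pem(p: int, g: int) -> str:
    """Encode (p, g) as a PKCS#3 'DH PARAMETERS' PEM block."""
    body = _der_int(p) + _der_int(g)
    b64 = base64.b64encode(b"\x30" + _der_len(len(body)) + body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def dh_params_from_pem(pem: str) -> Tuple[int, int]:
    """Decode a 'DH PARAMETERS' PEM block into (p, g)."""
    lines = [line.strip() for line in pem.splitlines()]
    if "-----BEGIN DH PARAMETERS-----" not in lines:
        raise ValueError("not a DH PARAMETERS PEM block")
    body = "".join(l for l in lines if l and not l.startswith("-----"))
    der = base64.b64decode(body)
    tag, seq, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    ints: List[int] = []
    pos = 0
    while pos < len(seq):
        tag, value, pos = _der_read(seq, pos)
        if tag != 0x02:
            raise ValueError("expected a DER INTEGER")
        ints.append(int.from_bytes(value, "big"))
    if len(ints) < 2:
        raise ValueError("DH parameters need at least p and g")
    return ints[0], ints[1]


def check_dh_params(pem: str, minimum_bits: int = 2048) -> Dict[str, object]:
    """Summarise a dhparams.pem: prime size, generator and any problems."""
    p, g = dh_params_from_pem(pem)
    problems: List[str] = []
    if p.bit_length() < minimum_bits:
        problems.append(f"prime is {p.bit_length()} bits, below {minimum_bits}")
    if p % 2 == 0:
        problems.append("modulus is even, so it cannot be an odd prime")
    if g not in (2, 5):
        problems.append(f"unusual generator {g}")
    return {"bits": p.bit_length(), "generator": g, "problems": problems}


# Constructed placeholders for the demo only: NOT primes, just odd numbers of
# the right size to exercise the encoder and parser. A real file comes from
# `openssl dhparam -out dhparams.pem 2048`.
DEMO_2048 = (1 << 2047) | 1
DEMO_1024 = (1 << 1023) | 1


if __name__ == "__main__":
    # Pass /opt/zimbra/conf/dhparams.pem to inspect the real file.
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else dh_params_to_pem(DEMO_2048, 2)
    print(check_dh_params(pem))
```

If the file reports 2048 bits but the scan still says "common DH prime", the group nginx is serving is not the one in the file, which points back at the template and include files rather than at how the parameters were generated.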
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

Hi,

Are you running Proxy or not? I will test the steps using 8.5P2. What steps did you follow? I assume the steps for your environment with or without proxy.



Best regards!
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
liverpoolfcfan
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by liverpoolfcfan »

My https template files all contain the line

ssl_protocols ${web.ssl.protocols};

Where does web.ssl.protocols get set?

This is a system that has been upgraded from 6.0.4 -> almost every version up to -> 7.2.6 -> 8.5 using AJCody notes -> 8.5.1 -> 8.6 -> 8.6 P1 -> 8.6 P2
jorgedlcruz
Zimbra Alumni
Posts: 2782
Joined: Thu May 22, 2014 4:47 pm

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by jorgedlcruz »

So you are running 8.6 P2? Not 8.5 P2? And with proxy or without proxy? I guess proxy.



Best regards
Jorge de la Cruz https://jorgedelacruz.es
Systems Engineer at Veeam Software https://www.veeam.com/
liverpoolfcfan
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

How to obtain an A+ in the Qualys SSL Labs Security Test - Open Wiki

Post by liverpoolfcfan »

Yes. Sorry, I have just edited my previous post. It is 8.6 P2 with proxy. Can you tell me where the web.ssl.protocols value gets set?