Improving SSL connection security settings in Zimbra Collaboration Suite Open-Source Edition

The reliability of encryption is one of the most important indicators when using information systems for business, because every day they are involved in the transfer of a huge amount of confidential information. The generally accepted measure of the quality of an SSL connection is an independent test from Qualys SSL Labs. Since this test can be run by anyone, it is especially important for SaaS providers that the score in this test is the maximum. Not only SaaS providers care about the quality of the SSL connection, but also ordinary enterprises. For them, this test is an excellent opportunity to identify potential vulnerabilities and close all loopholes for cybercriminals in advance.

Zimbra OSE allows you to use two types of SSL certificates. The first is a self-signed certificate that is automatically added during installation. This certificate is free and has no time limit, which means it is ideal for testing Zimbra OSE or using it exclusively within the internal network. However, when logging into the web client, users will see a warning from the browser that the certificate is not trusted, and your server will definitely fail the test from Qualys SSL Labs.

The second is a commercial SSL certificate signed by a certification authority. Such certificates are easily accepted by browsers and are usually used in the commercial operation of Zimbra OSE. Immediately after the correct installation of the commercial certificate, Zimbra OSE 8.8.15 shows an A in the test from Qualys SSL Labs. This is an excellent result, but our goal is to achieve an A+ result.

In order to achieve the maximum score in the test from Qualys SSL Labs when using the Zimbra Collaboration Suite Open-Source Edition, you must complete a number of steps:

1. Increasing the parameters of the Diffie-Hellman protocol

By default, in all Zimbra OSE 8.8.15 components that use OpenSSL, the Diffie-Hellman parameters are 2048 bits long. In principle, this is more than enough to get an A+ rating in the test from Qualys SSL Labs. However, if you are upgrading from an older version, the parameter size may be smaller. Therefore, it is recommended that after the update is completed you execute the command zmdhparam set -new 2048, which regenerates the Diffie-Hellman parameters at an acceptable 2048 bits. If desired, the same command can raise the size to 3072 or 4096 bits, which increases the generation time but has a positive effect on the security level of the mail server.

2. Inclusion of the recommended list of used ciphers

By default, the Zimbra Collaboration Suite Open-Source Edition supports a wide range of strong and weak ciphers for encrypting data passing over a secure connection. However, the availability of weak ciphers is a serious disadvantage when the security of an SSL connection is checked. To avoid this, you need to configure the list of ciphers that are used.

To do this, use the command zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

This command installs the recommended cipher list in one step: it enables the strong ciphers and excludes the unreliable ones. All that remains is to restart the reverse proxy nodes with the zmproxyctl restart command; after the restart, the changes take effect.

If this list does not suit you for one reason or another, you can remove individual weak ciphers using the command zmprov mcf +zimbraSSLExcludeCipherSuites. For example, the command zmprov mcf +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_MD5 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_RC4_128_SHA +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_RC4_128_SHA completely eliminates the use of RC4 ciphers. You can do the same with AES and 3DES ciphers.

3. Enable HSTS

Enabled mechanisms for forcing connection encryption (HSTS) and TLS session resumption are also prerequisites for obtaining the highest score in the test from Qualys SSL Labs. To enable them, enter the command zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000". This command adds the necessary header to the configuration; for the new settings to take effect, you will have to restart Zimbra OSE using the command zmcontrol restart.

Already at this stage, the test from Qualys SSL Labs will show an A+ rating. However, if you want to further improve the security of your server, there are a number of additional measures you can take.
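As an added example (not from the article or from Zimbra itself), a short offline audit in Python of the cipher string and HSTS header used in the steps above: it flags the entries an SSL Labs-style grader penalises (catch-all keywords, suites without forward secrecy, CBC suites) and shows that the article's "!DES" exclusion does not cover 3DES, which is why the separate exclusion step is still needed. The sample inputs are copied from the article's commands, not read from a live server.

```python
"""Offline audit of a zimbraReverseProxySSLCiphers string and an HSTS header."""
import re

# Sample input constructed from the article's zmprov commands, not read from a server.
ZIMBRA_CIPHERS = (
    "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:"
    "kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:"
    "DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:"
    "!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4")
HSTS_HEADER = "Strict-Transport-Security: max-age=31536000"

CATCH_ALL = re.compile(r"^(HIGH|MEDIUM|LOW|ALL|DEFAULT|AES\d*)$")
PFS_PREFIXES = ("ECDHE-", "DHE-", "kEDH", "kEECDH")
# Keywords a hardened list should exclude explicitly. OpenSSL's "DES" keyword
# matches single DES only, so "!DES" leaves 3DES suites in place.
SHOULD_EXCLUDE = ("aNULL", "eNULL", "EXPORT", "RC4", "MD5", "DES", "3DES", "PSK")

def parse_cipher_string(spec):
    """Split an OpenSSL cipher string into (enabled, excluded); '!X' is an exclusion."""
    tokens = [t.strip() for t in spec.split(":") if t.strip()]
    return ([t for t in tokens if not t.startswith("!")],
            [t[1:] for t in tokens if t.startswith("!")])

def audit_ciphers(spec):
    """Flag what an SSL Labs-style grader penalises: catch-alls, no PFS, CBC, gaps."""
    enabled, excluded = parse_cipher_string(spec)
    report = {"catch_all": [], "no_pfs": [], "cbc": []}
    for t in enabled:
        if CATCH_ALL.match(t):            # expands to whatever the OpenSSL build decides
            report["catch_all"].append(t)
            continue
        if not t.startswith(PFS_PREFIXES):  # static RSA key exchange: no forward secrecy
            report["no_pfs"].append(t)
        if not any(k in t for k in ("GCM", "CHACHA")):  # not AEAD, i.e. CBC mode
            report["cbc"].append(t)
    report["missing_exclusions"] = [k for k in SHOULD_EXCLUDE if k not in excluded]
    return report

def hsts_ok(header, min_age=31536000):
    """True when the header is Strict-Transport-Security with max-age >= min_age."""
    name, _, value = header.partition(":")
    m = re.search(r"max-age=(\d+)", value)
    return name.strip().lower() == "strict-transport-security" and bool(m) and int(m.group(1)) >= min_age

if __name__ == "__main__":
    print(audit_ciphers(ZIMBRA_CIPHERS), hsts_ok(HSTS_HEADER))
```

Catch-all keywords such as HIGH expand differently on each OpenSSL build, so the safest check is to run openssl ciphers -v with the same string on the Zimbra host and compare the expansion with this report.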

For example, you can enforce encryption of inter-process connections, as well as enforce encryption when connecting to Zimbra OSE services. To secure inter-process connections, enter the following commands:

zmlocalconfig -e ldap_starttls_supported=1
zmlocalconfig -e zimbra_require_interprocess_security=1
zmlocalconfig -e ldap_starttls_required=true

To enable forced encryption, enter:

zmprov gs `zmhostname` zimbraReverseProxyMailMode
zmprov ms `zmhostname` zimbraReverseProxyMailMode https

zmprov gs `zmhostname` zimbraMailMode
zmprov ms `zmhostname` zimbraMailMode https

zmprov gs `zmhostname` zimbraReverseProxySSLToUpstreamEnabled
zmprov ms `zmhostname` zimbraReverseProxySSLToUpstreamEnabled TRUE

Thanks to these commands, all connections to the proxy servers and mail servers will be encrypted, and all of these connections will be proxied.

Thus, by following these recommendations, you can not only achieve the highest score in the SSL connection security test, but also significantly increase the security of the entire Zimbra OSE infrastructure.

For all questions related to Zextras Suite, you can contact the Representative of Zextras Ekaterina Triandafilidi by e-mail [email protected]

Source: habr.com