For the last few weeks I've been trying to improve the security of my Zimbra Collab server. I use the open source edition, Release 8.7.2.GA.1736.UBUNTU14.64 UBUNTU14_64 FOSS edition, but this is with the 8.7.3 release.
If I test with:
https://www.htbridge.com/ssl -- result is an F
https://www.ssllabs.com/ssltest -- result is a B
How do I get better security?
Weak DH encryption
Forward secrecy - WEAK
Uses common DH primes - I created new 3072-bit ones
The server's Diffie-Hellman parameter is too small. (Non-compliant with NIST, HIPAA and PCI DSS)
The server supports elliptic curves that are considered weak. (Non-compliant with NIST, HIPAA and PCI DSS)
Also, this article doesn't make me more secure:
https://wiki.zimbra.com/wiki/How_to_obt ... urity_Test
Disabling the weak ciphers can create problems with some applications, as I found on Google. I didn't disable:
TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 (0x6b) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_256_CBC_SHA (0x39) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 (0x67) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_CBC_SHA (0x33) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) DH 1024 bits FS WEAK
TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (0x16) DH 1024 bits FS WEAK
Enable Strict Transport Security (HSTS) & Session resumption (caching)
zmprov mcf +zimbraResponseHeader "Strict-Transport-Security: max-age=31536000"
The result on the test website is that HSTS is not active...?
Also a set of guidelines:
Also, I tried to improve the NGINX config files as indicated on several sites, incl. Zimbra.
Please help and advise!
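An added audit script (not from the original post or from Zimbra) that checks a server for the three findings the post lists: it forces a DHE and then an ECDHE handshake with `openssl s_client` and parses the `Server Temp Key` line, then fetches the HTTP response headers and looks for HSTS. It assumes OpenSSL 1.0.2 or later and curl are installed; the 2048-bit DH and 224-bit curve thresholds are NIST SP 800-57's 112-bit security level, which is what the "DH 1024 bits WEAK" and "weak curves" findings refer to.

```shell
#!/bin/sh
# Added audit helper, not code from the forum post or from Zimbra.
# Flags the findings the post lists: small DH parameters, weak
# EC curves and a missing HSTS header. Assumes OpenSSL >= 1.0.2
# (prints "Server Temp Key") and curl are installed.

# Read `openssl s_client` output on stdin and print "TYPE BITS",
# e.g. "DH 1024", "ECDH 256" or "X25519 253". Prints nothing if
# the handshake never reached a temp key line.
temp_key_bits() {
    sed -n 's/^Server Temp Key: \([A-Za-z0-9]*\).*, \([0-9]*\) bits$/\1 \2/p' |
        head -n 1
}

# Rate a "TYPE BITS" string. Thresholds are NIST SP 800-57's
# 112-bit security level: 2048-bit finite-field DH, 224-bit EC.
rate_temp_key() {
    set -- $1
    [ -z "$2" ] && { echo UNKNOWN; return; }
    case $1 in
        DH) [ "$2" -ge 2048 ] && echo OK || echo WEAK ;;
        *)  [ "$2" -ge 224 ]  && echo OK || echo WEAK ;;
    esac
}

# Read HTTP response headers on stdin and print the HSTS max-age
# value; prints nothing when the header is absent (the post's result).
hsts_max_age() {
    tr -d '\r' | grep -i '^strict-transport-security:' |
        sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Live check of one host: force a DHE and then an ECDHE handshake so
# both key-exchange families get rated, then fetch the headers.
audit_host() {
    host=$1
    for kx in DHE ECDHE; do
        key=$(printf '' | openssl s_client -connect "$host:443" \
            -servername "$host" -tls1_2 -cipher "$kx" 2>/dev/null |
            temp_key_bits)
        echo "$kx: ${key:-not offered} $(rate_temp_key "$key")"
    done
    age=$(curl -sI "https://$host/" | hsts_max_age)
    echo "HSTS: ${age:+max-age=$age}${age:-missing}"
}

if [ "$#" -gt 0 ]; then audit_host "$1"; fi
```

Run it as `sh audit.sh mail.example.com` (hypothetical host) after each `zmprov` change; a DH line rated WEAK means the proxy is still serving the 1024-bit parameters rather than the new 3072-bit ones, and an empty HSTS line means the header is not reaching clients through the proxy.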