Tonight i was working on getting a client's Zimbra SSL configuration up to scratch, and found it somewhat difficult to get our server to make Qualys' SSL Labs scanner happy. I was working from the following Zimbra wiki pages:
It seems that as of Zimbra 8 (possibly before that?) there is no longer any need to configure jetty - everything seems to go through nginx as an SSL reverse proxy.I tried several different combinations and still kept getting insecure ciphers in the Qualys scan results until i stumbled across this nginx forum post and these certificate installation instructions. Between them i managed to glean that:
- !aNULL is necessary to disable unauthenticated ciphers like TLS_DH_anon_WITH_AES_128_CBC_SHA and TLS_ECDH_anon_WITH_RC4_128_SHA (the latter is particularly infrequent in Google's search results).
- !eNULL is necessary to disable null encryption
- RC4 needs to be preferred over the other HIGH ciphers in order to mitigate the Beast attack (more at Qualys' page about it - although note their update about the status of RC4)
So the commands i ended up with for Zimbra were:zmprov modifyConfig zimbraReverseProxySSLCiphers '!ADH:!eNULL:!aNULL:!DHE-RSA-AES256-SHA:!SSLv2:!MD5:RC4:HIGH'zmmailboxdctl restartThis was enough to get us an "A" rating in Qualys' eyes.