Setting up Zimbra for strong ciphers only

Tonight I was working on getting a client’s Zimbra SSL configuration up to scratch, and found it somewhat difficult to get our server to make Qualys’ SSL Labs scanner happy. I was working from the following Zimbra wiki pages:

It seems that as of Zimbra 8 (possibly before that?) there is no longer any need to configure jetty – everything seems to go through nginx as an SSL reverse proxy.

I tried several different combinations and still kept getting insecure ciphers in the Qualys scan results until I stumbled across this nginx forum post and these certificate installation instructions. Between them I managed to glean that:

So the commands I ended up with for Zimbra were:

    zmprov modifyConfig zimbraReverseProxySSLCiphers '!ADH:!eNULL:!aNULL:!DHE-RSA-AES256-SHA:!SSLv2:!MD5:RC4:HIGH'
    zmmailboxdctl restart

This was enough to get us an “A” rating in Qualys’ eyes.
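To see which suites the cipher string above actually enables on a given host, it can be expanded against the local OpenSSL build before it is pushed to the proxy. This is an added example, not part of the original post or of Zimbra's tooling; it uses Python's standard `ssl` module, and the helper names (`parse_description`, `findings`, `audit`) are made up for illustration.

```python
import ssl

# Cipher string from the post above.
ZIMBRA_CIPHERS = "!ADH:!eNULL:!aNULL:!DHE-RSA-AES256-SHA:!SSLv2:!MD5:RC4:HIGH"


def parse_description(desc):
    """Split an OpenSSL cipher description into its Kx/Au/Enc/Mac fields."""
    fields = {}
    for token in desc.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def findings(fields):
    """Return the reasons a suite deserves a second look (empty list if none)."""
    reasons = []
    enc = fields.get("Enc", "")
    if enc.startswith("RC4"):
        reasons.append("RC4 (prohibited by RFC 7465)")
    if enc.startswith("3DES"):
        reasons.append("3DES (64-bit block cipher)")
    if enc == "None":
        reasons.append("no encryption")
    if fields.get("Au") == "None":
        reasons.append("anonymous key exchange")
    if fields.get("Mac") == "MD5":
        reasons.append("MD5 MAC")
    if fields.get("Kx") == "RSA":
        reasons.append("no forward secrecy")
    return reasons


def audit(cipher_string):
    """Expand cipher_string with the local OpenSSL; return [(name, reasons)]."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], findings(parse_description(c["description"])))
            for c in ctx.get_ciphers()]


if __name__ == "__main__":
    print(ssl.OPENSSL_VERSION)
    for name, reasons in audit(ZIMBRA_CIPHERS):
        print(f"{name:32} {', '.join(reasons) or 'ok'}")
```

The expansion depends on the OpenSSL build Python is linked against, which may differ from the one Zimbra's nginx uses, so treat the output as a check of the string's logic and confirm the live result with a scan.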


Source: libertysys.com.au