Securing Zimbra 8.0.4 on mail2.abc.co.id against the CCS Injection Vulnerability and the POODLE Attack

SSL Labs check results:

  1. CCS Injection Vulnerability
  2. POODLE Attack

Solution:

  1. Set TLSv1 TLSv1.1 TLSv1.2 on HTTPS connections.
  2. Disable weak TLS ciphers, including SSLv3.
  3. Update / patch OpenSSL.

This trial was carried out on mail2.abc.co.id because it runs the same version, 8.0.4, and because experimenting on the production mail server is not an option.

Install zimbra-proxy using the installer of the Zimbra version that is currently running. To find the Zimbra version, run zmcontrol -v (as the zimbra user). Then run the installer:

./install.sh

Answer the prompts as follows:

Do you agree with the terms of the software license agreement? [N] Y

Do you agree with the terms of the software license agreement? [N] Y

Do you want to verify message store database integrity? [Y] N

Do you wish to upgrade? [Y] Y

Install zimbra-memcached [N] N
Install zimbra-proxy [N] Y

The system will be modified.  Continue? [N] Y

Notify Zimbra of your installation? [Yes] Yes

Full log:

root@mail2:/home/dhuka/zcs-8.0.4_GA_5737.UBUNTU12_64.20130524120036# ./install.sh 
Operations logged to /tmp/install.log.8895
Checking for existing installation...
    zimbra-ldap...FOUND zimbra-ldap-8.0.4.GA.5737.UBUNTU12.64
    zimbra-logger...FOUND zimbra-logger-8.0.4.GA.5737.UBUNTU12.64
    zimbra-mta...FOUND zimbra-mta-8.0.4.GA.5737.UBUNTU12.64
    zimbra-snmp...FOUND zimbra-snmp-8.0.4.GA.5737.UBUNTU12.64
    zimbra-store...FOUND zimbra-store-8.0.4.GA.5737.UBUNTU12.64
    zimbra-apache...FOUND zimbra-apache-8.0.4.GA.5737.UBUNTU12.64
    zimbra-spell...FOUND zimbra-spell-8.0.4.GA.5737.UBUNTU12.64
    zimbra-convertd...NOT FOUND
    zimbra-memcached...NOT FOUND
    zimbra-proxy...NOT FOUND
    zimbra-archiving...NOT FOUND
    zimbra-cluster...NOT FOUND
    zimbra-core...FOUND zimbra-core-8.0.4.GA.5737.UBUNTU12.64
ZCS upgrade from 8.0.4 to 8.0.4 will be performed.
Saving existing configuration file to /opt/zimbra/.saveconfig

PLEASE READ THIS AGREEMENT CAREFULLY BEFORE USING THE SOFTWARE.
ZIMBRA, INC. ("ZIMBRA") WILL ONLY LICENSE THIS SOFTWARE TO YOU IF YOU
FIRST ACCEPT THE TERMS OF THIS AGREEMENT. BY DOWNLOADING OR INSTALLING
THE SOFTWARE, OR USING THE PRODUCT, YOU ARE CONSENTING TO BE BOUND BY
THIS AGREEMENT. IF YOU DO NOT AGREE TO ALL OF THE TERMS OF THIS
AGREEMENT, THEN DO NOT DOWNLOAD, INSTALL OR USE THE PRODUCT.
License Terms for the Zimbra Collaboration Suite:
  http://www.zimbra.com/license/zimbra_public_eula_2.1.html
Do you agree with the terms of the software license agreement? [N] Y

Oracle Binary Code License Agreement for the Java SE Platform Products
ORACLE  AMERICA, INC. ("ORACLE"), FOR AND ON BEHALF OF ITSELF AND ITS SUBSIDIARIES AND AFFILIATES UNDER COMMON CONTROL, IS WILLING TO  LICENSE  THE SOFTWARE  TO YOU ONLY UPON THE CONDITION THAT YOU ACCEPT ALL OF THE TERMS  CONTAINED IN THIS BINARY CODE LICENSE AGREEMENT AND SUPPLEMENTAL  LICENSE TERMS (COLLECTIVELY "AGREEMENT").  PLEASE READ THE AGREEMENT  CAREFULLY.  BY SELECTING THE "ACCEPT LICENSE AGREEMENT" (OR THE EQUIVALENT) BUTTON AND/OR BY USING THE SOFTWARE YOU ACKNOWLEDGE THAT YOU HAVE READ THE TERMS AND AGREE TO THEM.  IF YOU ARE AGREEING TO THESE TERMS ON BEHALF OF A  COMPANY OR OTHER LEGAL ENTITY, YOU REPRESENT THAT YOU HAVE THE LEGAL  AUTHORITY TO BIND THE LEGAL ENTITY TO THESE TERMS.  IF YOU DO NOT HAVE SUCH  AUTHORITY, OR IF YOU DO NOT WISH TO BE BOUND BY THE TERMS, THEN SELECT THE "DECLINE LICENSE AGREEMENT" (OR THE EQUIVALENT) BUTTON AND YOU MUST NOT USE THE SOFTWARE ON THIS SITE OR ANY OTHER MEDIA ON WHICH THE SOFTWARE IS CONTAINED.
|
--8<--SNIP--
|
Redwood Shores, California 94065, USA.
Last updated May 17, 2011

Do you agree with the terms of the software license agreement? [N] Y
Checking for prerequisites...
     FOUND: NPTL
     FOUND: netcat-openbsd-1.89-4ubuntu1
     FOUND: sudo-1.8.3p1-1ubuntu3.3
     FOUND: libidn11-1.23-2
     FOUND: libpcre3-8.12-4
     FOUND: libgmp3c2-2:4.3.2+dfsg-2ubuntu1
     FOUND: libexpat1-2.0.1-7.2ubuntu1.1
     FOUND: libstdc++6-4.6.3-1ubuntu5
     FOUND: libperl5.14-5.14.2-6ubuntu2.2
Checking for suggested prerequisites...
     FOUND: pax
     FOUND: perl-5.14.2
     FOUND: sysstat
     FOUND: sqlite3
Prerequisite check complete.
Checking current number of databases...
Do you want to verify message store database integrity? [Y] N
Checking for installable packages
Found zimbra-core
Found zimbra-ldap
Found zimbra-logger
Found zimbra-mta
Found zimbra-snmp
Found zimbra-store
Found zimbra-apache
Found zimbra-spell
Found zimbra-memcached
Found zimbra-proxy

The Zimbra Collaboration Server appears already to be installed.
It can be upgraded with no effect on existing accounts,
or the current installation can be completely removed prior
to installation for a clean install.
Do you wish to upgrade? [Y] Y
Select the packages to install
    Upgrading zimbra-core
    Upgrading zimbra-ldap
    Upgrading zimbra-logger
    Upgrading zimbra-mta
    Upgrading zimbra-snmp
    Upgrading zimbra-store
    Upgrading zimbra-apache
    Upgrading zimbra-spell
Install zimbra-memcached [N] N
Install zimbra-proxy [N] Y
Checking required space for zimbra-core
Checking space for zimbra-store
Installing:
    zimbra-core
    zimbra-ldap
    zimbra-logger
    zimbra-mta
    zimbra-snmp
    zimbra-store
    zimbra-apache
    zimbra-spell
    zimbra-proxy
The system will be modified.  Continue? [N] Y
Shutting down zimbra mail
Backing up the ldap database...done.
Removing existing packages
   zimbra-ldap...done
   zimbra-logger...done
   zimbra-mta...done
   zimbra-snmp...done
   zimbra-store...done
   zimbra-spell...done
   zimbra-apache...done
   zimbra-core...done
Removing deployed webapp directories
Installing packages
    zimbra-core......zimbra-core_8.0.4.GA.5737.UBUNTU12.64_amd64.deb...done
    zimbra-ldap......zimbra-ldap_8.0.4.GA.5737.UBUNTU12.64_amd64.deb...done
    zimbra-logger......zimbra-logger_8.0.4.GA.5737.UBUNTU12.64_amd64.deb...done
    zimbra-mta......zimbra-mta_8.0.4.GA.5737.UBUNTU12.64_amd64.deb...done
    zimbra-snmp......zimbra-snmp_8.0.4.GA.5737.UBUNTU12.64_amd64.deb...done
    zimbra-store......zimbra-store_8.0.4.GA.5737.UBUNTU12.64_amd64.deb...done
    zimbra-apache......zimbra-apache_8.0.4.GA.5737.UBUNTU12.64_amd64.deb...done
    zimbra-spell......zimbra-spell_8.0.4.GA.5737.UBUNTU12.64_amd64.deb...done
    zimbra-proxy......zimbra-proxy_8.0.4.GA.5737.UBUNTU12.64_amd64.deb...done
Setting defaults from saved config in /opt/zimbra/.saveconfig/config.save
   HOSTNAME=mail2.abc.co.id
   LDAPHOST=mail2.abc.co.id
   LDAPPORT=389
   SNMPTRAPHOST=mail2.abc.co.id
   SMTPSOURCE=admin@mail2.abc.co.id
   SMTPDEST=admin@mail2.abc.co.id
   SNMPNOTIFY=yes
   SMTPNOTIFY=yes
   LDAPROOTPW=GLcHa6eCA
   LDAPZIMBRAPW=GLcHa6eCA
   LDAPPOSTPW=GLcHa6eCA
   LDAPREPPW=GLcHa6eCA
   LDAPAMAVISPW=GLcHa6eCA
   LDAPNGINXPW=GLcHa6eCA
Restoring existing configuration file from /opt/zimbra/.saveconfig/localconfig.xml...done
Operations logged to /tmp/zmsetup.04072015-090607.log
Running zmldapapplyldif...done.
Checking ldap status....not running.
Starting ldap...done.
Setting defaults...done.
Setting defaults from existing config...done.
Checking for port conflicts
Setting defaults from ldap...done.
Saving config in /opt/zimbra/config.3638...done.
Operations logged to /tmp/zmsetup.04072015-090607.log
Setting local config values...done.
Initializing core config...Setting up CA...done.
Deploying CA to /opt/zimbra/conf/ca ...done.
Setting replication password...done.
Setting Postfix password...done.
Setting amavis password...done.
Setting nginx password...done.
Creating server entry for mail2.abc.co.id...already exists.
Setting Zimbra IP Mode...done.
Saving CA in ldap ...done.
Saving SSL Certificate in ldap ...done.
Setting service ports on mail2.abc.co.id...done.
Adding mail2.abc.co.id to zimbraMailHostPool in default COS...done.
Setting Keyboard Shortcut Preferences...done.
Setting zimbraFeatureTasksEnabled=TRUE...done.
Setting zimbraFeatureBriefcasesEnabled=FALSE...done.
Setting MTA auth host...done.
Setting TimeZone Preference...done.
Initializing mta config...done.
Setting services on mail2.abc.co.id...done.
Creating user spam.lacztdgpp@mail2.abc.co.id...already exists.
Creating user ham.whtwh7nnri@mail2.abc.co.id...already exists.
Creating user virus-quarantine.yldr5t3vht@mail2.abc.co.id...already exists.
Setting spam training and Anti-virus quarantine accounts...done.
Configuring SNMP...done.
Setting up syslog.conf...done.
Starting servers...done.
Checking for deprecated zimlets...done.
Checking for network zimlets in LDAP...done.
Removing network zimlets...
Finished removing network zimlets.
Installing common zimlets...
    com_zimbra_srchhighlighter...done.
    com_zimbra_url...done.
    com_zimbra_webex...done.
    com_zimbra_email...done.
    com_zimbra_date...done.
    com_zimbra_attachmail...done.
    com_zimbra_viewmail...done.
    com_zimbra_bulkprovision...done.
    com_zimbra_proxy_config...done.
    com_zimbra_tooltip...done.
    com_zimbra_clientuploader...done.
    com_zimbra_ymemoticons...done.
    com_zimbra_attachcontacts...done.
    com_zimbra_adminversioncheck...done.
    com_zimbra_phone...done.
    com_zimbra_cert_manager...done.
Finished installing common zimlets.
Getting list of all zimlets...done.
Updating non-standard zimlets...
Finished updating non-standard zimlets.
Restarting mailboxd...done.
Skipping creation of default domain GAL sync account - existing install detected.
You have the option of notifying Zimbra of your installation.
This helps us to track the uptake of the Zimbra Collaboration Server.
The only information that will be transmitted is:
    The VERSION of zcs installed (8.0.4_GA_5737_UBUNTU12_64)
    The ADMIN EMAIL ADDRESS created (admin@abc.co.id)
Notify Zimbra of your installation? [Yes] Yes
Notifying Zimbra of installation via http://www.zimbra.com/cgi-bin/notify.cgi?VER=8.0.4_GA_5737_UBUNTU12_64&MAIL=admin@abc.co.id
Notification complete
Setting up zimbra crontab...done.

Moving /tmp/zmsetup.04072015-090607.log to /opt/zimbra/log

Configuration complete - press return to exit

You have new mail in /var/mail/root
root@mail2:/home/dhuka/zcs-8.0.4_GA_5737.UBUNTU12_64.20130524120036#

Then check the Zimbra proxy status:

root@mail2:/home/dhuka/zcs-8.0.4_GA_5737.UBUNTU12_64.20130524120036# su - zimbra
zimbra@mail2:~$ zmcontrol status
Host mail2.abc.co.id
    antispam                Running
    antivirus               Running
    ldap                    Running
    logger                  Running
    mailbox                 Running
    mta                     Running
    opendkim                Running
    proxy                   Running
    snmp                    Running
    stats                   Running
    zmconfigd               Running
zimbra@mail2:~$

Because the proxy ports will be set to replace the existing ones, the existing ports must first be moved to different values to avoid conflicts.

zimbra@mail2:~$ zmprov ms `zmhostname` \
> zimbraImapBindPort 6143 \
> zimbraImapSSLBindPort 6993 \
> zimbraPop3BindPort 6110 \
> zimbraPop3SSLBindPort 6995 \
> zimbraMailSSLPort 6443 \
> zimbraMailPort 680

Check that the ports are now set as above:

zimbra@mail2:~$ zmprov -l gs `zmhostname` | grep -i port
zimbraAdminImapImportNumThreads: 20
zimbraAdminPort: 7071
zimbraAdminProxyPort: 9071
zimbraBackupReportEmailSubjectPrefix: ZCS Backup Report
zimbraImapBindPort: 6143
zimbraImapProxyBindPort: 7143
zimbraImapSSLBindPort: 6993
zimbraImapSSLProxyBindPort: 7993
zimbraLmtpBindPort: 7025
zimbraMailPort: 680
zimbraMailProxyPort: 8080
zimbraMailSSLClientCertPort: 9443
zimbraMailSSLPort: 6443
zimbraMailSSLProxyClientCertPort: 3443
zimbraMailSSLProxyPort: 8443
zimbraMemcachedBindPort: 11211
zimbraMessageChannelPort: 7285
zimbraMilterBindPort: 7026
zimbraNotifyBindPort: 7035
zimbraNotifySSLBindPort: 7036
zimbraPop3BindPort: 6110
zimbraPop3ProxyBindPort: 7110
zimbraPop3SSLBindPort: 6995
zimbraPop3SSLProxyBindPort: 7995
zimbraRemoteManagementPort: 22
zimbraSmtpPort: 25

If they are, restart with zmcontrol:

zimbra@mail2:~$ zmcontrol restart
Host mail2.abc.co.id
    Stopping vmware-ha...Done.
    Stopping zmconfigd...Done.
    Stopping stats...Done.
    Stopping mta...Done.
    Stopping spell...Done.
    Stopping snmp...Done.
    Stopping cbpolicyd...Done.
    Stopping archiving...Done.
    Stopping opendkim...Done.
    Stopping antivirus...Done.
    Stopping antispam...Done.
    Stopping proxy...Done.
    Stopping memcached...Done.
    Stopping mailbox...Done.
    Stopping logger...Done.
    Stopping ldap...Done.
Host mail2.abc.co.id
    Starting ldap...Done.
    Starting zmconfigd...Done.
    Starting logger...Done.
    Starting mailbox...Done.
    Starting proxy...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting opendkim...Done.
    Starting snmp...Done.
    Starting mta...Done.
    Starting stats...Done.
zimbra@mail2:~$

Then set the correct ports and restart Zimbra:

zimbra@mail2:~$ zmprov ms `zmhostname` \
> zimbraImapBindPort 7143 \
> zimbraImapProxyBindPort 143 \
> zimbraImapSSLBindPort 7993 \
> zimbraImapSSLProxyBindPort 993 \
> zimbraPop3BindPort 7110 \
> zimbraPop3ProxyBindPort 110 \
> zimbraPop3SSLBindPort 7995 \
> zimbraPop3SSLProxyBindPort 995 \
> zimbraMailSSLPort 7443 \
> zimbraMailSSLProxyPort 443 \
> zimbraReverseProxyHttpEnabled TRUE \
> zimbraMailProxyPort 80 \
> zimbraMailPort 8080 \
> zimbraMailMode https \
> zimbraReverseProxyMailMode https \
> zimbraReverseProxySSLToUpstreamEnabled TRUE
You have new mail in /var/mail/zimbra
zimbra@mail2:~$ zmcontrol restart
Host mail2.abc.co.id
    Stopping vmware-ha...Done.
    Stopping zmconfigd...Done.
    Stopping stats...Done.
    Stopping mta...Done.
    Stopping spell...Done.
    Stopping snmp...Done.
    Stopping cbpolicyd...Done.
    Stopping archiving...Done.
    Stopping opendkim...Done.
    Stopping antivirus...Done.
    Stopping antispam...Done.
    Stopping proxy...Done.
    Stopping memcached...Done.
    Stopping mailbox...Done.
    Stopping logger...Done.
    Stopping ldap...Done.
Host mail2.abc.co.id
    Starting ldap...Done.
    Starting zmconfigd...Done.
    Starting logger...Done.
    Starting mailbox...Done.
    Starting proxy...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting opendkim...Done.
    Starting snmp...Done.
    Starting mta...Done.
    Starting stats...Done.
zimbra@mail2:~$
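
The port moves above only work if no two listeners end up on the same port and the client-facing ports land on the proxy. The script below is an added example, not part of the original post: it audits the output of zmprov -l gs `zmhostname` | grep -i port for both conditions. The sample dumps are constructed from the values shown above, and COLLIDE is a hypothetical mistake (backend IMAP moved to 7143 while the proxy still holds it).

```sh
#!/bin/sh
# Added example: audit a `zmprov -l gs <host> | grep -i port` dump on stdin.

# port_conflicts: print every port number assigned to more than one
# attribute; exit status 1 if any is found.
port_conflicts() {
    awk -F': *' '
        # Only attributes whose name ends in "Port" and whose value is a
        # number; grep -i port also returns zimbraAdminImapImportNumThreads
        # and zimbraBackupReportEmailSubjectPrefix, which are not ports.
        $1 ~ /Port$/ && $2 ~ /^[0-9]+$/ {
            owners[$2] = (owners[$2] == "" ? $1 : owners[$2] "," $1)
            count[$2]++
        }
        END {
            for (p in count) if (count[p] > 1) { print p ": " owners[p]; bad = 1 }
            exit bad + 0
        }'
}

# proxy_owns_public_ports: succeed only when each client-facing port used in
# the post (143 993 110 995 443 80) belongs to a *Proxy* attribute.
proxy_owns_public_ports() {
    awk -F': *' '
        $1 ~ /Port$/ && $2 ~ /^[0-9]+$/ { owner[$2] = $1 }
        END {
            n = split("143 993 110 995 443 80", want, " ")
            for (i = 1; i <= n; i++) {
                o = (want[i] in owner) ? owner[want[i]] : "unassigned"
                if (o !~ /Proxy/) { print "port " want[i] ": " o; bad = 1 }
            }
            exit bad + 0
        }'
}

# Constructed samples built from the values shown in the post.
STAGED='zimbraAdminImapImportNumThreads: 20
zimbraBackupReportEmailSubjectPrefix: ZCS Backup Report
zimbraImapBindPort: 6143
zimbraImapProxyBindPort: 7143
zimbraImapSSLBindPort: 6993
zimbraImapSSLProxyBindPort: 7993
zimbraMailPort: 680
zimbraMailProxyPort: 8080
zimbraMailSSLPort: 6443
zimbraMailSSLProxyPort: 8443'
# Hypothetical mistake: backend IMAP moved to 7143 before the proxy left it.
COLLIDE=$(printf '%s\n' "$STAGED" |
    sed 's/^zimbraImapBindPort: .*/zimbraImapBindPort: 7143/')
FINAL='zimbraImapBindPort: 7143
zimbraImapProxyBindPort: 143
zimbraImapSSLBindPort: 7993
zimbraImapSSLProxyBindPort: 993
zimbraPop3BindPort: 7110
zimbraPop3ProxyBindPort: 110
zimbraPop3SSLBindPort: 7995
zimbraPop3SSLProxyBindPort: 995
zimbraMailSSLPort: 7443
zimbraMailSSLProxyPort: 443
zimbraMailProxyPort: 80
zimbraMailPort: 8080'

audit() {   # audit LABEL DUMP
    printf '%s\n' "$2" | port_conflicts >/dev/null && c=none || c=found
    printf '%s\n' "$2" | proxy_owns_public_ports >/dev/null && p=yes || p=no
    echo "$1: conflicts=$c proxy-owns-public-ports=$p"
}
audit staged "$STAGED"; audit collide "$COLLIDE"; audit final "$FINAL"
```

On a live server, pipe the real zmprov output into port_conflicts and proxy_owns_public_ports before running zmcontrol restart.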

Setting SSL Config

zimbra@mail2:~$ zmprov mcf zimbraReverseProxySSLCiphers 'EECDH:EDH:SHA256:SHA384:!RC4:HIGH:!aNULL:!MD5:!kEDH:!AD:!SSLv2:!NULL:!3DES'

Edit the following files in /opt/zimbra/conf/nginx/templates/. Make sure to back them up first.

nginx.conf.mail.imaps.default.template
nginx.conf.mail.imaps.template
nginx.conf.mail.imap.default.template (for starttls)
nginx.conf.mail.imap.template (for starttls)
nginx.conf.mail.pop3s.default.template
nginx.conf.mail.pop3s.template
nginx.conf.mail.pop3.default.template (for starttls)
nginx.conf.mail.pop3.template (for starttls)
nginx.conf.mail.template
nginx.conf.web.admin.default.template
nginx.conf.web.admin.template
nginx.conf.web.https.default.template
nginx.conf.web.https.template
nginx.conf.web.sso.default.template
nginx.conf.web.sso.template

Add the option below to every ssl block in each of the files above:

ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

For example, if the ssl block initially looks like this:

 ssl                     on;
 ssl_prefer_server_ciphers ${web.ssl.preferserverciphers};
 ssl_ciphers             ${web.ssl.ciphers};
 ssl_certificate         ${ssl.crt.default};
 ssl_certificate_key     ${ssl.key.default};

it becomes:

 ssl                     on;
 ssl_prefer_server_ciphers ${web.ssl.preferserverciphers};
 ssl_ciphers             ${web.ssl.ciphers};
 ssl_certificate         ${ssl.crt.default};
 ssl_certificate_key     ${ssl.key.default};
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

For nginx.conf.web.https.default.template and nginx.conf.web.https.template specifically, add the following:

ssl on; 
ssl_prefer_server_ciphers ${web.ssl.preferserverciphers}; 
# Add extra items for A+ rating 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2; 
add_header Strict-Transport-Security max-age=15768000; 
ssl_ciphers ${web.ssl.ciphers};
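
Editing fifteen templates by hand invites a missed block, so here is a script that does the backup and the ssl_protocols edit in one pass. It is an added example, not from the original post or from Zimbra; it assumes every ssl block carries an ssl_ciphers line (as both blocks shown above do) and places ssl_protocols right after it. The Strict-Transport-Security header for the two web.https templates is still added by hand.

```sh
#!/bin/sh
# Added example: pin ssl_protocols in the nginx templates listed in the post.
PROTOCOLS='TLSv1 TLSv1.1 TLSv1.2'   # value taken from the post

# template_names: the 15 template files named in the post.
template_names() {
    echo nginx.conf.mail.template
    for p in mail.imaps mail.imap mail.pop3s mail.pop3 web.admin web.https web.sso; do
        echo "nginx.conf.$p.default.template"
        echo "nginx.conf.$p.template"
    done
}

# pin_ssl_protocols FILE: back FILE up once as FILE.orig, drop any existing
# ssl_protocols line (it may still allow SSLv3), then add one after every
# active ssl_ciphers directive, reusing that line's indentation.
# Running it again leaves the file unchanged.
pin_ssl_protocols() {
    f=$1
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    [ -f "$f.orig" ] || cp -p "$f" "$f.orig" || return 1
    tmp=$(mktemp) || return 1
    awk -v protos="$PROTOCOLS" '
        /^[ \t]*ssl_protocols[ \t]/ { next }      # remove stale setting
        { print }
        /^[ \t]*ssl_ciphers[ \t]/ {               # commented lines do not match
            indent = $0; sub(/ssl_ciphers.*/, "", indent)
            print indent "ssl_protocols " protos ";"
        }' "$f" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Overwrite the contents in place so owner and mode stay as they were.
    cat "$tmp" > "$f" && rm -f "$tmp"
}

# pin_all DIR: apply pin_ssl_protocols to each listed template found in DIR.
pin_all() {
    dir=$1; rc=0
    for name in $(template_names); do
        [ -f "$dir/$name" ] || { echo "skip (absent): $name" >&2; continue; }
        pin_ssl_protocols "$dir/$name" || rc=1
    done
    return $rc
}

# Usage: sh thisfile /opt/zimbra/conf/nginx/templates
if [ $# -gt 0 ]; then pin_all "$1"; fi
```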

Then restart zmproxy:

zmproxyctl restart

  1. Disable weak SSL/TLS ciphers on the mailbox

Run the command below:

zimbra@mail2:~$ zmprov mcf +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 \
 +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA \
 +zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA  \
 +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 \
 +zimbraSSLExcludeCipherSuites DHE-RSA-AES256-SHA256 \
 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_DES_CBC_SHA  \
 +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_DES_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_WITH_DES_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_RC4_40_MD5 \
 +zimbraSSLExcludeCipherSuites SSL_RSA_EXPORT_WITH_DES40_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_DHE_DSS_EXPORT_WITH_DES40_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_RSA_WITH_3DES_EDE_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_EXPORT_WITH_DES40_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_RSA_EXPORT_WITH_DES40_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_DES_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
 +zimbraSSLExcludeCipherSuites SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 \
 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_128_CBC_SHA256 \
 +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 \
 +zimbraSSLExcludeCipherSuites TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA \
 +zimbraSSLExcludeCipherSuites TLS_RSA_WITH_AES_256_CBC_SHA256 
zimbra@mail2:~$ zmproxyctl restart
Stopping nginx...done.
Starting nginx...done.
You have new mail in /var/mail/zimbra
zimbra@mail2:~$

Then restart the mailbox:

zimbra@mail2:~$ zmmailboxdctl restart
Stopping mailboxd...done.
Starting mailboxd...done.
zimbra@mail2:~$

  1. Patching OpenSSL

Change directory to /tmp/ and download the file "http://files.zimbra.com/downloads/security/zmopenssl-updater.sh":

root@mail2:/opt/zimbra/conf/nginx/templates# cd /tmp/
root@mail2:/tmp# wget -c "http://files.zimbra.com/downloads/security/zmopenssl-updater.sh"
--2015-04-07 12:58:22--  http://files.zimbra.com/downloads/security/zmopenssl-updater.sh
Resolving files.zimbra.com (files.zimbra.com)... 54.230.159.200
Connecting to files.zimbra.com (files.zimbra.com)|54.230.159.200|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://files.zimbra.com/downloads/security/zmopenssl-updater.sh [following]
--2015-04-07 12:58:26--  https://files.zimbra.com/downloads/security/zmopenssl-updater.sh
Connecting to files.zimbra.com (files.zimbra.com)|54.230.159.200|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 2788 (2.7K) [application/x-unknown-content-type]
Saving to: `zmopenssl-updater.sh'
100%[==============================================================================================================================>] 2,788       --.-K/s   in 0s      
2015-04-07 12:58:31 (697 MB/s) - `zmopenssl-updater.sh' saved [2788/2788]

Make the script executable, then run it:

root@mail2:/tmp# chmod a+rx zmopenssl-updater.sh
root@mail2:/tmp# ./zmopenssl-updater.sh 
Downloading patched openssl
Validating patched openssl: success
Backing up old openssl: complete
Installing patched openssl: complete
OpenSSL patch process complete.
Please restart Zimbra Collaboration Suite as the Zimbra user via zmcontrol restart
root@mail2:/tmp#

Restart Zimbra with zmcontrol, then check the OpenSSL version:

zimbra@mail2:~$ zmcontrol restart
Host mail2.abc.co.id
    Stopping vmware-ha...Done.
    Stopping zmconfigd...Done.
    Stopping stats...Done.
    Stopping mta...Done.
    Stopping spell...Done.
    Stopping snmp...Done.
    Stopping cbpolicyd...Done.
    Stopping archiving...Done.
    Stopping opendkim...Done.
    Stopping antivirus...Done.
    Stopping antispam...Done.
    Stopping proxy...Done.
    Stopping memcached...Done.
    Stopping mailbox...Done.
    Stopping logger...Done.
    Stopping ldap...Done.
Host mail2.abc.co.id
    Starting ldap...Done.
    Starting zmconfigd...Done.
    Starting logger...Done.
    Starting mailbox...Done.
    Starting proxy...Done.
    Starting antispam...Done.
    Starting antivirus...Done.
    Starting opendkim...Done.
    Starting snmp...Done.
    Starting mta...Done.
    Starting stats...Done.
zimbra@mail2:~$ openssl version
OpenSSL 1.0.1h 5 Jun 2014
You have new mail in /var/mail/zimbra
zimbra@mail2:~$

Testing:

root@mail2:/opt/zimbra/conf/nginx/templates# openssl s_time -connect localhost:443 -new -cipher AES256-SHA
Collecting connection statistics for 30 seconds
ERROR
140543357974176:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1247:SSL alert number 40
root@mail2:/opt/zimbra/conf/nginx/templates#

With a for loop:

zimbra@mail2:~$ for p in 993 995 443 ; do echo Port $p ; timeout 3 openssl s_client -connect `zmhostname`:$p -ssl3 |grep failure ; done
Port 993
140567794857632:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140567794857632:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
Port 995
140486668211872:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140486668211872:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
Port 443
140321034884768:error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure:s3_pkt.c:1275:SSL alert number 40
140321034884768:error:1409E0E5:SSL routines:SSL3_WRITE_BYTES:ssl handshake failure:s3_pkt.c:598:
You have new mail in /var/mail/zimbra

Alternatively, check via SSL Labs.

Done.

References:

  1. http://blog.capitar.com/getting-a-better-zimbra-ssl-labs-rating/
  2. https://wiki.zimbra.com/wiki/How_to_disable_SSLv3
  3. http://wiki.zimbra.com/wiki/ShanxT-Removing-Insecure-SSL-Ciphers
  4. http://forums.zimbra.com/announcements/73677-20140606-zimbra-security-advisory-cve-2014-0224-ccs-injection-vulnerability.html