Enable TLS1.3: Difference between revisions
(Created page with "== Enabling TLS 1.3 == The administrator will have to execute separate steps for enabling TLS 1.3 on Zimbra Proxy (Nginx) and Zimbra Mailstore. === Execute the following st...") |
|||
(4 intermediate revisions by one other user not shown) | |||
Line 1: | Line 1: | ||
{{WIP}} | |||
== Enabling TLS 1.3 == | == Enabling TLS 1.3 == | ||
Line 9: | Line 11: | ||
* View the existing '''zimbraReverseProxySSLProtocols''': | * View the existing '''zimbraReverseProxySSLProtocols''': | ||
zmprov gcf zimbraReverseProxySSLProtocols | $ zmprov gcf zimbraReverseProxySSLProtocols | ||
zimbraReverseProxySSLProtocols: TLSv1 TLSv1.1 TLSv1.2 | zimbraReverseProxySSLProtocols: TLSv1 | ||
zimbraReverseProxySSLProtocols: TLSv1.1 | |||
zimbraReverseProxySSLProtocols: TLSv1.2 | |||
* Add TLSv1.3 to existing '''zimbraReverseProxySSLProtocols'''. | * Add TLSv1.3 to existing '''zimbraReverseProxySSLProtocols'''. | ||
zmprov mcf zimbraReverseProxySSLProtocols | $ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3 | ||
* Verify TLSv1.3 is added to '''zimbraReverseProxySSLProtocols'''. | * Verify TLSv1.3 is added to '''zimbraReverseProxySSLProtocols'''. | ||
zmprov gcf zimbraReverseProxySSLProtocols | $ zmprov gcf zimbraReverseProxySSLProtocols | ||
zimbraReverseProxySSLProtocols: TLSv1 TLSv1.1 TLSv1.2 TLSv1.3 | zimbraReverseProxySSLProtocols: TLSv1 | ||
zimbraReverseProxySSLProtocols: TLSv1.1 | |||
zimbraReverseProxySSLProtocols: TLSv1.2 | |||
zimbraReverseProxySSLProtocols: TLSv1.3 | |||
* View existing cipher's in '''zimbraReverseProxySSLCiphers'''. | * View existing cipher's in '''zimbraReverseProxySSLCiphers'''. | ||
zmprov gcf zimbraReverseProxySSLCiphers | $ zmprov gcf zimbraReverseProxySSLCiphers | ||
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 | zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 | ||
* Add TLSv1.3 cipher <code>TLS_AES_256_GCM_SHA384</code> to existing '''zimbraReverseProxySSLCiphers'''. | * Add TLSv1.3 cipher <code>TLS_AES_256_GCM_SHA384</code> to existing '''zimbraReverseProxySSLCiphers'''. | ||
zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:TLS_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4' | $ zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:TLS_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4' | ||
* Restart Zimbra Proxy service: | * Restart Zimbra Proxy service: | ||
zmproxyctl restart | $ zmproxyctl restart | ||
=== Execute the following steps on Zimbra Mailstore === | === Execute the following steps on Zimbra Mailstore === | ||
Line 34: | Line 41: | ||
* Get your current <code>mailboxd_java_options</code>: | * Get your current <code>mailboxd_java_options</code>: | ||
zmlocalconfig mailboxd_java_options | $ zmlocalconfig mailboxd_java_options | ||
mailboxd_java_options= | mailboxd_java_options = -server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true | ||
Add the TLSv1.3 to <code>https.protocols</code> and <code>tls.client.protocols</code>: | Add the TLSv1.3 to <code>https.protocols</code> and <code>tls.client.protocols</code>: | ||
zmlocalconfig -e mailboxd_java_options= | $ zmlocalconfig -e mailboxd_java_options='-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true' | ||
* Restart Zimbra Mailbox service: | * Restart Zimbra Mailbox service: | ||
zmmailboxdctl restart | $ zmmailboxdctl restart |
Revision as of 23:47, 6 April 2021
- This article is a Work in Progress, and may be unfinished or missing sections.
Enabling TLS 1.3
The administrator will have to execute separate steps for enabling TLS 1.3 on Zimbra Proxy (Nginx) and Zimbra Mailstore.
Execute the following steps on Zimbra Proxy (Nginx)
Execute these commands as zimbra
user
- View the existing zimbraReverseProxySSLProtocols:
$ zmprov gcf zimbraReverseProxySSLProtocols zimbraReverseProxySSLProtocols: TLSv1 zimbraReverseProxySSLProtocols: TLSv1.1 zimbraReverseProxySSLProtocols: TLSv1.2
- Add TLSv1.3 to existing zimbraReverseProxySSLProtocols.
$ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
- Verify TLSv1.3 is added to zimbraReverseProxySSLProtocols.
$ zmprov gcf zimbraReverseProxySSLProtocols zimbraReverseProxySSLProtocols: TLSv1 zimbraReverseProxySSLProtocols: TLSv1.1 zimbraReverseProxySSLProtocols: TLSv1.2 zimbraReverseProxySSLProtocols: TLSv1.3
- View existing cipher's in zimbraReverseProxySSLCiphers.
$ zmprov gcf zimbraReverseProxySSLCiphers zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
- Add TLSv1.3 cipher
TLS_AES_256_GCM_SHA384
to existing zimbraReverseProxySSLCiphers.
$ zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:TLS_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
- Restart Zimbra Proxy service:
$ zmproxyctl restart
Execute the following steps on Zimbra Mailstore
Execute these commands as zimbra
user
- Get your current
mailboxd_java_options
:
$ zmlocalconfig mailboxd_java_options mailboxd_java_options = -server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true
Add the TLSv1.3 to https.protocols
and tls.client.protocols
:
$ zmlocalconfig -e mailboxd_java_options='-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true'
- Restart Zimbra Mailbox service:
$ zmmailboxdctl restart