Enable TLS1.3: Difference between revisions
Revision as of 07:11, 5 April 2021
- This article is a Work in Progress, and may be unfinished or missing sections.
Enabling TLS 1.3
The administrator will have to execute separate steps for enabling TLS 1.3 on Zimbra Proxy (Nginx) and Zimbra Mailstore.
Execute the following steps on Zimbra Proxy (Nginx)
Execute these commands as the zimbra user.
- View the existing zimbraReverseProxySSLProtocols:
$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
- Add TLSv1.3 to existing zimbraReverseProxySSLProtocols.
$ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
- Verify TLSv1.3 is added to zimbraReverseProxySSLProtocols.
$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLProtocols: TLSv1.3
- View the existing ciphers in zimbraReverseProxySSLCiphers:
$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
- Add the TLSv1.3 cipher TLS_AES_256_GCM_SHA384 to the existing zimbraReverseProxySSLCiphers:
$ zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:TLS_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
- Restart Zimbra Proxy service:
$ zmproxyctl restart
Execute the following steps on Zimbra Mailstore
Execute these commands as the zimbra user.
- Get your current mailboxd_java_options:
$ zmlocalconfig mailboxd_java_options
mailboxd_java_options="-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true -Djavax.net.debug=ssl,handshake,data"
- Add TLSv1.3 to both https.protocols and jdk.tls.client.protocols:
$ zmlocalconfig -e mailboxd_java_options="-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true -Djavax.net.debug=ssl,handshake,data"
- Restart Zimbra Mailbox service:
$ zmmailboxdctl restart
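As an added post-change check (not part of the original article or of Zimbra itself), the script below parses the output formats shown above, the multi-line `zmprov gcf zimbraReverseProxySSLProtocols` listing and the `mailboxd_java_options` string from `zmlocalconfig`, and reports for each component whether TLSv1.3 is now enabled and which legacy protocol versions (TLSv1, TLSv1.1, deprecated by RFC 8996) remain accepted. The sample outputs are constructed from the shapes on this page; on a real host you would feed it the live command output instead.

```python
import re
from typing import Dict, List

# Constructed sample output in the shape of `zmprov gcf zimbraReverseProxySSLProtocols`
# after TLSv1.3 has been added (one "attribute: value" line per enabled protocol).
SAMPLE_PROXY_PROTOCOLS = """\
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLProtocols: TLSv1.3
"""

# Constructed sample of `zmlocalconfig mailboxd_java_options`, trimmed to the TLS-relevant flags.
SAMPLE_JAVA_OPTIONS = (
    'mailboxd_java_options="-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 '
    '-Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true"'
)

LEGACY = {"TLSv1", "TLSv1.1"}  # TLS 1.0 and 1.1 are deprecated by RFC 8996


def parse_zmprov_multi(output: str, attr: str) -> List[str]:
    """Collect every value of a multi-valued attribute from `zmprov gcf` output."""
    prefix = attr + ":"
    return [line[len(prefix):].strip() for line in output.splitlines() if line.startswith(prefix)]


def parse_java_tls_protocols(output: str) -> Dict[str, List[str]]:
    """Extract the comma-separated -Dhttps.protocols and -Djdk.tls.client.protocols lists."""
    found: Dict[str, List[str]] = {}
    for key in ("https.protocols", "jdk.tls.client.protocols"):
        m = re.search(r"-D" + re.escape(key) + r"=([^\s\"]+)", output)
        found[key] = m.group(1).split(",") if m else []
    return found


def audit(protocols: List[str]) -> Dict[str, object]:
    """Report whether TLSv1.3 is enabled and which legacy versions are still accepted."""
    return {"tls13": "TLSv1.3" in protocols, "legacy": sorted(LEGACY & set(protocols))}


def audit_all(proxy_output: str, java_output: str) -> Dict[str, Dict[str, object]]:
    """Audit the proxy attribute and both mailstore JVM protocol lists in one report."""
    report = {"proxy": audit(parse_zmprov_multi(proxy_output, "zimbraReverseProxySSLProtocols"))}
    for key, protos in parse_java_tls_protocols(java_output).items():
        report["mailstore " + key] = audit(protos)
    return report


if __name__ == "__main__":
    for component, result in audit_all(SAMPLE_PROXY_PROTOCOLS, SAMPLE_JAVA_OPTIONS).items():
        print(component, result)
```

With the page's settings every component reports tls13 True but also lists TLSv1 and TLSv1.1 as still enabled, which is the follow-up a hardening review would flag.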