Difference between revisions of "Enable TLS1.3"

== Enabling TLS 1.3 ==

The administrator will have to execute separate steps for enabling TLS 1.3 on Zimbra Proxy (Nginx) and Zimbra Mailstore.  
 
=== Execute the following steps on Zimbra Proxy (Nginx) ===
Please refer to: https://wiki.zimbra.com/wiki/Cipher_suites
 
 
Execute these commands as the <code>zimbra</code> user:
 
 
 
* View the existing '''zimbraReverseProxySSLProtocols''':
 
 
 
$ zmprov gcf zimbraReverseProxySSLProtocols
 
zimbraReverseProxySSLProtocols: TLSv1
 
zimbraReverseProxySSLProtocols: TLSv1.1
 
zimbraReverseProxySSLProtocols: TLSv1.2
 
 
 
* Add TLSv1.3 to the existing '''zimbraReverseProxySSLProtocols'''. The <code>+</code> form appends a value and leaves TLSv1 and TLSv1.1 enabled; both are deprecated (RFC 8996), so once no client still needs them, remove each with the corresponding <code>-</code> form of the same command.
 
$ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
 
 
 
* Verify TLSv1.3 is added to '''zimbraReverseProxySSLProtocols'''.
 
$ zmprov gcf zimbraReverseProxySSLProtocols
 
zimbraReverseProxySSLProtocols: TLSv1
 
zimbraReverseProxySSLProtocols: TLSv1.1
 
zimbraReverseProxySSLProtocols: TLSv1.2
 
zimbraReverseProxySSLProtocols: TLSv1.3
 
 
 
* View the existing ciphers in '''zimbraReverseProxySSLCiphers''':
 
$ zmprov gcf zimbraReverseProxySSLCiphers
 
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
 
 
 
* Add the TLSv1.3 cipher <code>TLS_AES_256_GCM_SHA384</code> to the existing '''zimbraReverseProxySSLCiphers''' list. Note that this attribute is rendered into the nginx <code>ssl_ciphers</code> directive, which OpenSSL applies only to TLS 1.2 and earlier; the TLS 1.3 suites the proxy negotiates are OpenSSL 1.1.1's built-in defaults (TLS_AES_256_GCM_SHA384, TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256), so the entry below records intent but does not restrict them.
 
$ zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:TLS_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
 
 
 
* Restart Zimbra Proxy service:
 
$ zmproxyctl restart
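As an added example, not part of the Zimbra wiki page or of Zimbra's own tooling, the following POSIX shell script audits the protocol list that <code>zmprov gcf zimbraReverseProxySSLProtocols</code> prints, emits the <code>zmprov</code> commands needed to end up with TLSv1.2 and TLSv1.3 only (removing the deprecated versions the <code>+</code> step above leaves in place), and probes the proxy with <code>openssl s_client</code> to confirm what it actually negotiates after <code>zmproxyctl restart</code>. The <code>gcf</code> output it runs on is a constructed sample matching the page's "before" state; the <code>zmprov mcf -attr value</code> removal syntax is the standard counterpart of the <code>+attr value</code> form the page uses.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki: audit the protocol list that
# `zmprov gcf zimbraReverseProxySSLProtocols` prints and emit the zmprov
# commands that leave only TLSv1.2 and TLSv1.3 enabled, then probe the
# proxy with openssl s_client to confirm what it really negotiates.

# Constructed sample of the gcf output in the page's "before" state.
SAMPLE_GCF='zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2'

# protocols_from_gcf: stdin = zmprov gcf output, stdout = one protocol per line.
protocols_from_gcf() {
    sed -n 's/^zimbraReverseProxySSLProtocols:[[:space:]]*//p'
}

# plan_protocol_changes: stdin = zmprov gcf output, stdout = the zmprov
# commands that turn the current list into exactly TLSv1.2 + TLSv1.3.
# "+attr value" appends to and "-attr value" removes from a multi-valued
# attribute (the same syntax the page uses for its + step).
plan_protocol_changes() {
    current=$(protocols_from_gcf)
    for p in $current; do
        case "$p" in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "zmprov mcf -zimbraReverseProxySSLProtocols $p" ;;
        esac
    done
    for want in TLSv1.2 TLSv1.3; do
        printf '%s\n' "$current" | grep -qx "$want" ||
            echo "zmprov mcf +zimbraReverseProxySSLProtocols $want"
    done
}

# probe_tls HOST [PORT]: attempt one handshake per protocol version and
# report which ones the server completes (s_client exits non-zero when the
# handshake fails). Needs network access, so it is not part of the sample
# run below; "rejected" also covers versions the local openssl build
# refuses to offer at all.
probe_tls() {
    host=$1; port=${2:-443}
    for flag in -tls1 -tls1_1 -tls1_2 -tls1_3; do
        if openssl s_client -connect "$host:$port" -servername "$host" \
                "$flag" </dev/null >/dev/null 2>&1; then
            echo "$flag accepted"
        else
            echo "$flag rejected"
        fi
    done
}

# Sample run on the constructed output. In production, as the zimbra user:
#   zmprov gcf zimbraReverseProxySSLProtocols | plan_protocol_changes
# then review the printed commands, run them, restart the proxy and call
#   probe_tls mail.example.com 443
printf '%s\n' "$SAMPLE_GCF" | plan_protocol_changes
```

Run the planner first and read its output before executing anything: a proxy that still fronts old clients may need TLSv1.1 for a while, and the probe afterwards is the only check that the restarted nginx really offers TLSv1.3 and really refuses what was removed.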
 
 
 
=== Execute the following steps on Zimbra Mailstore ===
 
 
 
Execute these commands as the <code>zimbra</code> user:
 
 
 
* Get your current <code>mailboxd_java_options</code>:
 
$ zmlocalconfig mailboxd_java_options
 
mailboxd_java_options = -server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true
 
 
 
Add TLSv1.3 to both <code>-Dhttps.protocols</code> and <code>-Djdk.tls.client.protocols</code>. Both are JDK client-side properties: they control which versions mailboxd offers on the TLS connections it initiates, and TLSv1.3 is only usable when the JDK running mailboxd implements it (JDK 11, or 8u261 and later). The command replaces the whole value, so copy every other option exactly as the previous step printed it:
 
$ zmlocalconfig -e mailboxd_java_options='-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true'
 
 
 
* Restart Zimbra Mailbox service:
 
$ zmmailboxdctl restart
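Retyping the entire <code>mailboxd_java_options</code> value, as the step above does, is where a stray character silently drops a GC or logging flag. The following POSIX shell script is an added example, not Zimbra's own tooling: it edits only the two protocol lists inside the existing value and passes every other token through unchanged, so the same helper can later be used to drop TLSv1 and TLSv1.1 by passing a different list. The option string it operates on is a constructed sample shortened from the page's "before" value; reading the live value with <code>zmlocalconfig -m nokey mailboxd_java_options</code> is an assumption about the tool's output format.

```shell
#!/bin/sh
# Added example, not Zimbra's own tooling: add TLSv1.3 to the two protocol
# lists inside mailboxd_java_options by editing the value in place, so the
# other JVM flags are carried over unchanged instead of being retyped.
# Assumes the live value is read with `zmlocalconfig -m nokey mailboxd_java_options`.

# Constructed sample, shortened from the page's "before" value.
SAMPLE_OPTS='-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -XX:+UseG1GC'

# current_https_protocols: stdin = option string, stdout = value of -Dhttps.protocols.
current_https_protocols() {
    sed -n 's/.*-Dhttps\.protocols=\([^ ]*\).*/\1/p'
}

# with_tls13 LIST: append TLSv1.3 to a comma-separated list unless present.
with_tls13() {
    case ",$1," in
        *,TLSv1.3,*) printf '%s\n' "$1" ;;
        *)           printf '%s\n' "$1,TLSv1.3" ;;
    esac
}

# set_java_protocols LIST: stdin = option string, stdout = the same string
# with both -Dhttps.protocols and -Djdk.tls.client.protocols set to LIST.
# Every other token (GC flags, logging, the ${networkaddress_cache_ttl}
# placeholder) is passed through untouched. Pass "TLSv1.2,TLSv1.3" here to
# drop the deprecated versions as well.
set_java_protocols() {
    awk -v want="$1" '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^-Dhttps\.protocols=/)
                $i = "-Dhttps.protocols=" want
            else if ($i ~ /^-Djdk\.tls\.client\.protocols=/)
                $i = "-Djdk.tls.client.protocols=" want
        }
        print
    }'
}

# add_tls13_to_options: stdin = current value, stdout = value with TLSv1.3
# added to both lists. Running it twice yields the same output.
add_tls13_to_options() {
    opts=$(cat)
    printf '%s\n' "$opts" | set_java_protocols "$(with_tls13 "$(printf '%s\n' "$opts" | current_https_protocols)")"
}

new_opts=$(printf '%s\n' "$SAMPLE_OPTS" | add_tls13_to_options)
printf '%s\n' "$new_opts"
# To apply, as the zimbra user (the ${networkaddress_cache_ttl} placeholder
# survives because the contents of a variable are not expanded a second time):
#   zmlocalconfig -e "mailboxd_java_options=$new_opts" && zmmailboxdctl restart
```

After the restart, confirm the new value with <code>zmlocalconfig mailboxd_java_options</code> and check that mailboxd came back up before touching the proxy side; a malformed option string is the most common reason for the mailbox service failing to start after this edit.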
 

Latest revision as of 07:20, 4 September 2021

