Difference between revisions of "How to disable TLSv1"

(Created page with "=How to disable TLSv1= {{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 8.7}}||}} {{WIP}} ==Problem== The purpose of this article is to show how to disable TLSv1 on Zimbra server. ==Resolu...")
 
(How to disable TLSv1)
 
(2 intermediate revisions by one other user not shown)
Line 15: Line 15:
 
1. Disable TLSv1 for proxy server/s:
 
1. Disable TLSv1 for proxy server/s:
 
  $ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1
 
  $ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1
 +
$ zmproxyctl restart
  
  
 
2. Disable TLSv1 in Jetty for HTTPS, IMAPS, POP3S, and STARTTLS (including LMTP)
 
2. Disable TLSv1 in Jetty for HTTPS, IMAPS, POP3S, and STARTTLS (including LMTP)
 
  $ zmprov ms `zmhostname` -zimbraMailboxdSSLProtocols TLSv1  
 
  $ zmprov ms `zmhostname` -zimbraMailboxdSSLProtocols TLSv1  
 +
$ zmmailboxdctl restart
  
  
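Review bot: The added "zmproxyctl restart" and "zmmailboxdctl restart" lines do not say on which hosts they have to be run. Step 1 is headed "proxy server/s" and changes global config with "zmprov mcf", while step 2 targets only the local host through zmhostname, so a reader with several proxy or mailbox nodes could restart one of them and assume the change is live everywhere. Suggest one sentence under each step stating that the restart (and, for step 2, the "zmprov ms" command as well) is repeated on every proxy or mailbox server.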
Line 26: Line 28:
 
  $ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1'  
 
  $ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1'  
 
  $ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1'  
 
  $ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1'  
 +
$ zmmtactl restart
  
  
 
These same commands can be used to disable also TLSv1.1 if needed.  
 
These same commands can be used to disable also TLSv1.1 if needed.  
 +
 +
As an option, use nmap to check what protocols are active.<br>
 +
<code><pre>
 +
nmap --script ssl-enum-ciphers -p 443 proxy.example.com
 +
</pre></code>
 +
 +
 +
  
  
 
{{Article Footer|Zimbra Collaboration 8.8.11, 8.8.12| 15/05/2019}}
 
{{Article Footer|Zimbra Collaboration 8.8.11, 8.8.12| 15/05/2019}}
 
{{NeedSME|SME1|SME2|COPY EDITOR}}
 
{{NeedSME|SME1|SME2|COPY EDITOR}}
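Review bot: The added nmap check scans only port 443, so it confirms step 1 on the proxy but not the IMAPS, POP3S and STARTTLS listeners from step 2 or the MTA restarted by the new "zmmtactl restart" line. Suggest extending the -p list to the ports those services listen on, or adding one check line per service. The <code><pre> wrapper also nests a block element inside an inline one; <pre> alone is enough.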

Latest revision as of 15:00, 31 March 2021

How to disable TLSv1

   KB 23852        Last updated on 2021-03-31  






Problem

The purpose of this article is to show how to disable TLSv1 on a Zimbra server.


Resolution

There are a couple of components for which TLSv1 can be disabled:

1. Disable TLSv1 for proxy server/s:

$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1
$ zmproxyctl restart


2. Disable TLSv1 in Jetty for HTTPS, IMAPS, POP3S, and STARTTLS (including LMTP)

$ zmprov ms `zmhostname` -zimbraMailboxdSSLProtocols TLSv1 
$ zmmailboxdctl restart


3. Disable TLSv1 for ports 465, 587 and 25:

$ zmprov mcf zimbraMtaSmtpTlsProtocols '!SSLv2,!SSLv3,!TLSv1'
$ zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3,!TLSv1'
$ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1' 
$ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1' 
$ zmmtactl restart


The same commands can also be used to disable TLSv1.1 if needed.

Optionally, use nmap to check which protocols are active.

nmap --script ssl-enum-ciphers -p 443 proxy.example.com
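
The nmap check above can be turned into a pass/fail test by parsing its output. The script below is an added example, not part of the original article or of Zimbra; the function names, the port 993 entry and the sample scan are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag legacy protocols in `nmap --script ssl-enum-ciphers` output.

# Labels as nmap prints them (TLSv1 is reported as "TLSv1.0").
# Add TLSv1[.]1 once TLSv1.1 has been disabled as well.
BAD_PROTOCOLS='^(SSLv2|SSLv3|TLSv1[.]0)$'

# Read nmap output on stdin; print "port protocol" for every disallowed hit.
# $1 (optional) overrides the regex of disallowed protocol labels.
legacy_protocols() {
    awk -v bad="${1:-$BAD_PROTOCOLS}" '
        /^[0-9]+\/tcp/ { port = $1 }                  # "443/tcp open https"
        $1 == "|" && $2 ~ /^(SSLv|TLSv)[0-9.]+:$/ {   # "|   TLSv1.0:"
            proto = $2; sub(/:$/, "", proto)
            if (proto ~ bad) print port, proto
        }'
}

# Return 0 only when the scan shows no disallowed protocol.
tls_policy_ok() {
    hits=$(legacy_protocols "$@")
    [ -z "$hits" ] && return 0
    echo "legacy protocol still offered: $hits" >&2
    return 1
}

# Constructed sample output, not a real scan.
sample_scan() {
    cat <<'EOF'
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
993/tcp open  imaps
| ssl-enum-ciphers:
|   TLSv1.1:
|     ciphers:
|       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|_  least strength: A
EOF
}

sample_scan | legacy_protocols    # prints: 443/tcp TLSv1.0
```

Against a live host, pipe the scan into the check: nmap --script ssl-enum-ciphers -p 443 proxy.example.com | tls_policy_ok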



Verified Against: Zimbra Collaboration 8.8.11, 8.8.12 Date Created: 15/05/2019
Article ID: https://wiki.zimbra.com/index.php?title=How_to_disable_TLSv1 Date Modified: 2021-03-31




Wiki/KB reviewed by SME1 SME2 COPY EDITOR Last edit by King0770