How to disable TLSv1: Difference between revisions
Revision diff (the extraction flattened the side-by-side table; the resulting revision is rendered in full below). Templates carried by this revision:
{{KB||{{ZCS 9.0}}|{{ZCS 8.8}}|}}
{{WIP}}
{{Article Footer|Zimbra Collaboration 8.8.11, 8.8.12, 8.8.15, 9| 26/08/2022}}
{{NeedSME|SME1|SME2|COPY EDITOR}}
Changes against the previous revision: the heading "How to disable TLSv1" became "How to disable deprecated TLS versions and enable TLS 1.3"; the Problem and Resolution sentences were reworded to say "deprecated TLS versions"; the proxy and mailboxd steps now first restrict zimbraReverseProxySSLProtocols / zimbraMailboxdSSLProtocols to TLSv1.2 and then append TLSv1.3 with the "+attribute" form; the four zimbraMta*TlsProtocols attributes are set to '>=TLSv1.2'; the Article Footer version list grew from "Zimbra Collaboration 8.8.11, 8.8.12" to "Zimbra Collaboration 8.8.11, 8.8.12, 8.8.15, 9".
Revision as of 08:55, 26 August 2022
How to disable deprecated TLS versions and enable TLS 1.3
Problem
This article shows how to disable the deprecated TLS versions (TLSv1 and TLSv1.1, deprecated by RFC 8996) on a Zimbra server and enable TLSv1.3 alongside TLSv1.2.
Resolution
Three components negotiate TLS and each is configured separately: the nginx reverse proxy, mailboxd (Jetty) and the Postfix MTA. Two zmprov details matter here: "zmprov mcf" writes global config (all nodes), while "zmprov ms HOST" writes a server attribute (that host only); and for a multi-valued attribute, "zmprov mcf attr value" replaces every existing value, whereas "zmprov mcf +attr value" appends one.
1. Disable deprecated TLS versions for the proxy server(s):
# Overwrite the current configuration to allow only v1.2 (plain "mcf attr value" replaces all existing values, including TLSv1 and TLSv1.1)
$ zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
# Add TLSv1.3 (the "+attr" form appends to the multi-valued attribute; without the "+" this would drop TLSv1.2 again)
$ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
$ zmproxyctl restart
2. Disable deprecated TLS versions in Jetty (mailboxd) for HTTPS, IMAPS, POP3S and STARTTLS (including LMTP). This is set per server (zmhostname expands to the local host), so repeat it on every mailbox server:
# Overwrite the current configuration to allow only v1.2
$ zmprov ms `zmhostname` zimbraMailboxdSSLProtocols TLSv1.2
# Add TLSv1.3 (append with "+"; a plain assignment would replace TLSv1.2)
$ zmprov ms `zmhostname` +zimbraMailboxdSSLProtocols TLSv1.3
$ zmmailboxdctl restart
3. Allow only TLSv1.2 and newer on the Postfix MTA (ports 25, 465 and 587). The four attributes map to Postfix's smtp_tls_protocols and smtpd_tls_protocols (opportunistic TLS, outbound and inbound) and smtp_tls_mandatory_protocols and smtpd_tls_mandatory_protocols (used when TLS is enforced, as on the submission ports). The '>=TLSv1.2' range syntax requires Postfix 3.6 or later (check with "postconf mail_version" as the zimbra user); on an older Postfix use the exclusion form '!SSLv2, !SSLv3, !TLSv1, !TLSv1.1' instead:
$ zmprov mcf zimbraMtaSmtpTlsProtocols '>=TLSv1.2'
$ zmprov mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2'
$ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '>=TLSv1.2'
$ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '>=TLSv1.2'
$ zmmtactl restart
To verify, run nmap's ssl-enum-ciphers script against each listener from outside the host; it lists the TLS versions and cipher suites the server offers, and issues STARTTLS itself on the standard mail ports (25, 587, 143, 110). Only TLSv1.2 and TLSv1.3 should appear:
nmap --script ssl-enum-ciphers -p 443,993,995,465,25,587,143,110 proxy.example.com
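The nmap scan above shows what a listener offers but does not compare it against the intended policy, and it says nothing about whether the zmprov attributes ended up holding exactly TLSv1.2 and TLSv1.3 (the easiest mistake in steps 1 and 2 is omitting the "+", which silently replaces TLSv1.2 with TLSv1.3). The script below is an added example, not part of this wiki article or of Zimbra: it probes every listener named in the steps with openssl s_client for each TLS version and flags deviations from the policy, and it checks a zmprov attribute dump for the expected value set. It assumes openssl 1.1.1 or later (for -tls1_3) on the PATH; the host name in the usage line is hypothetical, and the sample s_client and zmprov outputs embedded in it are constructed for an offline self-check.

```shell
#!/bin/sh
# check_zimbra_tls.sh: verify that a Zimbra deployment refuses TLSv1/TLSv1.1 and
# accepts TLSv1.2/TLSv1.3 on every listener after the zmprov changes in the article.
# Added example, not part of the wiki article or of the Zimbra code base.
# Assumptions: openssl 1.1.1+ (for -tls1_3) on PATH; the ports below are the
# standard Zimbra proxy/mailboxd/MTA listener ports named in the article.

# Listener table: port, STARTTLS protocol name for "openssl s_client -starttls"
# ("-" means implicit TLS), and a label for the report.
LISTENERS='443 - https
993 - imaps
995 - pop3s
465 - smtps
25 smtp smtp-starttls
587 smtp submission-starttls
143 imap imap-starttls
110 pop3 pop3-starttls'

# Policy under test: TLSv1 and TLSv1.1 are deprecated (RFC 8996) and must be
# refused; TLSv1.2 and TLSv1.3 must be accepted. Names are openssl s_client flags.
expected_for() {
    case "$1" in
        tls1|tls1_1)   echo refuse ;;
        tls1_2|tls1_3) echo accept ;;
        *)             echo unknown ;;
    esac
}

# Classify openssl s_client output: a completed handshake prints
# "New, TLSv1.2, Cipher is ..."; a refused version prints "New, (NONE), Cipher is (NONE)".
handshake_ok() {
    case "$1" in
        *'Cipher is (NONE)'*) return 1 ;;
        *'Cipher is '*)       return 0 ;;
        *)                    return 1 ;;
    esac
}

# Check a multi-valued attribute dump ("attr: value" per line, as printed by
# "zmprov gcf zimbraReverseProxySSLProtocols" or "zmprov gs HOST zimbraMailboxdSSLProtocols").
# Succeeds only if the values are exactly TLSv1.2 and TLSv1.3: this catches both a
# forgotten "+attr" append (TLSv1.2 lost) and a leftover TLSv1/TLSv1.1 value.
attr_values_ok() {
    vals=$(printf '%s\n' "$1" | sed -n 's/^[A-Za-z]*: *//p' | sort | tr '\n' ' ')
    [ "$vals" = "TLSv1.2 TLSv1.3 " ]
}

# One handshake attempt; succeeds if the server accepted the requested version.
probe() { # host port starttls-proto|- version
    if [ "$3" = "-" ]; then
        out=$(openssl s_client -connect "$1:$2" "-$4" </dev/null 2>&1 || true)
    else
        out=$(openssl s_client -connect "$1:$2" -starttls "$3" "-$4" </dev/null 2>&1 || true)
    fi
    handshake_ok "$out"
}

# Walk every listener x version, print one report line each, and return 1 if any
# listener deviates from the policy (so the script can gate a change window).
scan() {
    host=$1; bad=0
    while read -r port st label; do
        for ver in tls1 tls1_1 tls1_2 tls1_3; do
            if probe "$host" "$port" "$st" "$ver"; then got=accept; else got=refuse; fi
            want=$(expected_for "$ver")
            if [ "$got" = "$want" ]; then mark=ok; else mark=MISMATCH; bad=1; fi
            printf '%-22s %-5s %-7s %-7s %s\n' "$label" "$port" "$ver" "$got" "$mark"
        done
    done <<EOF
$LISTENERS
EOF
    return $bad
}

# Constructed sample inputs (shape of openssl 1.1.1/3.x and zmprov output) for an
# offline self-check of the two classifiers; no network is touched here.
SAMPLE_ACCEPTED='New, TLSv1.3, Cipher is TLS_AES_256_GCM_SHA384'
SAMPLE_REFUSED='New, (NONE), Cipher is (NONE)'
SAMPLE_PROXY_OK='zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLProtocols: TLSv1.3'
SAMPLE_PROXY_OVERWRITTEN='zimbraReverseProxySSLProtocols: TLSv1.3'

selftest() {
    handshake_ok "$SAMPLE_ACCEPTED" &&
    ! handshake_ok "$SAMPLE_REFUSED" &&
    attr_values_ok "$SAMPLE_PROXY_OK" &&
    ! attr_values_ok "$SAMPLE_PROXY_OVERWRITTEN"
}

# Usage: sh check_zimbra_tls.sh mail.example.com   (hypothetical host name)
if [ -n "${1:-}" ]; then scan "$1"; fi
```

Run it from a machine outside the proxy after each restart; a MISMATCH on a STARTTLS port after step 3 usually means the Postfix build predates the '>=TLSv1.2' syntax, and a MISMATCH on 443 or 993 while 25 is fine points at the proxy or mailboxd attribute rather than the MTA. Feed "zmprov gcf zimbraReverseProxySSLProtocols" or "zmprov gs HOST zimbraMailboxdSSLProtocols" output to attr_values_ok to confirm the attribute itself before blaming the service.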