How to disable TLSv1: Difference between revisions

Line 1: Line 1:
=How to disable TLSv1=
=How to disable deprecated TLS versions and enable TLS 1.3=
{{KB|{{ZC}}|{{ZCS 8.8}}|{{ZCS 8.7}}||}}
{{KB||{{ZCS 9.0}}|{{ZCS 8.8}}|}}
{{WIP}}
{{WIP}}


Line 6: Line 6:
==Problem==
==Problem==


The purpose of this article is to show how to disable TLSv1 on Zimbra server.  
The purpose of this article is to show how to disable deprecated TLS versions on Zimbra server.  




==Resolution==
==Resolution==


There are couple of components for which we can disable TLSv1:
There are couple of components for which we can disable TLS versions:


1. Disable TLSv1 for proxy server/s:
1. Disable deprecated TLS versions for proxy server/s:
  $ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1
 
# Overwrite the current configuration to allow only v1.2
$ zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
# Add TLSv1.3
  $ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
  $ zmproxyctl restart
  $ zmproxyctl restart




2. Disable TLSv1 in Jetty for HTTPS, IMAPS, POP3S, and STARTTLS (including LMTP)
2. Disable deprecated TLS versions in Jetty for HTTPS, IMAPS, POP3S, and STARTTLS (including LMTP)
  $ zmprov ms `zmhostname` -zimbraMailboxdSSLProtocols TLSv1  
# Overwrite the current configuration to allow only v1.2
$ zmprov ms `zmhostname` zimbraMailboxdSSLProtocols TLSv1.2
# Add TLSv1.3
  $ zmprov ms `zmhostname` +zimbraMailboxdSSLProtocols TLSv1.3
  $ zmmailboxdctl restart
  $ zmmailboxdctl restart




3. Disable TLSv1 for ports 465, 587 and 25:
3. Allow only TLSv1.2 and more for ports 465, 587 and 25:
  $ zmprov mcf zimbraMtaSmtpTlsProtocols '!SSLv2,!SSLv3,!TLSv1'
 
  $ zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3,!TLSv1'
  $ zmprov mcf zimbraMtaSmtpTlsProtocols '>=TLSv1.2'
  $ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1'  
  $ zmprov mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2'
  $ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1'  
  $ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '>=TLSv1.2'  
  $ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '>=TLSv1.2'  
  $ zmmtactl restart
  $ zmmtactl restart
These same commands can be used to disable also TLSv1.1 if needed.


As an option, use nmap to check what protocols are active.<br>
As an option, use nmap to check what protocols are active.<br>
Line 39: Line 44:




 
{{Article Footer|Zimbra Collaboration 8.8.11, 8.8.12, 8.8.15, 9| 26/08/2022}}
 
 
{{Article Footer|Zimbra Collaboration 8.8.11, 8.8.12| 15/05/2019}}
{{NeedSME|SME1|SME2|COPY EDITOR}}
{{NeedSME|SME1|SME2|COPY EDITOR}}

Revision as of 08:55, 26 August 2022

How to disable deprecated TLS versions and enable TLS 1.3

   KB 23852        Last updated on 2022-08-26  




5.00
(one vote)


Problem

The purpose of this article is to show how to disable deprecated TLS versions on Zimbra server.


Resolution

There are couple of components for which we can disable TLS versions:

1. Disable deprecated TLS versions for proxy server/s:

# Overwrite the current configuration to allow only v1.2
$ zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
# Add TLSv1.3
$ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
$ zmproxyctl restart


2. Disable deprecated TLS versions in Jetty for HTTPS, IMAPS, POP3S, and STARTTLS (including LMTP)

# Overwrite the current configuration to allow only v1.2
$ zmprov ms `zmhostname` zimbraMailboxdSSLProtocols TLSv1.2
# Add TLSv1.3
$ zmprov ms `zmhostname` +zimbraMailboxdSSLProtocols TLSv1.3
$ zmmailboxdctl restart


3. Allow only TLSv1.2 and more for ports 465, 587 and 25:

$ zmprov mcf zimbraMtaSmtpTlsProtocols '>=TLSv1.2'
$ zmprov mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2'
$ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '>=TLSv1.2' 
$ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '>=TLSv1.2' 
$ zmmtactl restart

As an option, use nmap to check what protocols are active.

nmap --script ssl-enum-ciphers -p 443 proxy.example.com


Verified Against: Zimbra Collaboration 8.8.11, 8.8.12, 8.8.15, 9 Date Created: 26/08/2022
Article ID: https://wiki.zimbra.com/index.php?title=How_to_disable_TLSv1 Date Modified: 2022-08-26



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Wiki/KB reviewed by SME1 SME2 COPY EDITOR Last edit by Zeiko2
Jump to: navigation, search