How to disable TLSv1

KB 23852	Last updated on 2019-05-15	Last updated by Teodor Vizirov	5.00 (one vote)	Verified in: ZCS 8.8 ZCS 8.7
- This is certified documentation and is protected for editing by Zimbra Employees & Moderators only.

KB 23852	Last updated on 2019-05-15
5.00 (one vote)
- This is certified documentation and is protected for editing by Zimbra Employees & Moderators only.

Problem

The purpose of this article is to show how to disable TLSv1 on Zimbra server.

Resolution

There are couple of components for which we can disable TLSv1:

1. Disable TLSv1 for proxy server/s:

$ zmprov mcf -zimbraReverseProxySSLProtocols TLSv1

2. Disable TLSv1 in Jetty for HTTPS, IMAPS, POP3S, and STARTTLS (including LMTP)

$ zmprov ms `zmhostname` -zimbraMailboxdSSLProtocols TLSv1 

3. Disable TLSv1 for ports 465, 587 and 25:

$ zmprov mcf zimbraMtaSmtpTlsProtocols '!SSLv2,!SSLv3,!TLSv1'
$ zmprov mcf zimbraMtaSmtpdTlsProtocols '!SSLv2,!SSLv3,!TLSv1'
$ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1' 
$ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '!SSLv2,!SSLv3,!TLSv1' 

These same commands can be used to disable also TLSv1.1 if needed.