How to disable TLSv1

How to disable deprecated TLS versions and enable TLS 1.3

KB 23852 - Last updated on 2022-11-15






Problem

The purpose of this article is to show how to disable the deprecated TLS versions (TLSv1 and TLSv1.1) on a Zimbra server and enable TLSv1.3.


Resolution

There are a couple of components for which the allowed TLS versions must be set separately (proxy, mailboxd/Jetty and the MTA), because each one has its own configuration:

1. Disable deprecated TLS versions for the proxy server(s):

# Overwrite the current configuration to allow only v1.2
$ zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
# Add TLSv1.3
$ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
$ zmproxyctl restart


2. Disable deprecated TLS versions in Jetty for HTTPS, IMAPS, POP3S and STARTTLS (including LMTP):

# Overwrite the current configuration to allow only v1.2
$ zmprov ms `zmhostname` zimbraMailboxdSSLProtocols TLSv1.2
# Add TLSv1.3
$ zmprov ms `zmhostname` +zimbraMailboxdSSLProtocols TLSv1.3

Get current mailboxd_java_options:

$ zmlocalconfig mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true

Add TLSv1.3 to, and remove TLSv1 and TLSv1.1 from, both https.protocols and jdk.tls.client.protocols, keeping all other options as they are on your server (the value below is the one shown above, with only the two protocol lists changed):

$ zmlocalconfig -e mailboxd_java_options='-server -Dhttps.protocols=TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true'

Restart the mailbox service:

$ zmmailboxdctl restart

3. Allow only TLSv1.2 and later for the MTA (Postfix) on ports 465, 587 and 25, for both the client (smtp) and server (smtpd) side and for both opportunistic and mandatory TLS:

$ zmprov mcf zimbraMtaSmtpTlsProtocols '>=TLSv1.2'
$ zmprov mcf zimbraMtaSmtpdTlsProtocols '>=TLSv1.2'
$ zmprov mcf zimbraMtaSmtpTlsMandatoryProtocols '>=TLSv1.2'
$ zmprov mcf zimbraMtaSmtpdTlsMandatoryProtocols '>=TLSv1.2'
$ zmmtactl restart

Optionally, use nmap to check which protocol versions and ciphers the server still offers (run it against each exposed port, not only 443):

$ nmap --script ssl-enum-ciphers -p 443 proxy.example.com
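Step 2 replaces the whole mailboxd_java_options value by hand, which is easy to get wrong when a server's other JVM flags differ from the ones shown above. The following POSIX shell script is an added example, not part of the article or of Zimbra's own tooling: it rewrites only the two protocol properties in whatever value the server currently has, checks whether TLSv1 or TLSv1.1 is still listed, and prints the zmlocalconfig command to apply. The sample value is constructed (a shortened copy of the one shown above).

```shell
#!/bin/sh
# Rewrite only the -Dhttps.protocols= and -Djdk.tls.client.protocols= values
# inside a mailboxd_java_options string; every other JVM flag is left as-is.
# $1 = current value, $2 = wanted protocol list (default TLSv1.2,TLSv1.3).
restrict_tls_protocols() {
    wanted="${2:-TLSv1.2,TLSv1.3}"
    printf '%s\n' "$1" | sed \
        -e "s/-Dhttps\.protocols=[^ ]*/-Dhttps.protocols=$wanted/" \
        -e "s/-Djdk\.tls\.client\.protocols=[^ ]*/-Djdk.tls.client.protocols=$wanted/"
}

# Succeed (exit 0) when either protocol property still lists TLSv1 or TLSv1.1.
# A trailing space is appended so a list that ends in TLSv1 or TLSv1.1 is caught.
# TLSv1.2 and TLSv1.3 do not match because "TLSv1" must be followed by ",", " " or ".1".
has_deprecated_tls() {
    printf '%s \n' "$1" | grep -Eq \
        -e '-D(https|jdk\.tls\.client)\.protocols=[^ ]*TLSv1(\.1)?(,| )'
}

# Constructed sample, shortened from the value in the article. On a real server
# take the part after "mailboxd_java_options = " from the zmlocalconfig output.
CURRENT='-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2 -Djava.awt.headless=true -XX:+UseG1GC'

if has_deprecated_tls "$CURRENT"; then
    NEW=$(restrict_tls_protocols "$CURRENT")
    # Print rather than run, so the result can be reviewed before it is applied.
    printf "zmlocalconfig -e mailboxd_java_options='%s'\n" "$NEW"
else
    echo "mailboxd_java_options already restricted: $CURRENT"
fi
```

The single quotes around the printed value keep `${networkaddress_cache_ttl}` literal, exactly as in the article's own zmlocalconfig command.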


Verified Against: Zimbra Collaboration 8.8.15, 9
Date Created: 26/08/2022
Article ID: https://wiki.zimbra.com/index.php?title=How_to_disable_TLSv1
Date Modified: 2022-11-15


