Nginx Package Upgrade

Nginx TLS 1.3 Beta release


NOTE: Beta features are not supported and should not be installed on production systems. Beta modules have been provided for evaluation in lab environments only.

Package Installation

This document guides you through upgrading to the Nginx TLS 1.3 Beta package.

NOTE: Users who do not have the previous beta packages must install those first. Refer to the wiki for instructions on installing the packages on your systems.

Configure the yum repository on RedHat/CentOS system

You must add the repository to your local RHEL/CentOS configuration:

8.8.15

Execute these commands as root

  • RHEL 6
root@zimbra8815:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
[zimbra]
name=Zimbra RPM Repository
baseurl=https://repo.zimbra.com/rpm/8815-tls1_3-beta/rhel6
gpgcheck=1
enabled=1
EOF
  • RHEL 7
root@zimbra8815:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
[zimbra]
name=Zimbra RPM Repository 
baseurl=https://repo.zimbra.com/rpm/8815-tls1_3-beta/rhel7
gpgcheck=1
enabled=1
EOF
  • RHEL 8
root@zimbra8815:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
[zimbra]
name=Zimbra RPM Repository
baseurl=https://repo.zimbra.com/rpm/8815-tls1_3-beta/rhel8
gpgcheck=1
enabled=1
EOF

9.0.0

Execute these commands as root

  • RHEL/CentOS 6
root@zimbra90:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
[zimbra]
name=Zimbra RPM Repository
baseurl=https://repo.zimbra.com/rpm/90-tls1_3-beta/rhel6
gpgcheck=1
enabled=1
EOF
  • RHEL/CentOS 7
root@zimbra90:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
[zimbra]
name=Zimbra RPM Repository
baseurl=https://repo.zimbra.com/rpm/90-tls1_3-beta/rhel7
gpgcheck=1
enabled=1
EOF
  • RHEL/CentOS 8
root@zimbra90:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
[zimbra]
name=Zimbra RPM Repository
baseurl=https://repo.zimbra.com/rpm/90-tls1_3-beta/rhel8
gpgcheck=1
enabled=1
EOF

Installing Zimbra packages with system package upgrades

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
  • Then ask yum to update available packages:
yum update
  • Restart Zimbra services as zimbra user:
su - zimbra
zmcontrol restart

Installing Zimbra packages individually on Proxy node for FOSS and NETWORK

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
  • Then upgrade the packages:
yum install zimbra-proxy-patch
  • Restart Zimbra services as zimbra user:
su - zimbra
zmcontrol restart

Configure the source list on Ubuntu system

You must configure the sources list on your Ubuntu system:

8.8.15

  • UBUNTU 14.04
root@zimbra8815:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta trusty zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta trusty zimbra
EOF
  • UBUNTU 16.04
root@zimbra8815:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta xenial zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta xenial zimbra
EOF
  • UBUNTU 18.04
root@zimbra8815:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta bionic zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta bionic zimbra
EOF

9.0.0

  • UBUNTU 14.04
root@zimbra90:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta trusty zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta trusty zimbra
EOF
  • UBUNTU 16.04
root@zimbra90:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta xenial zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta xenial zimbra
EOF
  • UBUNTU 18.04
root@zimbra90:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta bionic zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta bionic zimbra
EOF

Installing Zimbra packages with system package upgrades

  • As root, upgrade the packages.
apt-get update
apt-get upgrade
  • Restart Zimbra services as zimbra user:
su - zimbra
zmcontrol restart

Installing Zimbra packages individually on Proxy node for FOSS and NETWORK

  • As root, upgrade the packages.
apt-get update
apt-get install zimbra-proxy-patch
  • Restart Zimbra services as zimbra user:
su - zimbra
zmcontrol restart

How to configure TLS 1.3

  • Add TLSv1.3 to the existing zimbraReverseProxySSLProtocols value.
$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1 TLSv1.1 TLSv1.2
$ zmprov mcf zimbraReverseProxySSLProtocols 'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'
  • Add the TLSv1.3 cipher TLS_AES_256_GCM_SHA384 to the existing zimbraReverseProxySSLCiphers value.
$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
$ zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:TLS_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
$ zmproxyctl restart
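
The two edits above can be derived from the values currently set instead of retyping the long cipher string by hand. The following is an added example, not part of the original wiki page or of Zimbra's tooling: the helper names add_protocol and add_cipher are hypothetical, and it assumes zmprov gcf prints a single "name: value" line as shown above. It only prints the zmprov mcf commands for review and does not change any configuration.

```shell
#!/bin/sh
# Added example (not from the original page). add_protocol and add_cipher
# are hypothetical helper names introduced for this illustration.

# add_protocol "<current protocols>" "<protocol>"
# Appends the protocol to a space-separated list unless it is already there.
add_protocol() {
    case " $1 " in
        *" $2 "*) printf '%s\n' "$1" ;;
        *)        printf '%s\n' "${1:+$1 }$2" ;;
    esac
}

# add_cipher "<current cipher string>" "<cipher>"
# Inserts the cipher directly before the HIGH keyword, which is where the
# page places it. Appends at the end if HIGH is absent. Leaves the string
# unchanged if the cipher is already listed.
add_cipher() {
    printf '%s\n' "$1" | awk -v c="$2" 'BEGIN { FS = ":" }
    {
        out = ""; seen = 0; placed = 0
        for (i = 1; i <= NF; i++) if ($i == c) seen = 1
        for (i = 1; i <= NF; i++) {
            if (!seen && !placed && $i == "HIGH") {
                out = out (out == "" ? "" : ":") c
                placed = 1
            }
            out = out (out == "" ? "" : ":") $i
        }
        if (!seen && !placed) out = out (out == "" ? "" : ":") c
        print out
    }'
}

# Dry run: on a Zimbra host, print the zmprov mcf commands for review.
# Assumes single-line "name: value" output from zmprov gcf, as shown above.
if command -v zmprov >/dev/null 2>&1; then
    for attr in zimbraReverseProxySSLProtocols zimbraReverseProxySSLCiphers; do
        cur=$(zmprov gcf "$attr" | sed 's/^[^:]*: //')
        case $attr in
            *Protocols) new=$(add_protocol "$cur" TLSv1.3) ;;
            *)          new=$(add_cipher "$cur" TLS_AES_256_GCM_SHA384) ;;
        esac
        printf "zmprov mcf %s '%s'\n" "$attr" "$new"
    done
fi
```

After zmproxyctl restart, running `openssl s_client -connect <proxy-host>:443 -tls1_3` (OpenSSL 1.1.1 or later, with your own proxy host name in place of the placeholder) confirms that the proxy negotiates TLS 1.3.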