Nginx PackageUpgrade
Nginx TLS 1.3 Beta release
NOTE: Beta features are not supported and should not be installed on production systems. Beta modules have been provided for evaluation in lab environments only.
Package Installation
This document guides you through upgrading the Nginx TLS 1.3 Beta package.
NOTE: Users who do not have the previous beta packages must install them first. Please refer to the wiki for instructions on installing the packages on the systems.
Configure the yum repository on RedHat/CentOS system
You must add your local repository to your RHEL/CentOS configuration:
8.8.15
Execute these commands as root
- RHEL 6
root@zimbra8815:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
[zimbra]
name=Zimbra RPM Repository
baseurl=https://repo.zimbra.com/rpm/8815-tls1_3-beta/rhel6
gpgcheck=1
enabled=1
EOF
- RHEL 7
root@zimbra8815:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
[zimbra]
name=Zimbra RPM Repository
baseurl=https://repo.zimbra.com/rpm/8815-tls1_3-beta/rhel7
gpgcheck=1
enabled=1
EOF
- RHEL 8
root@zimbra8815:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
[zimbra]
name=Zimbra RPM Repository
baseurl=https://repo.zimbra.com/rpm/8815-tls1_3-beta/rhel8
gpgcheck=1
enabled=1
EOF
9.0.0
Execute these commands as root
- RHEL/CentOS 6
root@zimbra90:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
[zimbra]
name=Zimbra RPM Repository
baseurl=https://repo.zimbra.com/rpm/90-tls1_3-beta/rhel6
gpgcheck=1
enabled=1
EOF
- RHEL/CentOS 7
root@zimbra90:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
[zimbra]
name=Zimbra RPM Repository
baseurl=https://repo.zimbra.com/rpm/90-tls1_3-beta/rhel7
gpgcheck=1
enabled=1
EOF
- RHEL/CentOS 8
root@zimbra90:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
[zimbra]
name=Zimbra RPM Repository
baseurl=https://repo.zimbra.com/rpm/90-tls1_3-beta/rhel8
gpgcheck=1
enabled=1
EOF
Installing Zimbra packages with system package upgrades
- As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
- Then ask yum to update available packages:
yum update
- Restart Zimbra services as the zimbra user:
su - zimbra
zmcontrol restart
Installing Zimbra packages individually on Proxy node for FOSS and NETWORK
- As root, first clear the yum cache and check for updates so the server sees all updated packages in the patch repository:
yum clean metadata
yum check-update
- Then upgrade the packages:
yum install zimbra-proxy-patch
- Restart Zimbra services as the zimbra user:
su - zimbra
zmcontrol restart
Configure the source list on Ubuntu system
You must configure the sources list in your Ubuntu configuration:
8.8.15
- UBUNTU 14.04
root@zimbra8815:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta trusty zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta trusty zimbra
EOF
- UBUNTU 16.04
root@zimbra8815:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta xenial zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta xenial zimbra
EOF
- UBUNTU 18.04
root@zimbra8815:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta bionic zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta bionic zimbra
EOF
9.0.0
- UBUNTU 14.04
root@zimbra90:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta trusty zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta trusty zimbra
EOF
- UBUNTU 16.04
root@zimbra90:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta xenial zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta xenial zimbra
EOF
- UBUNTU 18.04
root@zimbra90:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
deb [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta bionic zimbra
deb-src [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta bionic zimbra
EOF
Installing Zimbra packages with system package upgrades
- As root, upgrade the packages.
apt-get update
apt-get upgrade
- Restart Zimbra services as the zimbra user:
su - zimbra
zmcontrol restart
Installing Zimbra packages individually on Proxy node for FOSS and NETWORK
- As root, upgrade the packages.
apt-get update
apt-get install zimbra-proxy-patch
- Restart Zimbra services as the zimbra user:
su - zimbra
zmcontrol restart
How to configure TLS 1.3
- Add TLSv1.3 to the existing zimbraReverseProxySSLProtocols value.
$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1 TLSv1.1 TLSv1.2
$ zmprov mcf zimbraReverseProxySSLProtocols 'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'
- Add the TLSv1.3 cipher TLS_AES_256_GCM_SHA384 to the existing zimbraReverseProxySSLCiphers value, then restart the proxy.
$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
$ zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:TLS_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'
$ zmproxyctl restart
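The two edits above, as an added example that is not part of the original wiki page or Zimbra's own tooling: shell helpers that build the new values from `zmprov gcf` output and leave them unchanged when TLSv1.3 or the cipher is already present. The function names and the shortened cipher sample are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not Zimbra tooling): derive the new attribute values from
# `zmprov gcf` output so the long strings are not retyped by hand.

# Drop the "attrName: " prefix that `zmprov gcf` prints before the value.
gcf_value() { printf '%s\n' "${1#*: }"; }

# Append a protocol to a space-separated list unless it is already listed.
add_protocol() {
    case " $1 " in
        *" $2 "*) printf '%s\n' "$1" ;;
        *)        printf '%s\n' "$1 $2" ;;
    esac
}

# Insert a cipher directly before the first HIGH keyword (where the page
# places it), or append it when HIGH is absent. No-op if already present.
# The body runs in a subshell so its variables stay local.
add_cipher() (
    list=$1; new=$2; out=; placed=no
    case ":$list:" in
        *":$new:"*) printf '%s\n' "$list"; exit 0 ;;
    esac
    rest=$list
    while [ -n "$rest" ]; do
        item=${rest%%:*}
        case $rest in *:*) rest=${rest#*:} ;; *) rest= ;; esac
        if [ "$item" = HIGH ] && [ "$placed" = no ]; then
            out="${out:+$out:}$new"; placed=yes
        fi
        out="${out:+$out:}$item"
    done
    [ "$placed" = yes ] || out="${out:+$out:}$new"
    printf '%s\n' "$out"
)

# Constructed sample input: the protocol line is the one shown on the page,
# the cipher line is shortened. On a live server, capture the real lines
# with e.g. protocols_line=$(zmprov gcf zimbraReverseProxySSLProtocols).
protocols_line='zimbraReverseProxySSLProtocols: TLSv1 TLSv1.1 TLSv1.2'
ciphers_line='zimbraReverseProxySSLCiphers: ECDHE-RSA-AES256-GCM-SHA384:AES256:HIGH:!aNULL:!MD5'

new_protocols=$(add_protocol "$(gcf_value "$protocols_line")" TLSv1.3)
new_ciphers=$(add_cipher "$(gcf_value "$ciphers_line")" TLS_AES_256_GCM_SHA384)

# Print the commands for review instead of running them.
printf "zmprov mcf zimbraReverseProxySSLProtocols '%s'\n" "$new_protocols"
printf "zmprov mcf zimbraReverseProxySSLCiphers '%s'\n" "$new_ciphers"
```

After `zmproxyctl restart`, `openssl s_client -tls1_3 -connect <proxy-host>:443` (OpenSSL 1.1.1 or later; `<proxy-host>` is a placeholder) shows whether the proxy negotiates TLS 1.3.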