
8.8.15 Patch 15 - How to enable TLS v 1.3 support?

Posted: Wed Jan 13, 2021 4:57 am
by davidkillingsworth
Hello,

I noticed in the release notes for Zimbra 8.8.15 Patch 15 that OpenSSL and Postfix TLS 1.3 support has been implemented:
https://wiki.zimbra.com/wiki/Zimbra_Rel ... 3_Packages

I also noticed in the release notes for Zimbra 8.8.15 Patch 17 that Nginx 1.19.0 support for TLSv1.3 has been implemented.
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P17

I do note that these are listed as "beta."

Does that mean that we can go ahead and enable TLS v 1.3 support?

If so, how do we do so and what are the implications?

If we do not have any Outlook 2010 clients, can or should we disable TLS v 1.0 and 1.1 support?

Thanks,
David

Re: 8.8.15 Patch 15 - How to enable TLS v 1.3 support?

Posted: Thu Jan 14, 2021 1:28 pm
by jjakob
I tried to enable TLSv1.3 in 8.8.15p17, but nginx complained:

[warn] 9488#0: invalid value "TLSv1.3" in /opt/zimbra/conf/nginx/includes/nginx.conf.web.https.default:41


Apparently TLSv1.3 is only available via a beta repository you need to manually add: https://wiki.zimbra.com/wiki/Nginx_PackageUpgrade
I'm not sure why this beta functionality was advertised in the patch 17 release. If you read the text that is not bold and orange, it links you to the above URL mentioning the beta package, which is easy to miss (since you're distracted by the bold orange text saying p17 adds support for TLSv1.3).

My updated Ubuntu 16.04 system only has zimbra-proxy-patch version p16. zimbra-patch is at p17 as expected. So not all component patches seem to be included in the main patch release.
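
Added example, not part of the post above or of Zimbra's tooling: a Python check that reads the text printed by `nginx -V` and the `ssl_protocols` directive, then reports whether the `TLSv1.3` value rejected in the warning can work on that build and which legacy protocols are still enabled. The version thresholds are taken from the nginx documentation; the function names and sample inputs are constructed for illustration.

```python
import re

# From the nginx documentation for ssl_protocols: the TLSv1.3 parameter
# exists since nginx 1.13.0 and only takes effect when nginx is built
# against OpenSSL 1.1.1 or later.
MIN_NGINX = (1, 13, 0)
MIN_OPENSSL = (1, 1, 1)
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def _version(text, pattern):
    m = re.search(pattern, text)
    return tuple(int(x) for x in m.groups()) if m else None

def tls13_capable(nginx_v_output):
    """Return (capable, reason) from the text printed by `nginx -V`."""
    nginx = _version(nginx_v_output, r"nginx version: \S+?/(\d+)\.(\d+)\.(\d+)")
    openssl = _version(nginx_v_output, r"built with OpenSSL (\d+)\.(\d+)\.(\d+)")
    if nginx is None or openssl is None:
        return False, "could not parse nginx/OpenSSL version"
    if nginx < MIN_NGINX:
        return False, "nginx %d.%d.%d does not know the TLSv1.3 value" % nginx
    if openssl < MIN_OPENSSL:
        return False, "OpenSSL %d.%d.%d has no TLS 1.3" % openssl
    return True, "ok"

def audit_ssl_protocols(conf_text, nginx_v_output):
    """List (line number, finding) for every ssl_protocols directive."""
    capable, reason = tls13_capable(nginx_v_output)
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), 1):
        m = re.match(r"\s*ssl_protocols\s+([^;#]+);", line)
        if not m:
            continue
        protos = m.group(1).split()
        findings += [(lineno, "legacy protocol enabled: " + p)
                     for p in protos if p in LEGACY]
        if "TLSv1.3" in protos and not capable:
            findings.append((lineno, "TLSv1.3 configured but " + reason))
        if "TLSv1.3" not in protos and capable:
            findings.append((lineno, "TLSv1.3 available but not enabled"))
    return findings

# Constructed sample inputs (not taken from the thread).
OLD_BUILD = "nginx version: nginx/1.12.2\nbuilt with OpenSSL 1.0.2k-fips  26 Jan 2017\n"
NEW_BUILD = "nginx version: nginx/1.19.0\nbuilt with OpenSSL 1.1.1g  21 Apr 2020\n"
SAMPLE_CONF = "server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\n}\n"

if __name__ == "__main__":
    for build in (OLD_BUILD, NEW_BUILD):
        print(audit_ssl_protocols(SAMPLE_CONF, build))
```

On a real host, feed it the stderr output of the proxy's `nginx -V` and the contents of the generated include files.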