Enabling TLS 1.3, removing v1 and v1.1 and ensuring that only strong ciphers are used

davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Post by davidkillingsworth »

I have been going through the process of enabling TLS 1.3 after updating to 8.8.15 Patch 20. At the same time, I am disabling TLSv1 and TLSv1.1.

The documentation is here:
https://wiki.zimbra.com/wiki/Enable_TLS1.3

I found that I also had to issue these commands:

zmprov mcf -zimbraMailboxdSSLProtocols TLSv1
zmprov mcf -zimbraMailboxdSSLProtocols TLSv1.1
zmprov mcf +zimbraMailboxdSSLProtocols TLSv1.3

I also double-checked these commands to make sure that !SSLv1 was not included:

zmprov gcf zimbraMtaSmtpTlsProtocols
zmprov gcf zimbraMtaSmtpdTlsProtocols
zmprov gcf zimbraMtaSmtpTlsMandatoryProtocols
zmprov gcf zimbraMtaSmtpdTlsMandatoryProtocols

I ran SSL tests against several different sites including Qualys SSL test at http://www.ssllabs.com

I now get a B grade because of weak ciphers. I looked at the Zimbra wiki and it seems to be out of date. It shows last updated as of Zimbra 8.6.
https://wiki.zimbra.com/wiki/Cipher_suites

Does anybody know what the latest version of cipher suites should be that only include TLSv1.2 and TLSv1.3 and pass modern SSL check sites?
JDunphy
Outstanding Member
Posts: 889
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Post by JDunphy »

ccelis5215
Outstanding Member
Posts: 632
Joined: Sat Sep 13, 2014 2:04 am
Location: Caracas - Venezuela
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU18.64 P12

Post by ccelis5215 »

Hi,

What about 'Mozilla SSL configuration Generator'?

Obviously, after applying the wiki zimbra mentioned by JDunphy.

ccelis
liverpoolfcfan
Elite member
Posts: 1096
Joined: Sat Sep 13, 2014 12:47 am

Post by liverpoolfcfan »

On the 8.8.15 P20 FOSS - We use the zimbraReverseProxySSLCiphers in the wiki article linked by JDunphy above - prepended with TLS_AES_256_GCM_SHA384: for TLSv1.3

We get an A+ rating - with individual scores on the right of 100,100,90,90
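
Added example, not part of any post in this thread: before setting a value for zimbraReverseProxySSLCiphers, a candidate cipher string can be expanded with the local OpenSSL build to see which TLS 1.2-and-earlier suites it actually enables. The function name `audit_cipher_string`, the sample string and the two criteria (forward secrecy, AEAD) are assumptions made for this illustration, not the grading rules of any test site.

```python
import ssl


def audit_cipher_string(cipher_string):
    """Expand an OpenSSL cipher string and flag TLS <= 1.2 suites that
    lack forward secrecy or AEAD encryption (assumed criteria)."""
    # TLS 1.3 suite names (TLS_...) are configured through a separate
    # OpenSSL API and are not controlled by set_ciphers(), so drop them
    # before asking OpenSSL to expand the rest of the string.
    legacy = ":".join(
        token for token in cipher_string.split(":")
        if token and not token.startswith("TLS_")
    )
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(legacy)  # raises ssl.SSLError if nothing matches

    report = []
    for suite in ctx.get_ciphers():
        if suite["protocol"] == "TLSv1.3":
            continue  # always listed by OpenSSL, independent of the string
        issues = []
        # kea is the key exchange, e.g. 'kx-ecdhe', 'kx-dhe' or 'kx-rsa'.
        if "dhe" not in suite["kea"]:
            issues.append("no forward secrecy")
        if not suite["aead"]:
            issues.append("not AEAD")
        report.append({"name": suite["name"], "issues": issues})
    return report


if __name__ == "__main__":
    # Constructed sample string, not a recommended or Zimbra-supplied value.
    SAMPLE = "TLS_AES_256_GCM_SHA384:ECDHE-RSA-AES256-GCM-SHA384:AES128-SHA"
    for entry in audit_cipher_string(SAMPLE):
        status = ", ".join(entry["issues"]) or "ok"
        print(f"{entry['name']:<32} {status}")
```

The result depends on the OpenSSL build Python is linked against, so run it on the host whose proxy will use the string.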