Hello,
I noticed in the release note for Zimbra 8.8.15 Patch 15 that OpenSSL and Postfix TLS 1.3 support has been implemented:
https://wiki.zimbra.com/wiki/Zimbra_Rel ... 3_Packages
I also noticed in the release notes for Zimbra 8.8.15 Patch 17 that Nginx 1.19.0 support for TLSv1.3 has been implemented.
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P17
I do note that these are listed as "beta."
Does that mean that we can go ahead and enable TLS v 1.3 support?
If so, how do we do so and what are the implications?
If we do not have any Outlook 2010 clients, can or should we disable TLS v 1.0 and 1.1 support?
Thanks,
David
8.8.15 Patch 15 - How to enable TLS v 1.3 support?
- Outstanding Member
- Posts: 251
- Joined: Sat Sep 13, 2014 2:26 am
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24
Re: 8.8.15 Patch 15 - How to enable TLS v 1.3 support?
I tried to enable TLSv1.3 in 8.8.15p17, but nginx complained:
Code:
[warn] 9488#0: invalid value "TLSv1.3" in /opt/zimbra/conf/nginx/includes/nginx.conf.web.https.default:41
Apparently TLSv1.3 is only available via a beta repository you need to manually add: https://wiki.zimbra.com/wiki/Nginx_PackageUpgrade
I'm not sure why this beta functionality was advertised in the patch 17 release. If you read the not bold and orange text, it links you to the above URL mentioning the beta package, which is easy to miss (since you're distracted by the bold orange text saying p17 adds support for TLSv1.3).
My updated Ubuntu 16.04 system only has zimbra-proxy-patch version p16. zimbra-patch is at p17 as expected. So not all component patches seem to be included in the main patch release.
- Outstanding Member
- Posts: 251
- Joined: Sat Sep 13, 2014 2:26 am
- ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24
Re: 8.8.15 Patch 15 - How to enable TLS v 1.3 support?
It looks like this is finally available as of 8.8.15 Patch 20.
https://blog.zimbra.com/2021/04/zimbra- ... s-support/
The blog post doesn't give any instructions on what needs to be done, if any, to ensure that it is enabled and any older versions of TLS are disabled.
Anyone have any ideas on how to make sure that we are protected?
Thanks,
David
Re: 8.8.15 Patch 15 - How to enable TLS v 1.3 support?
I followed only the last step in https://wiki.zimbra.com/wiki/Nginx_Pack ... re_TLS_1.3
only partially:
Code:
zmprov mcf zimbraReverseProxySSLProtocols 'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'
This enabled TLSv1.3 on nginx (so any services you have going through it).
I tested my installation with testssl.sh afterwards. TLS_AES_256_GCM_SHA384 was already offered without adding it to zimbraReverseProxySSLCiphers. I also tested all the services that don't go through nginx in my case (admin console 7071, IMAP, postfix 25, 587) and they all offered TLSv1.3, so it seems nothing else is required to enable it.
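Added example, not part of the thread and not Zimbra's own tooling: a config-side check to go with the testssl.sh scan described above. It lists every nginx `ssl_protocols` directive under a directory such as /opt/zimbra/conf/nginx/includes and flags any that still enable TLSv1/TLSv1.1 or omit TLSv1.3. Assumptions: the generated includes set protocols with a single-line `ssl_protocols` directive, the target policy is TLSv1.2 plus TLSv1.3 only, and the sample files (and the `example.*` file names) are constructed.

```shell
#!/bin/sh
# Added example: report ssl_protocols directives under a config directory.

# audit_ssl_protocols DIR -> prints "STATUS file:line protocols" per directive.
# Exit status: 0 all TLSv1.2/TLSv1.3 only and TLSv1.3 present, 1 otherwise,
# 2 if no directive was found. The policy is an assumption of this example.
audit_ssl_protocols() (
    matches=$(grep -rnE '^[[:space:]]*ssl_protocols[[:space:]]' "$1" | LC_ALL=C sort)
    [ -n "$matches" ] || { echo "no ssl_protocols directive under $1"; exit 2; }
    rc=0
    while IFS=: read -r file lineno rest; do
        # Keep only the protocol list: drop comments, directive name and ';'.
        protos=$(printf '%s\n' "$rest" | tr '\t' ' ' | sed -E \
            's/#.*$//; s/^ *ssl_protocols +//; s/ *;.*$//' | tr -s ' ')
        status=OK
        case " $protos " in
            *" TLSv1.3 "*) ;;
            *) status=NO_TLS13 ;;
        esac
        case " $protos " in   # legacy versions outrank a missing TLSv1.3
            *" SSLv2 "*|*" SSLv3 "*|*" TLSv1 "*|*" TLSv1.1 "*) status=LEGACY ;;
        esac
        [ "$status" = OK ] || rc=1
        printf '%s %s:%s %s\n' "$status" "${file##*/}" "$lineno" "$protos"
    done <<EOF
$matches
EOF
    exit "$rc"
)

# Constructed sample includes; only the first file name appears in the thread.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    printf 'server {\n    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;\n}\n' \
        > "$d/nginx.conf.web.https.default"
    printf 'server {\n\tssl_protocols  TLSv1.2\tTLSv1.3; # hardened\n}\n' \
        > "$d/example.imaps.conf"
    printf 'server {\n    ssl_protocols TLSv1.2;\n}\n' > "$d/example.pop3s.conf"
    echo "$d"
}

sample=$(make_sample_dir)
audit_ssl_protocols "$sample" || echo "exit status: $?"
rm -rf "$sample"
```

This only reads the nginx files on disk, so services that do not go through the proxy and the protocols a listener actually negotiates still need an external scan.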
- JDunphy
- Outstanding Member
- Posts: 897
- Joined: Fri Sep 12, 2014 11:18 pm
- Location: Victoria, BC
- ZCS/ZD Version: 9.0.0_P39 NETWORK Edition
Re: 8.8.15 Patch 15 - How to enable TLS v 1.3 support?
That is good to know... There are 2 locations that I have seen that reference how-to.
1) Release notes for the patch: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P20
2) wiki - https://wiki.zimbra.com/wiki/Enable_TLS1.3