I've just been sending this to Zimbra support already, but maybe it helps someone here in the meantime, too:
While installing the patch 20 for v8.8.15, I came across the following two errors in the release notes https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P20 .
I assume that this also applies to the ones for v9.0.
1. The option zimbraReverseProxySSLProtocols is defined as "multi":
Code: Select all
$ zmprov desc -a zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols
SSL protocols enabled for the proxy
type : string
value :
callback :
immutable : false
cardinality : multi
requiredIn :
optionalIn : server,globalConfig
flags : serverInherited
defaults : TLSv1,TLSv1.1,TLSv1.2
min :
max :
id : 1653
requiresRestart :
since : 8.6.0
deprecatedSince :
Code: Select all
$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
Code: Select all
$ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3
$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLProtocols: TLSv1.3
Code: Select all
$ zmlocalconfig -e mailboxd_java_options='-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true -Djavax.net.debug=ssl,handshake,data'
Kind regards
Florian