Errata in the release notes of 8.8.15 P20

florianh
Posts: 31
Joined: Sat Sep 13, 2014 12:36 am

Post by florianh »

Hi all,

I've already sent this to Zimbra support, but maybe it helps someone here in the meantime, too:

While installing patch 20 for v8.8.15, I came across the following two errors in the release notes: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P20
I assume that this also applies to the ones for v9.0.

1. The option zimbraReverseProxySSLProtocols is defined as "multi":

$ zmprov desc -a zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols
    SSL protocols enabled for the proxy

               type : string
              value :
           callback :
          immutable : false
        cardinality : multi
         requiredIn :
         optionalIn : server,globalConfig
              flags : serverInherited
           defaults : TLSv1,TLSv1.1,TLSv1.2
                min :
                max :
                 id : 1653
    requiresRestart :
              since : 8.6.0
    deprecatedSince :

That's what our configuration looked like:

$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2

Accordingly, the correct modification command is:

$ zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.3

$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLProtocols: TLSv1.3

2. When modifying the mailboxd_java_options, it's important to use apostrophes instead of quotation marks:

$ zmlocalconfig -e mailboxd_java_options='-server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.net.preferIPv4Stack=true -Djavax.net.debug=ssl,handshake,data'

Otherwise, the "${networkaddress_cache_ttl}" will be interpreted by the shell and typically be set to an empty string.


Kind regards
Florian
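
Both errata from the post above can be checked offline with a small shell script. This is an added example, not part of the original post and not Zimbra tooling; the function names, the shortened option string and the sample outputs are constructed for illustration, and it relies on zmprov replacing all existing values when the "+" prefix is omitted.

```shell
# Added example; every sample string below is constructed, not read from a server.

# Succeeds only if the option string still carries the literal
# ${networkaddress_cache_ttl} placeholder for Zimbra to resolve itself.
ttl_placeholder_intact() {
    case "$1" in
        *'-Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl}'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints each wanted protocol that is absent from `zmprov gcf` style output
# ("attribute: value", one per line). Prints nothing when all are present.
missing_protocols() {
    gcf_output=$1
    shift
    for proto in "$@"; do
        printf '%s\n' "$gcf_output" |
            grep -qxF "zimbraReverseProxySSLProtocols: $proto" || printf '%s\n' "$proto"
    done
}

# Reproduce the quoting difference with the variable unset, as in a normal login shell.
unset networkaddress_cache_ttl
double_quoted="-server -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -XX:+UseG1GC"
single_quoted='-server -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -XX:+UseG1GC'

# Constructed outputs: "mcf +attr value" keeps the existing values, while
# "mcf attr value" on a multi-valued attribute leaves only the new one.
after_plus='zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLProtocols: TLSv1.3'
after_replace='zimbraReverseProxySSLProtocols: TLSv1.3'

ttl_placeholder_intact "$double_quoted" || echo "double quotes: placeholder lost"
ttl_placeholder_intact "$single_quoted" && echo "single quotes: placeholder kept"
echo "missing after +attr:   $(missing_protocols "$after_plus" TLSv1.2 TLSv1.3 | tr '\n' ' ')"
echo "missing after replace: $(missing_protocols "$after_replace" TLSv1.2 TLSv1.3 | tr '\n' ' ')"
```

On a real server the same functions can be fed the output of `zmlocalconfig -s mailboxd_java_options` and `zmprov gcf zimbraReverseProxySSLProtocols` after applying the patch steps.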
porokh
Posts: 17
Joined: Tue May 14, 2019 10:02 am
Location: Ukraine
ZCS/ZD Version: 8.8.15 RHEL7 FOSS

Re: Errata in the release notes of 8.8.15 P20

Post by porokh »

This patch (8.8.15_P20) looks like it was less tested before release. When I applied it on a test ZCS instance (CentOS 7), there were warnings after yum update "zimbra*":

  Updating   : zimbra-postfix-3.5.6-1zimbra8.7b3.el7.x86_64              43/100 
WARNING: An illegal reflective access operation has occurred
WARNING: Illegal reflective access by org.python.google.common.base.internal.Finalizer (file:/opt/zimbra/lib/jars/jython-standalone-2.5.2.jar) to field java.lang.Thread.inheritableThreadLocals
WARNING: Please consider reporting this to the maintainers of org.python.google.common.base.internal.Finalizer
WARNING: Use --illegal-access=warn to enable warnings of further illegal reflective access operations
WARNING: All illegal access operations will be denied in a future release
stty: standard input: Inappropriate ioctl for device
  Updating   : zimbra-mta-components-1.0.11-1zimbra8.8b1.el7.x86_64      44/100 

Two days of lazy testing showed no problems, so I applied this patch on the production instance -- and the warnings were repeated exactly. I hope they will disappear in future patches.