In /opt/zimbra/conf/nginx/includes/nginx.conf.web.https.default I have "ssl_protocols TLSv1 TLSv1.1 TLSv1.2;" and "proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;", so I had initially thought to try removing TLSv1 and restarting the proxy. All that did was, upon restart, replace what was removed.
So if this is not the correct configuration file, can someone point me to the correct one? Basically I need to allow TLSv1.1 and 1.2 only for the proxy.
Edit:
I have tried zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2 and zmprov gcf zimbraReverseProxySSLProtocols shows now: zimbraReverseProxySSLProtocols: TLSv1.2
However, https://www.ssllabs.com still shows TLSv1 and 1.1.
Edit #2: I now see in https://ssl-tools.net/mailservers that I have TLSv1 and weak ciphers enabled for SERVER1 but not on SERVER2. My problem seems to be there is no consistency or pattern to resolve.
SERVER1: /opt/zimbra/conf/nginx/includes/nginx.conf.web.https.default
ssl_protocols TLSv1.2;
proxy_ssl_protocols TLSv1.2;
Still shows TLSv1 and TLSv1.1
SERVER2: /opt/zimbra/conf/nginx/includes/nginx.conf.web.https.default
ssl_protocols TLSv1.2;
proxy_ssl_protocols TLSv1.2;
Shows only TLSv1.2
SERVER1: /opt/zimbra/common/conf/main.cf
smtp_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_exclude_ciphers = RC4, aNULL
Shows TLSv1 and RC4
SERVER2: /opt/zimbra/common/conf/main.cf
smtp_tls_exclude_ciphers = RC4, aNULL
smtpd_tls_exclude_ciphers = RC4, aNULL
Shows ONLY TLSv1.2 and no weak ciphers
On both servers I have run nearly identical commands to configure, and in the web GUI they match. I ran zmlocalconfig and compared the two servers but nothing stuck out that I could notice, or I wasn't looking at it correctly.
Can anyone help? I need to get all weak ciphers disabled for SMTP, HTTPS, IMAP and TLSv1 disabled (TLSv1.1 is accepted for now).
TLSv1 disable in nginx?
Re: TLSv1 disable in nginx?
Please set only two protocols:
zmprov mcf zimbraReverseProxySSLProtocols TLSv1.2
zmprov mcf +zimbraReverseProxySSLProtocols TLSv1.1
zmprov gcf zimbraReverseProxySSLProtocols
You will see:
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLProtocols: TLSv1.1
zmcontrol restart
That's it.
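A way to check what the regenerated nginx files actually contain after the restart, added here as an example and not part of the thread or of Zimbra: the function flags every `ssl_protocols` or `proxy_ssl_protocols` directive that enables a protocol outside an allowed set. The function names, the `ALLOWED` variable and the sample config are constructed for this example.

```shell
#!/bin/sh
# Added example (not Zimbra code): flag nginx ssl_protocols and
# proxy_ssl_protocols directives that enable a protocol outside ALLOWED.
ALLOWED="${ALLOWED:-TLSv1.1 TLSv1.2}"   # the policy asked for in the thread

# audit_tls_protocols FILE...
# Prints "file:line: directive enables PROTO" per finding; returns 1 if any.
audit_tls_protocols() {
    awk -v allowed="$ALLOWED" '
        BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        {
            line = $0
            sub(/#.*/, "", line)                 # ignore comments
            ns = split(line, stmt, ";")          # one line may hold several directives
            for (s = 1; s <= ns; s++) {
                m = split(stmt[s], f, " ")
                if (m < 2) continue
                if (f[1] != "ssl_protocols" && f[1] != "proxy_ssl_protocols") continue
                for (i = 2; i <= m; i++)
                    if (!(f[i] in ok)) {
                        printf "%s:%d: %s enables %s\n", FILENAME, FNR, f[1], f[i]
                        bad = 1
                    }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$@"
}

# write_sample PATH: constructed sample config, not copied from a real server.
write_sample() {
    cat > "$1" <<'EOF'
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    # ssl_protocols SSLv3;
    proxy_ssl_protocols TLSv1.2;
}
EOF
}

if [ "$#" -gt 0 ]; then
    audit_tls_protocols "$@"                     # audit the files given as arguments
else
    sample=$(mktemp) && write_sample "$sample"   # no arguments: run on the sample
    audit_tls_protocols "$sample" || echo "legacy protocols still enabled"
    rm -f "$sample"
fi
```

Pass it every file under /opt/zimbra/conf/nginx/includes/ rather than only nginx.conf.web.https.default. It reads the files on disk only, so an external scan is still needed to confirm what each listener negotiates.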