8.8.15 Patch 15 - How to enable TLS v 1.3 support?

Discuss your pilot or production implementation with other Zimbra admins or our engineers.
davidkillingsworth
Outstanding Member
Outstanding Member
Posts: 229
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3829.UBUNTU14.64 -Patch 1

8.8.15 Patch 15 - How to enable TLS v 1.3 support?

Postby davidkillingsworth » Wed Jan 13, 2021 4:57 am

Hello,

I noticed in the release note for Zimbra 8.8.15 Patch 15 that OpenSSL and Postfix TLS 1.3 support has been implemented:
https://wiki.zimbra.com/wiki/Zimbra_Rel ... 3_Packages

I also noticed in the release notes for Zimbra 8.8.15 Patch 17 that Nginx 1.19.0 support for TLSv1.3 has been implemented.
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P17

I do note that these are listed as "beta."

Does that mean that we can go ahead and enable TLS v 1.3 support?

If so, how do we do so and what are the implications?

If we do not have any Outlook 2010 clients, can or should we disable TLS v 1.0 and 1.1 support?

Thanks,
David


jjakob
Posts: 9
Joined: Thu Jan 14, 2021 1:13 pm

Re: 8.8.15 Patch 15 - How to enable TLS v 1.3 support?

Postby jjakob » Thu Jan 14, 2021 1:28 pm

I tried to enable TLSv1.3 in 8.8.15p17, but nginx complained:

Code: Select all

[warn] 9488#0: invalid value "TLSv1.3" in /opt/zimbra/conf/nginx/includes/nginx.conf.web.https.default:41


Apparently TLSv1.3 is only available via a beta repository you need to manually add: https://wiki.zimbra.com/wiki/Nginx_PackageUpgrade
I'm not sure why this beta functionality was advertised in the patch 17 release. If you read the not bold and orange text, it links you to the above URL mentioning the beta package, which is easy to miss (since you're distracted by the bold orange text saying p17 adds support for TLSv1.3)

My updated Ubuntu 16.04 system only has zimbra-proxy-patch version p16. zimbra-patch is at p17 as expected. So not all component patches seem to be included in the main patch release.
davidkillingsworth
Outstanding Member
Outstanding Member
Posts: 229
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3829.UBUNTU14.64 -Patch 1

Re: 8.8.15 Patch 15 - How to enable TLS v 1.3 support?

Postby davidkillingsworth » Thu Apr 08, 2021 4:15 am

It looks like this is finally available as of 8.8.15 Patch 20.

https://blog.zimbra.com/2021/04/zimbra- ... s-support/

The blog post doesn't give any instructions on what needs to be done, if any, to ensure that it is enabled and any older versions of TLS are disabled.

Anyone have any ideas on how to make sure that we are protected?

Thanks,
David
jjakob
Posts: 9
Joined: Thu Jan 14, 2021 1:13 pm

Re: 8.8.15 Patch 15 - How to enable TLS v 1.3 support?

Postby jjakob » Thu Apr 08, 2021 2:19 pm

I followed the only the last step in https://wiki.zimbra.com/wiki/Nginx_PackageUpgrade#How_to_configure_TLS_1.3
only partially:

Code: Select all

zmprov mcf zimbraReverseProxySSLProtocols 'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'

This enabled TLSv1.3 on nginx (so any services you have going through it).
I tested my installation with testssl.sh afterwards. TLS_AES_256_GCM_SHA384 was already offered without adding it to zimbraReverseProxySSLCiphers. I also tested all the services that don't go through nginx in my case (admin console 7071, IMAP, postfix 25, 587) and they all offered TLSv1.3, so it seems nothing else is required to enable it.
User avatar
JDunphy
Outstanding Member
Outstanding Member
Posts: 579
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 8.8.15_P20 RHEL6 Network Edition
Contact:

Re: 8.8.15 Patch 15 - How to enable TLS v 1.3 support?

Postby JDunphy » Thu Apr 08, 2021 2:46 pm

That is good to know... There are 2 locations that I have seen that reference how-to.

1) Release notes for the patch: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P20
2) wiki - https://wiki.zimbra.com/wiki/Enable_TLS1.3

Return to “Administrators”

Who is online

Users browsing this forum: No registered users and 20 guests