8.8.15 Patch 15 - How to enable TLS v 1.3 support?

davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Post by davidkillingsworth »

Hello,

I noticed in the release note for Zimbra 8.8.15 Patch 15 that OpenSSL and Postfix TLS 1.3 support has been implemented:
https://wiki.zimbra.com/wiki/Zimbra_Rel ... 3_Packages

I also noticed in the release notes for Zimbra 8.8.15 Patch 17 that Nginx 1.19.0 support for TLSv1.3 has been implemented.
https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P17

I do note that these are listed as "beta."

Does that mean that we can go ahead and enable TLS v 1.3 support?

If so, how do we do so and what are the implications?

If we do not have any Outlook 2010 clients, can or should we disable TLS v 1.0 and 1.1 support?

Thanks,
David
jjakob
Posts: 10
Joined: Thu Jan 14, 2021 1:13 pm

Re: 8.8.15 Patch 15 - How to enable TLS v 1.3 support?

Post by jjakob »

I tried to enable TLSv1.3 in 8.8.15p17, but nginx complained:

Code:

[warn] 9488#0: invalid value "TLSv1.3" in /opt/zimbra/conf/nginx/includes/nginx.conf.web.https.default:41

Apparently TLSv1.3 is only available via a beta repository you need to manually add: https://wiki.zimbra.com/wiki/Nginx_PackageUpgrade
I'm not sure why this beta functionality was advertised in the patch 17 release. If you read the not bold and orange text, it links you to the above URL mentioning the beta package, which is easy to miss (since you're distracted by the bold orange text saying p17 adds support for TLSv1.3).

My updated Ubuntu 16.04 system only has zimbra-proxy-patch version p16. zimbra-patch is at p17 as expected. So not all component patches seem to be included in the main patch release.
davidkillingsworth
Outstanding Member
Posts: 251
Joined: Sat Sep 13, 2014 2:26 am
ZCS/ZD Version: 8.8.15.GA.3869.UBUNTU14.64-Patch 24

Re: 8.8.15 Patch 15 - How to enable TLS v 1.3 support?

Post by davidkillingsworth »

It looks like this is finally available as of 8.8.15 Patch 20.

https://blog.zimbra.com/2021/04/zimbra- ... s-support/

The blog post doesn't give any instructions on what needs to be done, if any, to ensure that it is enabled and any older versions of TLS are disabled.

Anyone have any ideas on how to make sure that we are protected?

Thanks,
David
jjakob
Posts: 10
Joined: Thu Jan 14, 2021 1:13 pm

Re: 8.8.15 Patch 15 - How to enable TLS v 1.3 support?

Post by jjakob »

I followed only the last step in https://wiki.zimbra.com/wiki/Nginx_Pack ... re_TLS_1.3, and only partially:

Code:

zmprov mcf zimbraReverseProxySSLProtocols 'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'

This enabled TLSv1.3 on nginx (so any services you have going through it).
I tested my installation with testssl.sh afterwards. TLS_AES_256_GCM_SHA384 was already offered without adding it to zimbraReverseProxySSLCiphers. I also tested all the services that don't go through nginx in my case (admin console 7071, IMAP, postfix 25, 587) and they all offered TLSv1.3, so it seems nothing else is required to enable it.
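
As an added example (not part of any post in this thread, and not Zimbra's own tooling): a shell function that audits the `ssl_protocols` directives in a rendered nginx include such as the one named in the warning earlier in the thread, reporting whether TLSv1.3 is listed and whether TLSv1 or TLSv1.1 are still enabled. The function name, output format, exit codes and sample file content are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): audit nginx ssl_protocols directives.

# audit_ssl_protocols FILE
# Prints "FILE:LINE tls13=yes|no legacy=none|<list>" for every ssl_protocols
# directive found. Exit status (assumed convention for this example):
#   0 = every directive lists TLSv1.3 and no legacy protocol
#   1 = at least one directive lacks TLSv1.3 or lists a legacy protocol
#   2 = no ssl_protocols directive found in FILE
audit_ssl_protocols() {
    awk '
        { sub(/#.*/, "") }                   # ignore comments
        $1 == "ssl_protocols" {
            found = 1; has13 = 0; legacy = ""
            for (i = 2; i <= NF; i++) {
                p = $i
                sub(/;$/, "", p)             # strip the directive terminator
                if (p == "TLSv1.3") has13 = 1
                if (p == "SSLv2" || p == "SSLv3" || p == "TLSv1" || p == "TLSv1.1")
                    legacy = (legacy == "" ? p : legacy "," p)
            }
            if (!has13 || legacy != "") bad = 1
            printf "%s:%d tls13=%s legacy=%s\n", FILENAME, FNR,
                   (has13 ? "yes" : "no"), (legacy == "" ? "none" : legacy)
        }
        END { if (!found) exit 2; exit bad + 0 }
    ' "$1"
}

# Constructed sample: a protocol list matching the zmprov value above, plus a
# commented-out directive that must be ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
    # ssl_protocols TLSv1.2;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
EOF
audit_ssl_protocols "$sample" || echo "policy check failed (exit $?)"
rm -f "$sample"
```

On a real server the argument would be the include file named in the nginx warning, /opt/zimbra/conf/nginx/includes/nginx.conf.web.https.default; a file-level check like this complements, and does not replace, a live scan such as testssl.sh.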
JDunphy
Outstanding Member
Posts: 896
Joined: Fri Sep 12, 2014 11:18 pm
Location: Victoria, BC
ZCS/ZD Version: 9.0.0_P39 NETWORK Edition

Re: 8.8.15 Patch 15 - How to enable TLS v 1.3 support?

Post by JDunphy »

That is good to know... There are 2 locations that I have seen that reference how-to.

1) Release notes for the patch: https://wiki.zimbra.com/wiki/Zimbra_Releases/8.8.15/P20
2) wiki - https://wiki.zimbra.com/wiki/Enable_TLS1.3