Zimbra 8.8.15 Patch-41 released, share your experience

rainer_d
Advanced member
Posts: 122
Joined: Fri Sep 12, 2014 11:40 pm

Re: Zimbra 8.8.15 Patch-41 released, share your experience

Post by rainer_d »

hisfran wrote: Thu Jul 27, 2023 7:54 pm Hello,

How do you check for users connecting with TLS 1.0 and 1.1?
rainer_d wrote: Thu Jul 27, 2023 1:31 pm BTW: Does anyone know if it's still possible to use TLS 1.0 with 8.8.15P41?

Yes, we still have that enabled, because the last time we tried to disable it, all kinds of people came out of the woods with ancient clients that couldn't connect anymore, and it had to be reverted.
Now, from my preliminary checks, this has come down significantly.
I installed bro (now called zeek, for political correctness) and after some tweaking, it logged all SSL/TLS connections on the frontends.
Then, I'm matching all the IPs that don't have TLS 1.2 or 1.3 to the logins I see in mailbox.log on the backend.

It's very tedious but at least we can warn these people ahead.

It's planned to switch off TLS 1.0 and 1.1 on Monday and then upgrade to P41 two weeks later (I will be away the week before).
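The correlation rainer_d describes (legacy-TLS client IPs from Zeek's ssl.log matched against mailbox.log logins) as an added example, not code from the post or from Zimbra; the sample log lines are constructed, and the `[name=...;oip=...;]` context block is an assumed mailbox.log layout.

```python
"""Correlate Zeek ssl.log connections negotiated below TLS 1.2 with Zimbra
mailbox.log logins, so the affected accounts can be warned before TLS 1.0/1.1
is switched off."""
import re

LEGACY_VERSIONS = {"SSLv3", "TLSv10", "TLSv11"}  # Zeek's version strings

# Constructed sample of a Zeek ssl.log (tab-separated, parsed by its #fields header).
ZEEK_SSL_LOG = "\n".join("\t".join(r) for r in [
    ["#fields", "ts", "uid", "id.orig_h", "id.orig_p", "id.resp_h", "id.resp_p", "version", "cipher"],
    ["1690450001.1", "C1", "198.51.100.10", "51000", "203.0.113.5", "443", "TLSv10", "TLS_RSA_WITH_AES_128_CBC_SHA"],
    ["1690450002.2", "C2", "198.51.100.11", "51001", "203.0.113.5", "443", "TLSv12", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
    ["1690450003.3", "C3", "198.51.100.12", "51002", "203.0.113.5", "993", "TLSv11", "TLS_RSA_WITH_AES_256_CBC_SHA"],
    ["1690450004.4", "C4", "198.51.100.10", "51003", "203.0.113.5", "443", "TLSv12", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
])

# Constructed mailbox.log lines; the bracketed context block with name=/oip=/ip=
# is an assumed format and may differ between ZCS releases.
MAILBOX_LOG = """\
2023-07-27 09:12:44,101 INFO  [qtp-1] [name=alice@example.com;oip=198.51.100.10;ua=Outlook;] security - cmd=Auth; account=alice@example.com; protocol=soap;
2023-07-27 09:13:01,222 INFO  [qtp-2] [name=bob@example.com;oip=198.51.100.11;ua=zclient;] security - cmd=Auth; account=bob@example.com; protocol=soap;
2023-07-27 09:14:10,333 INFO  [ImapServer-3] [name=carol@example.com;ip=198.51.100.12;] security - cmd=Auth; account=carol@example.com; protocol=imap;
"""

NAME_RE = re.compile(r"\[name=([^;\]]+);")
OIP_RE = re.compile(r"\boip=([^;\]]+)")   # originating IP (behind the proxy)
IP_RE = re.compile(r"\bip=([^;\]]+)")     # fallback when only ip= is logged

def legacy_client_ips(zeek_log):
    """Return {client_ip: set(versions)} for connections negotiated below TLS 1.2."""
    cols, hits = None, {}
    for line in zeek_log.splitlines():
        fields = line.split("\t")
        if fields[0] == "#fields":
            cols = fields[1:]
            continue
        if line.startswith("#") or cols is None:
            continue
        rec = dict(zip(cols, fields))
        if rec.get("version") in LEGACY_VERSIONS:
            hits.setdefault(rec["id.orig_h"], set()).add(rec["version"])
    return hits

def legacy_logins(zeek_log, mailbox_log):
    """Return {account: set((ip, version))} for logins coming from legacy-TLS IPs."""
    legacy, result = legacy_client_ips(zeek_log), {}
    for line in mailbox_log.splitlines():
        name = NAME_RE.search(line)
        ip = OIP_RE.search(line) or IP_RE.search(line)
        if not (name and ip) or ip.group(1) not in legacy:
            continue
        for ver in legacy[ip.group(1)]:
            result.setdefault(name.group(1), set()).add((ip.group(1), ver))
    return result
```

A client that also made TLS 1.2 connections (alice above) is still listed, since one legacy handshake is enough to break that client after the cut-off.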
pajari
Zimbra Employee
Posts: 28
Joined: Mon Apr 09, 2018 10:27 am

Re: Zimbra 8.8.15 Patch-41 released, share your experience

Post by pajari »

azuza wrote: Fri Jul 28, 2023 9:24 am
pajari wrote: Thu Jul 27, 2023 2:41 pm It is possible to use TLS 1.0 but not recommended. With 8.8.15P41, Zimbra has upgraded OpenSSL to 3.0.9, which does not support TLS 1.0 and 1.1.

If you still want to use TLS versions below 1.2, you can try the following steps:
1. Disable the FIPS provider:
As the root user, run the commands below:
cd /opt/zimbra/common/etc/ssl
cp openssl-source.cnf openssl.cnf

2. Set SECLEVEL=0 in openssl.cnf file
Add this to the end of your openssl config file: /opt/zimbra/common/etc/ssl/openssl.cnf
[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=0

3. Restart zimbra services:
su - zimbra
zmcontrol restart
I have tried this too, but it's not working either. This error log keeps showing, and all Windows 7 (TLSv1.1 & TLSv1.2 enabled) users can't log in on Outlook.
Can you share the output of the commands below:
zmprov gcf zimbraReverseProxySSLProtocols
zmprov gcf zimbraReverseProxySSLCiphers
zmlocalconfig mailboxd_java_options
/opt/zimbra/common/bin/openssl list --providers
sigtrap
Posts: 22
Joined: Sat Sep 13, 2014 1:35 am

Re: Zimbra 8.8.15 Patch-41 released, share your experience

Post by sigtrap »

From:
Ubuntu 20.04 Zimbra Patch 38 (with manual fixes for vulnerabilities in Patch 40), single server.
Release 8.8.15.GA.4179.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 8.8.15_P37. (I guess Zimbra reported wrong patch level)

To:
Patch 41.
Release 8.8.15.GA.4179.UBUNTU20.64 UBUNTU20_64 FOSS edition, Patch 8.8.15_P41.

Everything good.

Web Interface:
Old version: 8.8.15_GA_4508 20230213090627 20230213-1441 FOSS
New version: 8.8.15_GA_4562 20230707032631 20230707-0800 FOSS

//sigtrap
ghen
Outstanding Member
Posts: 308
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium

Re: Zimbra 8.8.15 Patch-41 released, share your experience

Post by ghen »

pajari wrote: Thu Jul 27, 2023 2:41 pm 2. Set SECLEVEL=0 in openssl.cnf file
Add this to the end of your openssl config file: /opt/zimbra/common/etc/ssl/openssl.cnf
[...]
FWIW, re-enabling TLSv1.0 can also be accomplished by appending ":@SECLEVEL=0" to the cipherstring in zimbraReverseProxySSLCiphers.
(and this is upgrade-proof, whereas editing openssl.cnf is not)

Btw, FIPS also disables the CHACHA20-POLY1305 ciphersuites, which may be worth having for mobile clients without hardware AES support.
azuza
Posts: 6
Joined: Fri Jul 28, 2023 5:45 am

Re: Zimbra 8.8.15 Patch-41 released, share your experience

Post by azuza »

pajari wrote: Fri Jul 28, 2023 9:11 pm
azuza wrote: Fri Jul 28, 2023 9:24 am
pajari wrote: Thu Jul 27, 2023 2:41 pm It is possible to use TLS 1.0 but not recommended. With 8.8.15P41, Zimbra has upgraded OpenSSL to 3.0.9, which does not support TLS 1.0 and 1.1.

If you still want to use TLS versions below 1.2, you can try the following steps:
1. Disable the FIPS provider:
As the root user, run the commands below:
cd /opt/zimbra/common/etc/ssl
cp openssl-source.cnf openssl.cnf

2. Set SECLEVEL=0 in openssl.cnf file
Add this to the end of your openssl config file: /opt/zimbra/common/etc/ssl/openssl.cnf
[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=0

3. Restart zimbra services:
su - zimbra
zmcontrol restart
I have tried this too, but it's not working either. This error log keeps showing, and all Windows 7 (TLSv1.1 & TLSv1.2 enabled) users can't log in on Outlook.
Can you share the output of the commands below:
zmprov gcf zimbraReverseProxySSLProtocols
zmprov gcf zimbraReverseProxySSLCiphers
zmlocalconfig mailboxd_java_options
/opt/zimbra/common/bin/openssl list --providers
[zimbra@mail ~]$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLProtocols: TLSv1.3

[zimbra@mail ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

[zimbra@mail ~]$ zmlocalconfig mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED -Djava.net.preferIPv4Stack=true

[zimbra@mail ~]$ /opt/zimbra/common/bin/openssl list --providers
Providers:
default
name: OpenSSL Default Provider
version: 3.0.9
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.9
status: active
llcsys
Posts: 1
Joined: Wed Aug 02, 2023 9:40 am

Re: Zimbra 8.8.15 Patch-41 released, share your experience

Post by llcsys »

azuza wrote: Fri Jul 28, 2023 9:24 am
pajari wrote: Thu Jul 27, 2023 2:41 pm It is possible to use TLS 1.0 but not recommended. With 8.8.15P41, Zimbra has upgraded OpenSSL to 3.0.9, which does not support TLS 1.0 and 1.1.

If you still want to use TLS versions below 1.2, you can try the following steps:
1. Disable the FIPS provider:
As the root user, run the commands below:
cd /opt/zimbra/common/etc/ssl
cp openssl-source.cnf openssl.cnf

2. Set SECLEVEL=0 in openssl.cnf file
Add this to the end of your openssl config file: /opt/zimbra/common/etc/ssl/openssl.cnf
[openssl_init]
ssl_conf = ssl_sect

[ssl_sect]
system_default = system_default_sect

[system_default_sect]
CipherString = DEFAULT:@SECLEVEL=0

3. Restart zimbra services:
su - zimbra
zmcontrol restart
I have tried this too, but it's not working either. This error log keeps showing, and all Windows 7 (TLSv1.1 & TLSv1.2 enabled) users can't log in on Outlook.
I tried all the same as above; still unable to get Windows 7 and other older devices to log in/send email.
ghen
Outstanding Member
Posts: 308
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium

Re: Zimbra 8.8.15 Patch-41 released, share your experience

Post by ghen »

azuza wrote: Wed Aug 02, 2023 5:14 am [zimbra@mail ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
These are all TLSv1.2 ciphers. With no TLSv1.0 ciphers in your config, TLSv1.0 and 1.1 are implicitly disabled (regardless of Patch 41 / OpenSSL 3.0 FIPS mode).
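A check for ghen's observation, as an added example that is not from the thread or from Zimbra: expand a zimbraReverseProxySSLCiphers string with the local libssl and see which protocol version each suite needs. The cipher string is the one quoted above; the Python `ssl` module's `get_ciphers()` supplies the per-suite protocol field.

```python
"""Classify an OpenSSL cipher string by the minimum protocol each suite needs,
to tell whether a TLSv1.0/1.1 handshake would have anything to negotiate."""
import ssl

# Cipher string quoted in the thread (azuza's zimbraReverseProxySSLCiphers).
THREAD_CIPHERS = ("!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
                  "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
                  "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
                  "DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384")

def suites_by_protocol(cipher_string):
    """Expand the cipher string with the local OpenSSL and group suite names by
    the protocol OpenSSL reports for them: 'SSLv3' or 'TLSv1.0' for the pre-1.2
    CBC/SHA1 suites, 'TLSv1.2' for AEAD suites, 'TLSv1.3' for the 1.3 suites
    (which OpenSSL lists regardless of the 1.2-style cipher string)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    groups = {}
    for c in ctx.get_ciphers():
        groups.setdefault(c["protocol"], []).append(c["name"])
    return groups

def allows_legacy_tls(cipher_string):
    """True if at least one configured suite is usable below TLS 1.2, i.e. a
    TLSv1.0/1.1 client could still complete a handshake against this list."""
    return any(p not in ("TLSv1.2", "TLSv1.3") for p in suites_by_protocol(cipher_string))

if __name__ == "__main__":
    for proto, names in sorted(suites_by_protocol(THREAD_CIPHERS).items()):
        print(proto, len(names), "suites:", ", ".join(names))
    print("legacy TLS negotiable:", allows_legacy_tls(THREAD_CIPHERS))
```

With the thread's string every 1.2-style suite is AEAD (GCM or CHACHA20-POLY1305), so the function reports no legacy-capable suite; adding a CBC/SHA1 suite such as ECDHE-RSA-AES128-SHA (with @SECLEVEL=0) is what would actually make TLSv1.0/1.1 negotiable.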
azuza
Posts: 6
Joined: Fri Jul 28, 2023 5:45 am

Re: Zimbra 8.8.15 Patch-41 released, share your experience

Post by azuza »

ghen wrote: Wed Aug 02, 2023 1:46 pm
azuza wrote: Wed Aug 02, 2023 5:14 am [zimbra@mail ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
These are all TLSv1.2 ciphers. With no TLSv1.0 ciphers in your config, TLSv1.0 and 1.1 are implicitly disabled (regardless of Patch 41 / OpenSSL 3.0 FIPS mode).
That's the cipher string from another Zimbra box of mine (Patch P38) which works with old Windows. I copied and applied that cipher string to the Zimbra P41 box, and it's not working. The default one and the cipher string from https://wiki.zimbra.com/wiki/Cipher_suites are also not working.

Can you give me a cipher string that is compatible with TLSv1.1?
ghen
Outstanding Member
Posts: 308
Joined: Thu May 12, 2016 1:56 pm
Location: Belgium

Re: Zimbra 8.8.15 Patch-41 released, share your experience

Post by ghen »

In that case, missing TLSv1.0/1.1 are probably not your actual problem.
Maybe it's missing SHA1 signature support in TLSv1.2...

Can you do the following to disable FIPS mode and reduce openssl security level, reverting to your pre-P41 configuration:

As root:
  • cp -p /opt/zimbra/common/etc/ssl/{openssl-source.cnf,openssl.cnf}
As zimbra user:
  • zmprov mcf zimbraReverseProxySSLCiphers '!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:@SECLEVEL=0'
  • zmproxyctl restart
azuza
Posts: 6
Joined: Fri Jul 28, 2023 5:45 am

Re: Zimbra 8.8.15 Patch-41 released, share your experience

Post by azuza »

ghen wrote: Wed Aug 02, 2023 2:07 pm In that case, missing TLSv1.0/1.1 are probably not your actual problem.
Maybe it's missing SHA1 signature support in TLSv1.2...

Can you do the following to disable FIPS mode and reduce openssl security level, reverting to your pre-P41 configuration:

As root:
  • cp -p /opt/zimbra/common/etc/ssl/{openssl-source.cnf,openssl.cnf}
As zimbra user:
  • zmprov mcf zimbraReverseProxySSLCiphers '!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:@SECLEVEL=0'
  • zmproxyctl restart
My actual problem is that ancient computers (Windows 7) can't log in with Outlook. It's a bit hard if I have to upgrade all computers to Windows 10. My boss will hang me because of the cost.

I've applied your config and done zmcontrol restart. It still doesn't work. Here's the error log:


Aug  2 21:25:53 mail postfix/smtps/smtpd[1906858]: connect from unknown[103.84.235.xx]
Aug  2 21:25:53 mail postfix/smtps/smtpd[1906858]: SSL_accept error from unknown[103.84.235.xx]: -1
Aug  2 21:25:53 mail postfix/smtps/smtpd[1906858]: warning: TLS library problem: error:0A000102:SSL routines::unsupported protocol:ssl/statem/statem_srvr.c:1657:
[zimbra@mail ~]$ zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLProtocols: TLSv1.3

[zimbra@mail ~]$ zmprov gcf zimbraReverseProxySSLCiphers

zimbraReverseProxySSLCiphers: !DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:@SECLEVEL=0

[zimbra@mail ~]$ zmlocalconfig mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED -Djava.net.preferIPv4Stack=true

[zimbra@mail ~]$ /opt/zimbra/common/bin/openssl list --providers
Providers:
default
name: OpenSSL Default Provider
version: 3.0.9
status: active
fips
name: OpenSSL FIPS Provider
version: 3.0.9
status: active