ghen wrote: ↑Wed Aug 02, 2023 2:07 pm
In that case, missing TLSv1.0/1.1 are probably not your actual problem.
Maybe it's missing SHA1 signature support in TLSv1.2...
Can you do the following to disable FIPS mode and reduce openssl security level, reverting to your pre-P41 configuration:
As root:
- cp -p /opt/zimbra/common/etc/ssl/{openssl-source.cnf,openssl.cnf}
As zimbra user:
- zmprov mcf zimbraReverseProxySSLCiphers '!DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:@SECLEVEL=0'
- zmproxyctl restart
My actual problem is that ancient computers (Windows 7) can't log in with Outlook. It's a bit hard if I have to upgrade all computers to Windows 10. My boss will hang me because of the cost issue.
I've applied your config and run zmcontrol restart. It still does not work. Here's the error log:
Aug 2 21:25:53 mail postfix/smtps/smtpd[1906858]: connect from unknown[103.84.235.xx]
Aug 2 21:25:53 mail postfix/smtps/smtpd[1906858]: SSL_accept error from unknown[103.84.235.xx]: -1
Aug 2 21:25:53 mail postfix/smtps/smtpd[1906858]: warning: TLS library problem: error:0A000102:SSL routines::unsupported protocol:ssl/statem/statem_srvr.c:1657:
zmprov gcf zimbraReverseProxySSLProtocols
zimbraReverseProxySSLProtocols: TLSv1
zimbraReverseProxySSLProtocols: TLSv1.1
zimbraReverseProxySSLProtocols: TLSv1.2
zimbraReverseProxySSLProtocols: TLSv1.3
[zimbra@mail ~]$ zmprov gcf zimbraReverseProxySSLCiphers
zimbraReverseProxySSLCiphers: !DH:!EDH:!ADH:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:@SECLEVEL=0
[zimbra@mail ~]$ zmlocalconfig mailboxd_java_options
mailboxd_java_options = -server -Dhttps.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djdk.tls.client.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3 -Djava.awt.headless=true -Dsun.net.inetaddr.ttl=${networkaddress_cache_ttl} -Dorg.apache.jasper.compiler.disablejsr199=true -XX:+UseG1GC -XX:SoftRefLRUPolicyMSPerMB=1 -XX:+UnlockExperimentalVMOptions -XX:G1NewSizePercent=15 -XX:G1MaxNewSizePercent=45 -XX:-OmitStackTraceInFastThrow -verbose:gc -Xlog:gc*=info,safepoint=info:file=/opt/zimbra/log/gc.log:time:filecount=20,filesize=10m -Djava.security.egd=file:/dev/./urandom --add-opens java.base/java.lang=ALL-UNNAMED -Djava.net.preferIPv4Stack=true
[zimbra@mail ~]$ /opt/zimbra/common/bin/openssl list --providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.0.9
    status: active
  fips
    name: OpenSSL FIPS Provider
    version: 3.0.9
    status: active
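
Added example, not part of the original post: the error quoted above is logged by postfix/smtps/smtpd, so a small parser over the mail log can report, per client, which Postfix service refused the TLS handshake and the OpenSSL reason it gave. The first three sample lines are the ones from the post; the remaining lines, the function names and the regular expressions are constructed for illustration.

```python
import re
from collections import Counter

# Lines 1-3 are the log lines quoted in the post. The rest are constructed
# (documentation addresses, made-up PIDs and source line numbers).
SAMPLE_LOG = """\
Aug 2 21:25:53 mail postfix/smtps/smtpd[1906858]: connect from unknown[103.84.235.xx]
Aug 2 21:25:53 mail postfix/smtps/smtpd[1906858]: SSL_accept error from unknown[103.84.235.xx]: -1
Aug 2 21:25:53 mail postfix/smtps/smtpd[1906858]: warning: TLS library problem: error:0A000102:SSL routines::unsupported protocol:ssl/statem/statem_srvr.c:1657:
Aug 2 21:26:10 mail postfix/submission/smtpd[1906901]: connect from unknown[192.0.2.10]
Aug 2 21:26:10 mail postfix/submission/smtpd[1906901]: SSL_accept error from unknown[192.0.2.10]: -1
Aug 2 21:26:10 mail postfix/submission/smtpd[1906901]: warning: TLS library problem: error:0A0000C1:SSL routines::no shared cipher:ssl/statem/statem_srvr.c:2220:
Aug 2 21:27:02 mail postfix/smtps/smtpd[1906950]: connect from unknown[192.0.2.11]
"""

# "postfix/<service>/smtpd[<pid>]: <message>"
LINE = re.compile(r"postfix/(?P<svc>[\w-]+)/smtpd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ACCEPT_ERR = re.compile(r"SSL_accept error from \S*\[(?P<ip>[^\]]+)\]")
# OpenSSL 3 error string: error:<code>:<library>:<function>:<reason>:<file>:<line>:
TLS_PROBLEM = re.compile(r"error:[0-9A-Fa-f]+:[^:]*:[^:]*:(?P<reason>[^:]+):")

def tls_failures(log_text):
    """Return [(service, client_ip, reason)] for each failed TLS handshake."""
    pending = {}  # (service, pid) -> client IP still waiting for its reason line
    failures = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        key = (m["svc"], m["pid"])
        if (a := ACCEPT_ERR.search(m["msg"])):
            pending[key] = a["ip"]
        elif "TLS library problem" in m["msg"] and key in pending:
            p = TLS_PROBLEM.search(m["msg"])
            failures.append((m["svc"], pending.pop(key), p["reason"] if p else "unknown"))
    return failures

def summarize(failures):
    """Count failures per (service, reason) to see which listener rejects what."""
    return Counter((svc, reason) for svc, _ip, reason in failures)

if __name__ == "__main__":
    for svc, ip, reason in tls_failures(SAMPLE_LOG):
        print(f"{svc:12} {ip:16} {reason}")
```

Run against the real mail log, the per-service counts show whether the rejections come from a Postfix listener or from another component, and which client addresses are affected.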