
OpenSSL, Postfix and Nginx TLS 1.3 Beta release

Barry de Graaff edited this page Jun 22, 2023 · 14 revisions

What's New

NOTE: Beta features are not supported and should not be installed on production systems. Beta modules have been provided for evaluation in lab environments only.

Upgraded 3rd Party OpenSSL from version 1.1.1g to 1.1.1h.

  • OpenSSL 1.1.1h with FIPS support.

Upgraded 3rd Party Postfix from version 3.1.1 to 3.5.6.

  • Postfix 3.5.6 support for TLSv1.3

Upgraded 3rd Party Nginx from version 1.7.1 to 1.19.0.

  • Nginx 1.19.0 support for TLSv1.3

Redhat

Configure the yum repository

You must add the beta repository to your RHEL/CentOS configuration:

ZCS 8.8.15

RHEL6

    root@zimbra8815:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
    [zimbra]
    name=Zimbra RPM Repository
    baseurl=https://repo.zimbra.com/rpm/8815-tls1_3-beta/rhel6
    gpgcheck=1
    enabled=1
    EOF

RHEL7

    root@zimbra8815:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
    [zimbra]
    name=Zimbra RPM Repository
    baseurl=https://repo.zimbra.com/rpm/8815-tls1_3-beta/rhel7
    gpgcheck=1
    enabled=1
    EOF

RHEL8

    root@zimbra8815:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
    [zimbra]
    name=Zimbra RPM Repository
    baseurl=https://repo.zimbra.com/rpm/8815-tls1_3-beta/rhel8
    gpgcheck=1
    enabled=1
    EOF

ZCS 9.0.0

RHEL6

    root@zimbra90:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
    [zimbra]
    name=Zimbra RPM Repository
    baseurl=https://repo.zimbra.com/rpm/90-tls1_3-beta/rhel6
    gpgcheck=1
    enabled=1
    EOF

RHEL7

    root@zimbra90:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
    [zimbra]
    name=Zimbra RPM Repository
    baseurl=https://repo.zimbra.com/rpm/90-tls1_3-beta/rhel7
    gpgcheck=1
    enabled=1
    EOF

RHEL8

    root@zimbra90:~# cat > /etc/yum.repos.d/zimbra.repo <<EOF
    [zimbra]
    name=Zimbra RPM Repository
    baseurl=https://repo.zimbra.com/rpm/90-tls1_3-beta/rhel8
    gpgcheck=1
    enabled=1
    EOF

Installing Zimbra packages with system package upgrades

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the repository:

    yum clean metadata

    yum check-update

  • Then ask yum to update available packages:

    yum update

  • Restart ZCS as zimbra user:

    su - zimbra

    zmcontrol restart

Installing Zimbra packages individually

Upgrade packages on Proxy node for FOSS and NETWORK

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the repository:

    yum clean metadata

    yum check-update

  • Then upgrade the packages:

    yum install zimbra-proxy-patch zimbra-snmp-components

  • Restart ZCS as zimbra user:

    su - zimbra

    zmcontrol restart

Upgrade packages on MTA node for FOSS and NETWORK

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the repository:

    yum clean metadata

    yum check-update

  • Then upgrade the packages:

    yum install zimbra-core-components zimbra-dnscache-components zimbra-mta-components zimbra-snmp-components

  • Restart ZCS as zimbra user:

    su - zimbra

    zmcontrol restart

Upgrade packages on Mailstore node for FOSS and NETWORK

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the repository:

    yum clean metadata

    yum check-update

  • Then upgrade the packages:

    yum install zimbra-apache-components zimbra-core-components zimbra-snmp-components zimbra-spell-components zimbra-store-components

  • Restart ZCS as zimbra user:

    su - zimbra

    zmcontrol restart

Upgrade packages on LDAP node for FOSS and NETWORK

  • As root, first clear the yum cache and check for updates so the server sees all updated packages in the repository:

    yum clean metadata

    yum check-update

  • Then upgrade the packages:

    yum install zimbra-ldap-components

  • Restart ZCS as zimbra user:

    su - zimbra

    zmcontrol restart

Ubuntu

Configure the sources list

ZCS 8.8.15

UBUNTU14

    root@zimbra8815:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
    deb [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta trusty zimbra
    deb-src [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta trusty zimbra
    EOF

UBUNTU16

    root@zimbra8815:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
    deb [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta xenial zimbra
    deb-src [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta xenial zimbra
    EOF

UBUNTU18

    root@zimbra8815:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
    deb [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta bionic zimbra
    deb-src [arch=amd64] https://repo.zimbra.com/apt/8815-tls1_3-beta bionic zimbra
    EOF

ZCS 9.0.0

UBUNTU14

    root@zimbra90:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
    deb [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta trusty zimbra
    deb-src [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta trusty zimbra
    EOF

UBUNTU16

    root@zimbra90:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
    deb [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta xenial zimbra
    deb-src [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta xenial zimbra
    EOF

UBUNTU18

    root@zimbra90:~/# cat > /etc/apt/sources.list.d/zimbra.list << EOF
    deb [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta bionic zimbra
    deb-src [arch=amd64] https://repo.zimbra.com/apt/90-tls1_3-beta bionic zimbra
    EOF

Installing Zimbra packages with system package upgrades

  • As root, check for updates so the server sees all updated packages in the repository:

    apt-get update

  • Then update available packages:

    apt-get upgrade

  • Restart ZCS as zimbra user:

    su - zimbra

    zmcontrol restart

Installing Zimbra packages individually

Upgrade packages on Proxy node for FOSS and NETWORK

  • Upgrade the packages:

    apt-get update

    apt-get install zimbra-proxy-patch zimbra-snmp-components

  • Restart ZCS as zimbra user:

    su - zimbra

    zmcontrol restart

Upgrade packages on MTA node for FOSS and NETWORK

  • Upgrade the packages:

    apt-get update

    apt-get install zimbra-core-components zimbra-dnscache-components zimbra-mta-components zimbra-snmp-components

  • Restart ZCS as zimbra user:

    su - zimbra

    zmcontrol restart

Upgrade packages on Mailstore node for FOSS and NETWORK

  • Upgrade the packages:

    apt-get update

    apt-get install zimbra-apache-components zimbra-core-components zimbra-snmp-components zimbra-spell-components zimbra-store-components

  • Restart ZCS as zimbra user:

    su - zimbra

    zmcontrol restart

Upgrade packages on LDAP node for FOSS and NETWORK

  • Upgrade the packages:

    apt-get update

    apt-get install zimbra-ldap-components

  • Restart ZCS as zimbra user:

    su - zimbra

    zmcontrol restart

ZCS 8.8.15 OpenSSL and Postfix TLS 1.3 Beta Packages for RHEL6, RHEL7, UBUNTU14, UBUNTU16, UBUNTU18

Package Name        Version

zimbra-openssl : 1.1.1h-1zimbra8.7b3

zimbra-postfix : 3.5.6-1zimbra8.7b3

zimbra-nginx : 1.19.0-1zimbra8.8b2

zimbra-mariadb : 10.1.25-1zimbra8.7b3

zimbra-heimdal : 1.5.3-1zimbra8.7b3

zimbra-curl : 7.49.1-1zimbra8.7b3

zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2

zimbra-unbound : 1.11.0-1zimbra8.7b2

zimbra-apr-util : 1.6.1-1zimbra8.7b2

zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4

zimbra-net-snmp : 5.8-1zimbra8.7b2

zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3

zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2

zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3

zimbra-openldap : 2.4.49-1zimbra8.8b4

zimbra-opendkim : 2.10.3-1zimbra8.7b4

zimbra-clamav : 0.102.2-1zimbra8.8b3

zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b2

zimbra-perl-net-http : 6.09-1zimbra8.7b3

zimbra-perl-libwww : 6.13-1zimbra8.7b3

zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b3

zimbra-perl-xml-parser : 2.44-1zimbra8.7b3

zimbra-perl-soap-lite : 1.19-1zimbra8.7b3

zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b3

zimbra-perl-xml-simple : 2.25-1zimbra8.7b3

zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3

zimbra-perl-mail-spamassassin : 3.4.4-1zimbra8.8b3

zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b3

zimbra-perl-innotop : 1.9.1-1zimbra8.7b3

zimbra-httpd : 2.4.38-1zimbra8.7b3

zimbra-perl : 1.0.5-1zimbra8.7b1

zimbra-dnscache-components : 1.0.2-1zimbra8.7b1

zimbra-apache-components : 2.0.3-1zimbra8.8b1

zimbra-spell-components : 2.0.3-1zimbra8.8b1

zimbra-snmp-components : 1.0.3-1zimbra8.7b1

zimbra-mta-components : 1.0.10-1zimbra8.8b1

zimbra-core-components : 2.0.6-1zimbra8.8b1

zimbra-proxy-components : 1.0.7-1zimbra8.8b1

zimbra-store-components : 1.0.3-1zimbra8.7b1

zimbra-ldap-components : 1.0.6-1zimbra8.8b1

zimbra-proxy-patch : 8.8.15.1611806486.p18-1

zimbra-common-core-jar : 8.8.15.1611802800-1

zimbra-mbox-store-libs : 8.8.15.1611802676-1

ZCS 9.0.0 OpenSSL and Postfix TLS 1.3 Beta Packages for RHEL6, RHEL7, UBUNTU14, UBUNTU16, UBUNTU18

Package Name        Version

zimbra-openssl : 1.1.1h-1zimbra8.7b3

zimbra-postfix : 3.5.6-1zimbra8.7b3

zimbra-nginx : 1.19.0-1zimbra8.8b2

zimbra-mariadb : 10.1.25-1zimbra8.7b3

zimbra-heimdal : 1.5.3-1zimbra8.7b3

zimbra-curl : 7.49.1-1zimbra8.7b3

zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2

zimbra-unbound : 1.11.0-1zimbra8.7b2

zimbra-apr-util : 1.6.1-1zimbra8.7b2

zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4

zimbra-net-snmp : 5.8-1zimbra8.7b2

zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3

zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2

zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3

zimbra-openldap : 2.4.49-1zimbra8.8b4

zimbra-opendkim : 2.10.3-1zimbra8.7b4

zimbra-clamav : 0.102.2-1zimbra8.8b3

zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b2

zimbra-perl-net-http : 6.09-1zimbra8.7b3

zimbra-perl-libwww : 6.13-1zimbra8.7b3

zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b3

zimbra-perl-xml-parser : 2.44-1zimbra8.7b3

zimbra-perl-soap-lite : 1.19-1zimbra8.7b3

zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b3

zimbra-perl-xml-simple : 2.25-1zimbra8.7b2

zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3

zimbra-perl-mail-spamassassin : 3.4.4-1zimbra8.8b3

zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b3

zimbra-perl-innotop : 1.9.1-1zimbra8.7b3

zimbra-httpd : 2.4.38-1zimbra8.7b3

zimbra-perl : 1.0.5-1zimbra8.7b1

zimbra-dnscache-components : 1.0.2-1zimbra8.7b1

zimbra-apache-components : 2.0.3-1zimbra8.8b1

zimbra-spell-components : 2.0.3-1zimbra8.8b1

zimbra-snmp-components : 1.0.3-1zimbra8.7b1

zimbra-mta-components : 1.0.10-1zimbra8.8b1

zimbra-core-components : 3.0.2-1zimbra8.8b1

zimbra-proxy-components : 1.0.7-1zimbra8.8b1

zimbra-store-components : 1.0.3-1zimbra8.7b1

zimbra-ldap-components : 1.0.6-1zimbra8.8b1

zimbra-proxy-patch : 9.0.0.1611806590.p11-1

zimbra-common-core-jar : 9.0.0.1611805259-1

zimbra-mbox-store-libs : 9.0.0.1611805410-1

ZCS 8.8.15 OpenSSL and Postfix TLS 1.3 Beta Packages for RHEL8

Package Name        Version

zimbra-openssl : 1.1.1h-1zimbra8.7b3

zimbra-postfix : 3.5.6-1zimbra8.7b3

zimbra-nginx : 1.19.0-1zimbra8.8b2

zimbra-mariadb : 10.1.25-1zimbra8.7b3

zimbra-heimdal : 1.5.3-1zimbra8.7b3

zimbra-curl : 7.49.1-1zimbra8.7b3

zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2

zimbra-unbound : 1.11.0-1zimbra8.7b2

zimbra-apr-util : 1.6.1-1zimbra8.7b2

zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4

zimbra-net-snmp : 5.8-1zimbra8.7b3

zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3

zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2

zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3

zimbra-openldap : 2.4.49-1zimbra8.8b4

zimbra-opendkim : 2.10.3-1zimbra8.7b4

zimbra-clamav : 0.102.2-1zimbra8.8b3

zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b3

zimbra-perl-net-http : 6.09-1zimbra8.7b4

zimbra-perl-libwww : 6.13-1zimbra8.7b4

zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b4

zimbra-perl-xml-parser : 2.44-1zimbra8.7b4

zimbra-perl-soap-lite : 1.19-1zimbra8.7b4

zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b4

zimbra-perl-xml-simple : 2.25-1zimbra8.7b3

zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3

zimbra-perl-mail-spamassassin : 3.4.4-1zimbra8.8b4

zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b4

zimbra-perl-innotop : 1.9.1-1zimbra8.7b4

zimbra-httpd : 2.4.38-1zimbra8.7b3

zimbra-php : 7.3.1-1zimbra8.7b6

zimbra-perl : 1.0.6-1zimbra8.7b1

zimbra-dnscache-components : 1.0.2-1zimbra8.7b1

zimbra-apache-components : 2.0.3-1zimbra8.8b1

zimbra-spell-components : 2.0.3-1zimbra8.8b1

zimbra-snmp-components : 1.0.3-1zimbra8.7b1

zimbra-mta-components : 1.0.10-1zimbra8.8b1

zimbra-core-components : 2.0.6-1zimbra8.8b1

zimbra-proxy-components : 1.0.7-1zimbra8.8b1

zimbra-store-components : 1.0.3-1zimbra8.7b1

zimbra-ldap-components : 1.0.6-1zimbra8.8b1

zimbra-proxy-patch : 8.8.15.1611806486.p18-1

zimbra-common-core-jar : 8.8.15.1611802800-1

zimbra-mbox-store-libs : 8.8.15.1611802676-1

ZCS 9.0.0 OpenSSL and Postfix TLS 1.3 Beta Packages for RHEL8

Package Name        Version

zimbra-openssl : 1.1.1h-1zimbra8.7b3

zimbra-postfix : 3.5.6-1zimbra8.7b3

zimbra-nginx : 1.19.0-1zimbra8.8b2

zimbra-mariadb : 10.1.25-1zimbra8.7b3

zimbra-heimdal : 1.5.3-1zimbra8.7b3

zimbra-curl : 7.49.1-1zimbra8.7b3

zimbra-perl-net-ssleay : 1.88-1zimbra8.7b2

zimbra-unbound : 1.11.0-1zimbra8.7b2

zimbra-apr-util : 1.6.1-1zimbra8.7b2

zimbra-perl-dbd-mysql : 4.050-1zimbra8.7b4

zimbra-net-snmp : 5.8-1zimbra8.7b3

zimbra-perl-crypt-openssl-random : 0.11-1zimbra8.7b3

zimbra-perl-crypt-openssl-rsa : 0.31-1zimbra8.7b2

zimbra-cyrus-sasl : 2.1.26-1zimbra8.7b3

zimbra-openldap : 2.4.49-1zimbra8.8b4

zimbra-opendkim : 2.10.3-1zimbra8.7b4

zimbra-clamav : 0.102.2-1zimbra8.8b3

zimbra-perl-io-socket-ssl : 2.068-1zimbra8.7b3

zimbra-perl-net-http : 6.09-1zimbra8.7b4

zimbra-perl-libwww : 6.13-1zimbra8.7b4

zimbra-perl-lwp-protocol-https : 6.06-1zimbra8.7b4

zimbra-perl-xml-parser : 2.44-1zimbra8.7b4

zimbra-perl-soap-lite : 1.19-1zimbra8.7b4

zimbra-perl-xml-sax-expat : 0.51-1zimbra8.7b4

zimbra-perl-xml-simple : 2.25-1zimbra8.7b3

zimbra-perl-mail-dkim : 0.40-1zimbra8.7b3

zimbra-perl-mail-spamassassin : 3.4.4-1zimbra8.8b4

zimbra-spamassassin-rules : 1.0.0-1zimbra8.8b4

zimbra-perl-innotop : 1.9.1-1zimbra8.7b4

zimbra-httpd : 2.4.38-1zimbra8.7b3

zimbra-php : 7.3.1-1zimbra8.7b6

zimbra-perl : 1.0.6-1zimbra8.7b1

zimbra-dnscache-components : 1.0.2-1zimbra8.7b1

zimbra-apache-components : 2.0.3-1zimbra8.8b1

zimbra-spell-components : 2.0.3-1zimbra8.8b1

zimbra-snmp-components : 1.0.3-1zimbra8.7b1

zimbra-mta-components : 1.0.10-1zimbra8.8b1

zimbra-core-components : 3.0.2-1zimbra8.8b1

zimbra-proxy-components : 1.0.7-1zimbra8.8b1

zimbra-store-components : 1.0.3-1zimbra8.7b1

zimbra-ldap-components : 1.0.6-1zimbra8.8b1

zimbra-proxy-patch : 9.0.0.1611806590.p11-1

zimbra-common-core-jar : 9.0.0.1611805259-1

zimbra-mbox-store-libs : 9.0.0.1611805410-1

Enable FIPS Mode in RHEL6

  1. Confirm that the current openssl version supports fips:

    $ /opt/zimbra/common/bin/openssl version

    OpenSSL 1.1.1h FIPS 22 Sep 2020

  2. Check the output of the following command. It shows whether the kernel is already configured for FIPS; it prints 0 if FIPS is NOT enabled.

    $ cat /proc/sys/crypto/fips_enabled

    0

  3. Save the output of ‘blkid’ and ‘df -h’ in case it is needed for troubleshooting later:

    $ blkid > /var/tmp/blkid_bkp_$(date '+%Y_%m_%d')

    $ df -h > /var/tmp/df_bkp_$(date '+%Y_%m_%d')

  4. In /etc/sysconfig/prelink, make sure prelinking is disabled by setting PRELINKING=no. Then run prelink to undo any existing prelinking, restoring binaries and libraries to their original content:

    prelink -u -a

  5. Install the dracut-fips package:

    yum install dracut-fips

  6. Take a backup of the current initramfs.

    $ cp -p /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).backup

    Ensure the backup of the initramfs has been created.

  7. Recreate the initramfs file:

    $ dracut -f

  8. Edit /etc/grub.conf and append fips=1 boot=/dev/sda1 to the kernel line. Here /dev/sda1 is the boot partition.

  9. Reboot your system.

    $ shutdown -r now

  10. Finally, check again whether FIPS is now enabled. It prints 1 if it is enabled.

    $ cat /proc/sys/crypto/fips_enabled

    1

  11. Try creating an MD5 hash, which isn’t allowed under FIPS, and you should be greeted with an error message. That tells you that FIPS is working:

    $ /opt/zimbra/common/bin/openssl md5 /dev/null

    Error setting digest

    139634625394496:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:

Enable FIPS Mode in RHEL7

  1. Confirm that the current openssl version supports fips:

    $ /opt/zimbra/common/bin/openssl version

    OpenSSL 1.1.1h FIPS 22 Sep 2020

  2. Check the output of the following command. It shows whether the kernel is already configured for FIPS; it prints 0 if FIPS is NOT enabled.

    $ cat /proc/sys/crypto/fips_enabled

    0

  3. Save the output of ‘blkid’ and ‘df -h’ in case it is needed for troubleshooting later:

    $ blkid > /var/tmp/blkid_bkp_$(date '+%Y_%m_%d')

    $ df -h > /var/tmp/df_bkp_$(date '+%Y_%m_%d')

  4. In /etc/sysconfig/prelink, make sure prelinking is disabled by setting PRELINKING=no. Then run prelink to undo any existing prelinking, restoring binaries and libraries to their original content:

    prelink -u -a

  5. Install the dracut-fips package:

    yum install dracut-fips

  6. Take a backup of the current initramfs.

    $ cp -p /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r).backup

    Ensure the backup of the initramfs has been created.

  7. Recreate the initramfs file:

    $ dracut -f

  8. Modify the kernel command line in /etc/default/grub: on the GRUB_CMDLINE_LINUX line, add fips=1 boot=/dev/sda1 at the end of the line. Here /dev/sda1 is the boot partition.

    $ grep GRUB_CMDLINE_LINUX= /etc/default/grub

    GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos/root rd.lvm.lv=centos/swap rhgb quiet net.ifnames=0 biosdevname=0 fips=1 boot=/dev/sda1"

  9. Rebuild the grub.cfg file as follows:

    $ grub2-mkconfig -o /boot/grub2/grub.cfg

  10. Reboot your system.

    $ shutdown -r now

  11. Finally, check again whether FIPS is now enabled. It prints 1 if it is enabled.

    $ cat /proc/sys/crypto/fips_enabled

    1

  12. Try creating an MD5 hash, which isn’t allowed under FIPS, and you should be greeted with an error message. That tells you that FIPS is working:

    $ /opt/zimbra/common/bin/openssl md5 /dev/null

    Error setting digest

    139634625394496:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:

Enable FIPS Mode in RHEL8

  1. Confirm that the current openssl version supports fips:

    $ /opt/zimbra/common/bin/openssl version

    OpenSSL 1.1.1h FIPS 22 Sep 2020

  2. A command-line tool called fips-mode-setup changes the system to FIPS mode. First, check whether FIPS mode is already enabled:

    $ sudo fips-mode-setup --check

    Installation of FIPS modules is not completed.

    FIPS mode is disabled.

  3. You will see a message informing you that FIPS mode is not yet enabled. Next, pass the --enable flag to the fips-mode-setup command to turn on FIPS mode:

    $ sudo fips-mode-setup --enable

    Kernel initramdisks are being regenerated. This might take some time.

    Setting system policy to FIPS

    Note: System-wide crypto policies are applied on application start-up.

    It is recommended to restart the system for the change of policies to fully take place.

    FIPS mode will be enabled.

    Please reboot the system for the settings to take effect.

  4. You will see a message that says that FIPS mode will be enabled, but that it requires a reboot. After rebooting, check the status again and you should see that FIPS mode is now enabled:

    $ sudo fips-mode-setup --check

    FIPS mode is enabled.

  5. Try creating an MD5 hash, which isn’t allowed under FIPS, and you should be greeted with an error message. That tells you that FIPS is working:

    $ /opt/zimbra/common/bin/openssl md5 /dev/null

    Error setting digest

    139634625394496:error:060800C8:digital envelope routines:EVP_DigestInit_ex:disabled for FIPS:crypto/evp/digest.c:135:

Set the following configuration after FIPS is enabled

  1. Switch the Postfix LMTP fingerprint digest to SHA-256 (Postfix defaults to MD5 for this digest, which FIPS mode disables):

    $ postconf -e "lmtp_tls_fingerprint_digest = sha256"

  2. Restart ZCS as the zimbra user:

    $ zmcontrol restart

How to configure TLS 1.3

  1. Add TLSv1.3 to the existing zimbraReverseProxySSLProtocols value:

    $ zmprov gcf zimbraReverseProxySSLProtocols
    zimbraReverseProxySSLProtocols: TLSv1 TLSv1.1 TLSv1.2

    $ zmprov mcf zimbraReverseProxySSLProtocols 'TLSv1 TLSv1.1 TLSv1.2 TLSv1.3'

  2. Add the TLSv1.3 cipher suite TLS_AES_256_GCM_SHA384 to the existing zimbraReverseProxySSLCiphers value, then restart the proxy:

    $ zmprov gcf zimbraReverseProxySSLCiphers
    zimbraReverseProxySSLCiphers: ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4

    $ zmprov mcf zimbraReverseProxySSLCiphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128:AES256:TLS_AES_256_GCM_SHA384:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4'

    $ zmproxyctl restart
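As an added example (not part of the Zimbra wiki), the POSIX shell script below derives the two zmprov changes above from the live attribute values, so it inserts TLSv1.3 and TLS_AES_256_GCM_SHA384 in the same positions as the manual edit and is safe to re-run, and then reports what the proxy actually negotiates after the restart. The function names are mine, and it assumes the Zimbra-bundled openssl at /opt/zimbra/common/bin/openssl.

```shell
#!/bin/sh
# Added example, not from the Zimbra wiki: derive the TLS 1.3 zmprov changes
# from the current values (idempotent) and verify the negotiated protocol.
# Assumption: the Zimbra-bundled openssl lives at /opt/zimbra/common/bin/openssl.

TLS13_CIPHER="TLS_AES_256_GCM_SHA384"
ZOPENSSL="/opt/zimbra/common/bin/openssl"

# add_tls13_protocol CURRENT
# Echo the space-separated protocol list with TLSv1.3 appended; unchanged if
# TLSv1.3 is already listed, so running the step twice does not duplicate it.
add_tls13_protocol() {
    case " $1 " in
        *" TLSv1.3 "*) printf '%s\n' "$1" ;;
        *)             printf '%s TLSv1.3\n' "$1" ;;
    esac
}

# insert_tls13_cipher CURRENT
# Echo the colon-separated cipher string with TLS_AES_256_GCM_SHA384 placed
# directly before the HIGH alias (the wiki's placement). If there is no HIGH
# alias the suite is appended; if it is already present nothing changes.
insert_tls13_cipher() {
    printf '%s\n' "$1" | awk -F: -v OFS=: -v c="$TLS13_CIPHER" '{
        for (i = 1; i <= NF; i++) if ($i == c)      { print; exit }
        for (i = 1; i <= NF; i++) if ($i == "HIGH") { $i = c ":HIGH"; print; exit }
        print $0 ":" c
    }'
}

# print_tls13_commands
# Run as root: read the current values as the zimbra user and print the exact
# zmprov and zmproxyctl commands, so they can be reviewed before being applied.
print_tls13_commands() {
    protos=$(su - zimbra -c 'zmprov gcf zimbraReverseProxySSLProtocols' | sed 's/^[^:]*: //')
    ciphers=$(su - zimbra -c 'zmprov gcf zimbraReverseProxySSLCiphers' | sed 's/^[^:]*: //')
    printf "zmprov mcf zimbraReverseProxySSLProtocols '%s'\n" "$(add_tls13_protocol "$protos")"
    printf "zmprov mcf zimbraReverseProxySSLCiphers '%s'\n" "$(insert_tls13_cipher "$ciphers")"
    printf 'zmproxyctl restart\n'
}

# negotiated_tls HOST [PORT]
# After the restart, print "PROTOCOL CIPHER" as negotiated with the proxy,
# e.g. "TLSv1.3 TLS_AES_256_GCM_SHA384". Only the first SSL-Session block is
# used (OpenSSL 1.1.1 prints one per TLS 1.3 session ticket). Empty output
# means the handshake failed.
negotiated_tls() {
    "$ZOPENSSL" s_client -connect "$1:${2:-443}" -servername "$1" </dev/null 2>/dev/null |
        awk '/^ *Protocol *:/ && !p { p = $NF } /^ *Cipher *:/ && !c { c = $NF }
             END { if (p) print p, c }'
}
```

Run print_tls13_commands on the proxy node, apply the printed commands, then run negotiated_tls against the proxy's hostname to confirm TLSv1.3 is negotiated.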
