We are excited to announce a significant update to Axigen, starting with version 10.5.12, where we are transitioning from OpenSSL 1.1.1 to OpenSSL 3. This change is crucial for enhancing the security of your Axigen deployment. In this blog post, we will explore the reasons behind this move and its impact, as well as provide guidance on how to smoothly transition to the new version.
Why OpenSSL 3
OpenSSL 1.1.1, a cornerstone of our security infrastructure, reached end-of-life on September 11, 2023, and no longer receives publicly available security fixes. To keep Axigen's TLS stack on a supported code base, we are upgrading to OpenSSL 3, the currently maintained major version, which ships with stricter defaults and will continue to receive fixes for future vulnerabilities.
Why OpenSSL 3 Is Only Available in X5 (10.5.x)
Axigen X5 uses a completely new infrastructure for handling embedded libraries and adopts Bitdefender AntiMalware and AntiSpam, replacing the outdated Cyren solution. Due to the significant differences, supporting OpenSSL 3 in the Axigen X3 and X4 versions would be very challenging, leading us to include OpenSSL 3 exclusively in Axigen X5. We strongly encourage all users to upgrade to Axigen X5 for enhanced performance and security.
Potential Impact on Your Axigen Deployment
OpenSSL 3 ships with stricter security defaults than OpenSSL 1.1.1.
The email space in which Axigen operates, on the other hand, is a diverse landscape with many legacy systems still in service.
After weighing security against compatibility, we chose to keep the hardened OpenSSL 3 defaults rather than relax them, so that Axigen benefits from the enhanced measures introduced by the new version. This decision reflects our dedication to providing a secure environment for your communication infrastructure, but it also means that some connections an existing Axigen deployment currently accepts or initiates may stop working after the upgrade. The specific changes and the services they affect are described below.
1. Default Disabling of TLS 1.0 and 1.1
Following their formal deprecation in RFC 8996, TLS 1.0 and 1.1, along with their associated cipher suites, are now disabled by default (OpenSSL 3 only allows them at security level 0). This affects both service listeners (SMTP, IMAP, WebMail, etc.) and Axigen's internal TLS clients (LDAP, Remote POP, IMAP migration, SMTP sending): a peer that cannot negotiate at least TLS 1.2 will no longer connect. You can check a peer in advance with "openssl s_client -connect host:port -tls1_2"; if that handshake fails while the same command with -tls1_1 or -tls1 succeeds, the peer has to be updated before you upgrade.
2. Default Certificate Validation
In line with OpenSSL 3's defaults, certificates presented by remote peers are now fully validated: if the certificate has expired (or is not yet valid), its subject name (Common Name or Subject Alternative Name) does not match the host name being connected to, or it does not chain to a trusted certificate authority, the connection is not established. Self-signed certificates, common on test clusters, fall into the last category unless the certificate itself is present in the trust store OpenSSL is configured with.
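The checks listed above can be reproduced with the openssl command-line tool alone. The script below is an added example, not Axigen's or OpenSSL's own code: it generates a throwaway test CA, a certificate issued by that CA and a self-signed certificate, then verifies each one the way an OpenSSL 3 client does (chain to a trusted CA, validity period, host name match), and shows the one remedy for self-signed test certificates, adding the certificate itself to the trust list. The host name mail.example.test, the scratch directory layout and the function names are the example's own assumptions; it relies on the default openssl.cnf to mark the test CA as CA:TRUE.

```shell
#!/bin/sh
# Added example (not Axigen's or OpenSSL's code): reproduce, with the openssl
# CLI alone, the certificate checks an OpenSSL 3 client applies by default.
# Everything is generated in a scratch directory; mail.example.test is a
# placeholder host name.
set -u

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a private test CA, a leaf certificate issued by it for
# mail.example.test, and a self-signed leaf for the same name (the kind of
# certificate usually found on test clusters). CA:TRUE on the CA comes from
# the v3_ca defaults in openssl.cnf, so no extension file is needed for it.
make_test_certs() {
  printf 'subjectAltName=DNS:mail.example.test\n' > "$WORK/san.cnf"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1 || return 1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=mail.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1 || return 1
  openssl x509 -req -days 30 -in "$WORK/server.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -extfile "$WORK/san.cnf" \
    -out "$WORK/server.pem" >/dev/null 2>&1 || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=mail.example.test" \
    -addext "subjectAltName=DNS:mail.example.test" \
    -keyout "$WORK/self.key" -out "$WORK/selfsigned.pem" >/dev/null 2>&1 || return 1
}

# check_peer_cert CERT HOSTNAME [CAFILE]
# Prints "ok" when CERT chains to a certificate in CAFILE (default: the test
# CA), is inside its validity period and matches HOSTNAME; otherwise prints
# "fail: <first error line>". These are exactly the conditions under which an
# OpenSSL 3 client refuses to establish the connection.
check_peer_cert() {
  cpc_cert=$1; cpc_host=$2; cpc_cafile=${3:-$WORK/ca.pem}
  if cpc_out=$(openssl verify -CAfile "$cpc_cafile" -verify_hostname "$cpc_host" \
                 "$cpc_cert" 2>&1); then
    echo ok
  else
    echo "fail: $(printf '%s\n' "$cpc_out" | grep -i error | head -n 1)"
  fi
}

# cert_valid_for CERT DAYS: prints "yes" if CERT will still be valid DAYS days
# from now, "no" if it has expired or will expire before then (catches
# certificates that would lapse between testing and the production upgrade).
cert_valid_for() {
  if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null 2>&1; then
    echo yes
  else
    echo no
  fi
}

make_test_certs || { echo "certificate generation failed (is openssl installed?)" >&2; exit 1; }

echo "CA-issued, correct name:          $(check_peer_cert "$WORK/server.pem" mail.example.test)"
echo "CA-issued, wrong name:            $(check_peer_cert "$WORK/server.pem" smtp.example.test)"
echo "self-signed, CA not trusted:      $(check_peer_cert "$WORK/selfsigned.pem" mail.example.test)"
echo "self-signed, added to trust list: $(check_peer_cert "$WORK/selfsigned.pem" mail.example.test "$WORK/selfsigned.pem")"
echo "valid for another 7 days:         $(cert_valid_for "$WORK/server.pem" 7)"
echo "valid for another 60 days:        $(cert_valid_for "$WORK/server.pem" 60)"
```

Run it as "sh check_certs.sh". The CA-issued certificate passes only when the host name matches, and the self-signed one passes only once it is itself supplied as the trust anchor. To apply the same check to a live peer without generating anything, use "openssl s_client -connect ldap.example.test:636 -verify_hostname ldap.example.test -verify_return_error" (add "-starttls smtp" for a relay on port 25, and -CAfile if the peer's CA is private); with -verify_return_error the handshake is aborted on any verification error, which is what an OpenSSL 3 client will do by default.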
3. Deprecation of Unsafe Legacy Renegotiation
OpenSSL 3 no longer permits unsafe legacy renegotiation by default: a TLS 1.2-or-earlier peer that does not implement the secure renegotiation extension of RFC 5746 is refused (TLS 1.3 removed renegotiation altogether), and OpenSSL reports the failure as "unsafe legacy renegotiation disabled". This impacts various services, including LDAP, RPOP, IMAP Migration, SMTP Sending, SMTP Receiving, POP3, POP3 Proxy, IMAP, and IMAP Proxy. Such a peer can be identified in advance with "openssl s_client -connect host:port", which prints "Secure Renegotiation IS NOT supported" in its handshake summary.
Test the New Version to Identify Tuning Needs
Before upgrading to Axigen 10.5.12 with OpenSSL 3 in a production environment, we strongly recommend testing the new version on a dedicated platform. This ensures a smooth transition and allows you to address any issues that may arise during the testing phase.
If you encounter any issues or need help fine-tuning settings, please contact our tech support team.