
From SME Server
Wiki revision of 15:54, 28 April 2020 (3,710 bytes added)
SSL TLS and Cipher Settings
=SSL Settings=

Further to some recent discussions on PCI-DSS compliance, this is a guide to updating the TLS protocol and cipher settings in SME Server.

SSLv2, SSLv3 and TLSv1.0 should no longer be used (PCI DSS required TLSv1.0 to be retired by 30 June 2018).

SME Server can offer TLSv1.1 and TLSv1.2, but because of the OpenSSL version it ships it cannot provide TLSv1.3.

==SSL/TLS==

Disabling TLSv1.0 per service. Each service has its own TLSv1 db property, and the templates treat a missing property as enabled, so it must be set to disabled explicitly for every service you expose.

===HTTPS===

Remove TLSv1.0 on port 443 (Apache, httpd-e-smith):

config setprop httpd-e-smith TLSv1 disabled
expand-template /etc/httpd/conf/httpd.conf
/etc/init.d/httpd-e-smith restart

===IMAPS===

Remove TLSv1.0 on port 993, IMAPS (dovecot):

config setprop dovecot TLSv1 disabled
signal-event email-update

===SMTPS===

Remove TLSv1.0 on port 465, SMTPS (qpsmtpd):

config setprop qpsmtpd TLSv1 disabled
signal-event email-update

===POP3S===

POP3S is really an stunnel wrapper in front of the plain POP3 service, so the setting lives on the pop3s (stunnel) configuration rather than on the POP3 daemon.

Remove TLSv1.0 on port 995:

config setprop pop3s TLSv1 disabled
signal-event email-update

==Ciphers==

First we should add a custom template fragment for pop3s, because the stock stunnel template has no ciphers line and so does not honour a CipherSuite setting:

mkdir -p /etc/e-smith/templates-custom/var/service/pop3s/stunnel.conf/
cp /etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl /etc/e-smith/templates-custom/var/service/pop3s/stunnel.conf/
nano /etc/e-smith/templates-custom/var/service/pop3s/stunnel.conf/10ssl

Add these lines directly after the existing line
$OUT .= "options = NO_TLSv1\n" unless ($pop3s{TLSv1} || 'enabled') eq 'enabled';

# Disable weak ciphers
$OUT .= "ciphers = " . ($pop3s{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";

Save.

Now we can set a cipher suite overall, or per service. The value is an OpenSSL cipher string; the one used here keeps the HIGH suites and drops anonymous (ADH/aNULL), MD5 and RC4 suites.

Overall (there is no separate setting for HTTPS; Apache reads only modSSL):
config setprop modSSL CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'

With modSSL set as the default, the following per-service properties override it (note that qpsmtpd uses the property name tlsCipher, not CipherSuite):

config setprop dovecot CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop ldap CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop qpsmtpd tlsCipher 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop pop3s CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'

Expand all templates and restart (this reboots the server):

signal-event post-upgrade;signal-event reboot

==Other settings==

===Existing keys===

For reference, here are the existing cipher settings in /etc/e-smith/templates, shown as path:line:content; each falls back to modSSL{CipherSuite} and then to the built-in default:

etc/dovecot/dovecot.conf/35ssl:12:$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";
etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite:4: $OUT .= $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
etc/openldap/slapd.conf/12tls:2:TLSCipherSuite { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' }
var/service/qpsmtpd/config/tls_ciphers/10ciphers:3: return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';

===Preferred Ciphers===

When testing at ssllabs.com, these are the only cipher suites it rates as strong on a default SME Server (all AES-GCM with ephemeral (EC)DHE key exchange, so they provide forward secrecy). At the moment there is no ready-made setting that restricts the server to just these, but the CipherSuite/tlsCipher properties above take any OpenSSL cipher string, so an explicit list of these four can be set if you want to:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
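As an added example (my own POSIX shell, not code from the SME Server wiki or project), the following script audits the suites an OpenSSL cipher string actually enables, so a value such as HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 can be checked against the exclusions it is meant to enforce and against the forward-secrecy requirement behind the four suites SSL Labs rated strong. The function names, STRONG_ONLY and the sample table are assumptions of this example; the sample is constructed in the format of openssl ciphers -v output and was not captured from a server.

```shell
#!/bin/sh
# Added example for this page (not SME Server code): audit the cipher suites an
# OpenSSL cipher string enables and flag anything that would be rated weak.

# audit_cipher_table reads `openssl ciphers -v` output on stdin, one suite per
# line, e.g.
#   ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
# and prints "ok NAME" or "weak NAME (reasons)" per suite.
# Exit status is 1 if any suite was flagged, 0 otherwise.
audit_cipher_table() {
    weak=0
    while read -r name proto kx au enc mac rest; do
        [ -z "$name" ] && continue
        reason=""
        case "$au" in
            Au=None) reason="anonymous key exchange" ;;     # ADH/AECDH: no server authentication
        esac
        case "$enc" in
            *RC4*|*DES*|*None*|*RC2*|*IDEA*|*SEED*)
                reason="${reason:+$reason, }weak cipher ${enc#Enc=}" ;;
        esac
        case "$mac" in
            Mac=MD5) reason="${reason:+$reason, }MD5 MAC" ;;
        esac
        case "$kx" in
            Kx=DH|Kx=ECDH|Kx=any) ;;                         # ephemeral (EC)DHE or TLS 1.3: forward secrecy
            *) reason="${reason:+$reason, }no forward secrecy (${kx#Kx=})" ;;
        esac
        if [ -n "$reason" ]; then
            printf 'weak %s (%s)\n' "$name" "$reason"
            weak=1
        else
            printf 'ok %s\n' "$name"
        fi
    done
    return $weak
}

# audit_cipher_string expands a cipher string with the local openssl and audits
# the result. Run it on the same OpenSSL version the server uses, because the
# expansion of HIGH differs between releases.
audit_cipher_string() {
    openssl ciphers -v "$1" | audit_cipher_table
}

# STRONG_ONLY is a cipher string limited to the four suites listed above, in
# OpenSSL naming (0xc030, 0xc02f, 0x9f, 0x9e).
STRONG_ONLY='ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256'

# SAMPLE_TABLE is a constructed sample in `openssl ciphers -v` format (not real
# server output) so the audit logic can be exercised without openssl installed.
SAMPLE_TABLE='ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(256) Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES256-SHA SSLv3 Kx=RSA Au=RSA Enc=AES(256) Mac=SHA1
RC4-MD5 SSLv3 Kx=RSA Au=RSA Enc=RC4(128) Mac=MD5
ADH-AES128-SHA SSLv3 Kx=DH Au=None Enc=AES(128) Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA SSLv3 Kx=ECDH Au=RSA Enc=3DES(168) Mac=SHA1'

# count_weak prints how many suites in SAMPLE_TABLE are flagged (expected: 4).
count_weak() {
    printf '%s\n' "$SAMPLE_TABLE" | audit_cipher_table | grep -c '^weak '
}

# Usage against a real cipher string (needs openssl on the PATH):
#   audit_cipher_string 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
#   audit_cipher_string "$STRONG_ONLY"
```

Running audit_cipher_string on the page's default string shows that on OpenSSL 1.0.x HIGH still includes plain-RSA key exchange and 3DES suites; the audit flags those as lacking forward secrecy or using a weak cipher, which is exactly the gap the four-suite list closes.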

===Testing===

Online (HTTPS on port 443 only): https://www.ssllabs.com

Test with nmap (it enumerates the protocol versions and cipher suites a port offers, and handles STARTTLS on the standard mail ports):
nmap -p <port> --script ssl-enum-ciphers yourserver.com

e.g.
nmap -p 995 --script ssl-enum-ciphers yourserver.com

Test with openssl, forcing one protocol version per run:
openssl s_client -connect yourserver.com:<port> -tls1

e.g. confirm TLSv1.0 is now refused on port 465:
openssl s_client -connect yourserver.com:465 -tls1

Confirm access to TLSv1.1 and TLSv1.2:
openssl s_client -connect yourserver.com:465 -tls1_1
openssl s_client -connect yourserver.com:465 -tls1_2

For the STARTTLS ports (25/587, 143, 110) add -starttls smtp, -starttls imap or -starttls pop3; without it s_client sends a TLS ClientHello to a plaintext listener and the test fails regardless of the server's settings.

Note: if your server supports the protocol, you will get:
Protocol : TLSvX
Cipher : XXX

(You may need to press Ctrl-C to close the connection.)

If not, the handshake fails: openssl prints a handshake failure or alert, the Cipher line reads 0000 and you will see:
Secure Renegotiation IS NOT supported
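As an added example (my own POSIX shell, not code from the SME Server wiki or project), the script below automates the openssl check above: it runs s_client once per protocol version and reads the verdict from the SSL-Session block instead of eyeballing the output, using the Cipher field rather than the renegotiation line, since a refused handshake still prints a Protocol line for the version that was requested. The function names and the two sample outputs are assumptions of this example; the samples are constructed, trimmed to the SSL-Session block, and were not captured from a real server.

```shell
#!/bin/sh
# Added example for this page (not SME Server code): probe a port for each TLS
# version with openssl s_client and classify the result.

# classify_sclient_output reads `openssl s_client` output on stdin and prints
# "accepted PROTO CIPHER" or "rejected PROTO". A failed handshake still prints
# an SSL-Session block, but with "Cipher : 0000" (OpenSSL 1.0.x) or "(NONE)"
# (later releases), so the cipher field is the reliable signal.
# Exit status 0 when the handshake succeeded, 1 otherwise.
classify_sclient_output() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *//p' | head -n 1)
    cipher=$(printf '%s\n' "$out" | sed -n 's/^ *Cipher *: *//p' | head -n 1)
    case "$cipher" in
        ''|0000|'(NONE)')
            printf 'rejected %s\n' "${proto:-unknown}"
            return 1 ;;
        *)
            printf 'accepted %s %s\n' "$proto" "$cipher"
            return 0 ;;
    esac
}

# probe_port HOST PORT [STARTTLS]
# Tries TLSv1.0, 1.1 and 1.2 in turn and prints one verdict line per version.
# Pass smtp, imap or pop3 as STARTTLS for ports 25/587, 143 and 110; leave it
# empty for the implicit-TLS ports 443, 465, 993 and 995 configured above.
# Caveat: a client whose openssl was built without TLSv1.0 support also reports
# "rejected" for -tls1; check `openssl s_client -help` lists the flag first.
probe_port() {
    host=$1; port=$2; starttls=$3
    for flag in -tls1 -tls1_1 -tls1_2; do
        set -- -connect "$host:$port" "$flag"
        [ -n "$starttls" ] && set -- "$@" -starttls "$starttls"
        openssl s_client "$@" </dev/null 2>/dev/null | classify_sclient_output || true
    done
}

# Constructed sample s_client output (not captured from a real server), so the
# classifier can be exercised without network access.
SAMPLE_ACCEPTED='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Secure Renegotiation IS supported'
SAMPLE_REJECTED='SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000
    Secure Renegotiation IS NOT supported'

# selftest_classify prints the verdict for each sample, one per line.
selftest_classify() {
    printf '%s\n' "$SAMPLE_ACCEPTED" | classify_sclient_output || true
    printf '%s\n' "$SAMPLE_REJECTED" | classify_sclient_output || true
}

# Usage:
#   probe_port mail.example.com 465          # SMTPS, implicit TLS
#   probe_port mail.example.com 25 smtp      # STARTTLS on the plain SMTP port
```

After the changes on this page, probe_port on 443, 465, 993 and 995 should print "rejected TLSv1" followed by "accepted TLSv1.1 ..." and "accepted TLSv1.2 ..."; an "accepted TLSv1" line means the TLSv1 property for that service was not set or its template was not re-expanded.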


[[category:developer]]
[[category:advanced]]
