Line 73: |
Line 73: |
| signal-event post-upgrade;signal-event reboot | | signal-event post-upgrade;signal-event reboot |
| | | |
− | ==Other settings== | + | ==Other informations== |
| | | |
− | ===Existing keys=== | + | ===Existing templates=== |
| | | |
| For reference here are the existing keys in /etc/e-smith/templates | | For reference here are the existing keys in /etc/e-smith/templates |
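Review bot: The renamed heading "===Existing templates===" no longer matches the unchanged sentence directly under it, which still reads "For reference here are the existing keys in /etc/e-smith/templates". Change that sentence to say "templates" in the same edit so the heading and the text agree. The other new heading, "==Other informations==", should read "Other information", since the noun takes no plural.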
Line 83: |
Line 83: |
| /etc/e-smith/templates/etc/openldap/slapd.conf/12tls:2:TLSCipherSuite { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' } | | /etc/e-smith/templates/etc/openldap/slapd.conf/12tls:2:TLSCipherSuite { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' } |
| /etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers:3: return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'; | | /etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers:3: return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'; |
| + | those are fthe te,plate for protocols |
| + | |
| + | /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol |
| + | |
| + | /etc/e-smith/templates/etc/openldap/slapd.conf/12tls |
| + | |
| + | /etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl |
| + | |
| + | /etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols |
| + | |
| + | /etc/e-smith/templates/etc/proftpd.conf/06ModTLS |
| + | |
| + | === Existing keys and properties === |
| + | {| class="wikitable" |
| + | |+ |
| + | !Key |
| + | !Property |
| + | !default SME9 |
| + | !default SME10 |
| + | !template |
| + | !informations |
| + | |- |
| + | |modSSL |
| + | |CipherSuite |
| + | |HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 |
| + | |ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 |
| + | |/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite |
| + | |for httpd |
| + | |- |
| + | |dovecot |
| + | |CipherSuite |
| + | |HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 |
| + | |ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 |
| + | |/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl |
| + | |default to modSSL(CipherSuite) if exists |
| + | |- |
| + | |ldap |
| + | |CipherSuite |
| + | |HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 |
| + | |ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 |
| + | |/etc/e-smith/templates/etc/openldap/slapd.conf/12tls |
| + | |default to modSSL(CipherSuite) if exists |
| + | |- |
| + | |qpsmtpd |
| + | |CipherSuite |
| + | |HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 |
| + | |ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 |
| + | |/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers |
| + | |default to modSSL(CipherSuite) if exists |
| + | |- |
| + | |pop3s |
| + | |CipherSuite |
| + | |'''none''' |
| + | |'''moved to dovecot''' |
| + | | |
| + | |'''needs template custom see above''' |
| + | |- |
| + | |httpd-e-smith |
| + | |SSLv2 |
| + | |disabled |
| + | |disabled |
| + | | rowspan="5" |/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol |
| + | | |
| + | |- |
| + | |httpd-e-smith |
| + | |SSLv3 |
| + | |disabled |
| + | |disabled |
| + | | |
| + | |- |
| + | |httpd-e-smith |
| + | |TLSv1 |
| + | |disabled |
| + | |disabled |
| + | | |
| + | |- |
| + | |httpd-e-smith |
| + | |TLSv1.1 |
| + | |disabled |
| + | |disabled |
| + | | |
| + | |- |
| + | |httpd-e-smith |
| + | |TLSv1.2 |
| + | |'''none''' |
| + | |enabled |
| + | | |
| + | |- |
| + | |dovecot |
| + | |SSLv2 |
| + | |disabled |
| + | |disabled |
| + | | rowspan="5" |/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl |
| + | | |
| + | |- |
| + | |dovecot |
| + | |SSLv3 |
| + | |disabled |
| + | |disabled |
| + | | |
| + | |- |
| + | |dovecot |
| + | |TLSv1 |
| + | |enabled |
| + | |disabled |
| + | | |
| + | |- |
| + | |dovecot |
| + | |TLSv1.1 |
| + | |enabled |
| + | |disabled |
| + | | |
| + | |- |
| + | |dovecot |
| + | |TLSv1.2 |
| + | |'''none''' |
| + | |enabled |
| + | | |
| + | |- |
| + | |pop3s |
| + | |SSLv2 |
| + | |disabled |
| + | |'''moved to dovecot''' |
| + | | rowspan="4" |/etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl |
| + | | |
| + | |- |
| + | |pop3s |
| + | |SSLv3 |
| + | |disabled |
| + | |'''moved to dovecot''' |
| + | | |
| + | |- |
| + | |pop3s |
| + | |TLSv1 |
| + | |enabled |
| + | |'''moved to dovecot''' |
| + | | |
| + | |- |
| + | |pop3s |
| + | |TLSv1.1 |
| + | |'''none''' |
| + | |'''moved to dovecot''' |
| + | |'''needs template custom''' for SME9 |
| + | |- |
| + | |qpsmtpd |
| + | |SSLv2 |
| + | |disabled |
| + | |disabled |
| + | | |
| + | | |
| + | |- |
| + | |qpsmtpd |
| + | |SSLv3 |
| + | |disabled |
| + | |disabled |
| + | |/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols |
| + | | |
| + | |- |
| + | |qpsmtpd |
| + | |TLSv1 |
| + | |enabled |
| + | |disabled |
| + | | |
| + | | |
| + | |- |
| + | |qpsmtpd |
| + | |TLSv1.1 |
| + | |'''none''' |
| + | |enabled |
| + | | |
| + | |more permissive to allow oportunistic encrypted email transfer between smtp |
| + | |- |
| + | |qpsmtpd |
| + | |TLSv1.2 |
| + | |'''none''' |
| + | |enabled |
| + | | |
| + | | |
| + | |- |
| + | |ftp |
| + | |none |
| + | |none (no TLS on SME9) |
| + | |none |
| + | |/etc/e-smith/templates/etc/proftpd.conf/06ModTLS |
| + | |TLSProtocol TLSv1.1 TLSv1.2 |
| + | |- |
| + | |ldap |
| + | |SSLv3 |
| + | |disabled |
| + | | |
| + | | |
| + | |TLSProtocolMin '3.0'(enabled) or '3.1'(disabled) |
| + | |} |
| | | |
| ===Preferred Ciphers=== | | ===Preferred Ciphers=== |
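Review bot: The qpsmtpd cipher row of the new "Existing keys and properties" table gives the property as CipherSuite, but the template line quoted just above the addition reads "return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || ...". As quoted, that template consults tlsCipher on the qpsmtpd key, so the row should name tlsCipher or state which release uses which property name. Smaller points in the same hunk: the lead-in "those are fthe te,plate for protocols" should read "These are the templates for protocols"; "oportunistic" should be "opportunistic" and the column header "informations" should be "information"; the qpsmtpd protocol rows carry the template path only on the SSLv3 row, where the httpd-e-smith and dovecot groups use rowspan="5"; and the final ldap SSLv3 row leaves the SME10 default and the template cell empty even though slapd.conf/12tls is listed above as the protocol template.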
Line 127: |
Line 320: |
| If your server does not support the protocol, you will get | | If your server does not support the protocol, you will get |
| Secure Renegotiation IS NOT supported | | Secure Renegotiation IS NOT supported |
| + | |
| + | [[category:developer]] |
| | | |
− | [[category:developer]]
| + | |
− |
| + | [[category:advanced]] |
− |
| |
− | [[category:advanced]]
| |