Changes

From SME Server
3,338 bytes added ,  03:45, 3 May 2020
Line 73: Line 73:  
  signal-event post-upgrade;signal-event reboot
 
  signal-event post-upgrade;signal-event reboot
   −
==Other settings==
+
==Other informations==
   −
===Existing keys===
+
===Existing templates===
    
For reference here are the existing keys in /etc/e-smith/templates
 
For reference here are the existing keys in /etc/e-smith/templates
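Review bot: The renamed heading "===Existing templates===" no longer matches the unchanged sentence directly under it, which still reads "For reference here are the existing keys in /etc/e-smith/templates"; reword that sentence to say "templates" so the heading and its text agree. The other new heading, "Other informations", should be "Other information", since the noun has no plural in English.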
Line 83: Line 83:  
  /etc/e-smith/templates/etc/openldap/slapd.conf/12tls:2:TLSCipherSuite        { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' }
 
  /etc/e-smith/templates/etc/openldap/slapd.conf/12tls:2:TLSCipherSuite        { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' }
 
  /etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers:3:    return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
 
  /etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers:3:    return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
 +
those are fthe te,plate for protocols
 +
 +
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
 +
 +
/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
 +
 +
/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
 +
 +
/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
 +
 +
/etc/e-smith/templates/etc/proftpd.conf/06ModTLS
 +
 +
=== Existing keys and properties ===
 +
{| class="wikitable"
 +
|+
 +
!Key
 +
!Property
 +
!default SME9
 +
!default SME10
 +
!template
 +
!informations
 +
|-
 +
|modSSL
 +
|CipherSuite
 +
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
 +
|for httpd
 +
|-
 +
|dovecot
 +
|CipherSuite
 +
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
 +
|default to modSSL(CipherSuite) if exists
 +
|-
 +
|ldap
 +
|CipherSuite
 +
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
 +
|default to modSSL(CipherSuite) if exists
 +
|-
 +
|qpsmtpd
 +
|CipherSuite
 +
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers
 +
|default to modSSL(CipherSuite) if exists
 +
|-
 +
|pop3s
 +
|CipherSuite
 +
|'''none'''
 +
|'''moved to dovecot'''
 +
|
 +
|'''needs template custom see above'''
 +
|-
 +
|httpd-e-smith
 +
|SSLv2
 +
|disabled
 +
|disabled
 +
| rowspan="5" |/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
 +
|
 +
|-
 +
|httpd-e-smith
 +
|SSLv3
 +
|disabled
 +
|disabled
 +
|
 +
|-
 +
|httpd-e-smith
 +
|TLSv1
 +
|disabled
 +
|disabled
 +
|
 +
|-
 +
|httpd-e-smith
 +
|TLSv1.1
 +
|disabled
 +
|disabled
 +
|
 +
|-
 +
|httpd-e-smith
 +
|TLSv1.2
 +
|'''none'''
 +
|enabled
 +
|
 +
|-
 +
|dovecot
 +
|SSLv2
 +
|disabled
 +
|disabled
 +
| rowspan="5" |/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
 +
|
 +
|-
 +
|dovecot
 +
|SSLv3
 +
|disabled
 +
|disabled
 +
|
 +
|-
 +
|dovecot
 +
|TLSv1
 +
|enabled
 +
|disabled
 +
|
 +
|-
 +
|dovecot
 +
|TLSv1.1
 +
|enabled
 +
|disabled
 +
|
 +
|-
 +
|dovecot
 +
|TLSv1.2
 +
|'''none'''
 +
|enabled
 +
|
 +
|-
 +
|pop3s
 +
|SSLv2
 +
|disabled
 +
|'''moved to dovecot'''
 +
| rowspan="4" |/etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl
 +
|
 +
|-
 +
|pop3s
 +
|SSLv3
 +
|disabled
 +
|'''moved to dovecot'''
 +
|
 +
|-
 +
|pop3s
 +
|TLSv1
 +
|enabled
 +
|'''moved to dovecot'''
 +
|
 +
|-
 +
|pop3s
 +
|TLSv1.1
 +
|'''none'''
 +
|'''moved to dovecot'''
 +
|'''needs template custom''' for SME9
 +
|-
 +
|qpsmtpd
 +
|SSLv2
 +
|disabled
 +
|disabled
 +
|
 +
|
 +
|-
 +
|qpsmtpd
 +
|SSLv3
 +
|disabled
 +
|disabled
 +
|/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
 +
|
 +
|-
 +
|qpsmtpd
 +
|TLSv1
 +
|enabled
 +
|disabled
 +
|
 +
|
 +
|-
 +
|qpsmtpd
 +
|TLSv1.1
 +
|'''none'''
 +
|enabled
 +
|
 +
|more permissive to allow oportunistic encrypted email transfer between smtp
 +
|-
 +
|qpsmtpd
 +
|TLSv1.2
 +
|'''none'''
 +
|enabled
 +
|
 +
|
 +
|-
 +
|ftp
 +
|none
 +
|none (no TLS on SME9)
 +
|none
 +
|/etc/e-smith/templates/etc/proftpd.conf/06ModTLS
 +
|TLSProtocol                TLSv1.1 TLSv1.2
 +
|-
 +
|ldap
 +
|SSLv3
 +
|disabled
 +
|
 +
|
 +
|TLSProtocolMin '3.0'(enabled) or '3.1'(disabled)
 +
|}
    
===Preferred Ciphers===
 
===Preferred Ciphers===
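Review bot: The qpsmtpd cipher row in the new table gives the property as CipherSuite, but the unchanged 10ciphers line just above the added text reads "return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || ...", so the property that template consults is tlsCipher. An admin who sets a qpsmtpd CipherSuite value from this table would see no change, and the service would keep using the modSSL value or the built-in default; suggest changing that Property cell to tlsCipher. The httpd-e-smith rows list SSLv2 through TLSv1.1 as disabled and TLSv1.2 as "none" in the SME9 column, which leaves no protocol shown as enabled for httpd on SME9, while the dovecot, pop3s and qpsmtpd rows show TLSv1 enabled there; worth confirming against the 35SSL30SSLProtocol template before this is relied on as a reference. Smaller points: "those are fthe te,plate for protocols" should read "these are the templates for protocols", "oportunistic" should be "opportunistic", and the qpsmtpd template path appears only on the SSLv3 row, whereas the httpd-e-smith and dovecot blocks use rowspan="5" to span all of their protocol rows.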
Line 127: Line 320:  
If your server does not support the protocol, you will get
 
If your server does not support the protocol, you will get
 
  Secure Renegotiation IS NOT supported
 
  Secure Renegotiation IS NOT supported
 +
   
 +
    [[category:developer]]
 
    
 
    
  [[category:developer]]
+
   
 
+
    [[category:advanced]]
 
  −
  [[category:advanced]]
 