Difference between revisions of "SSL Settings"

From SME Server
(SSL TLS and Cipher Settings)
 
 
(13 intermediate revisions by 4 users not shown)
Line 41: Line 41:
 
  config setprop pop3s TLSv1 disabled
 
  config setprop pop3s TLSv1 disabled
 
  signal-event email-update
 
  signal-event email-update
 +
{{Note box|This is only available on SME9, for SME10 POP3 is handled by dovecot.}}
 +
 +
===Dovecot===
 +
For windows 10 require TLSv1.2 to be enabled Default is disabled
 +
 +
[root@sme10a4 ~]# config show dovecot
 +
dovecot=service
 +
Quotas=enabled
 +
status=enabled
 +
 +
# config setprop dovecot TLSv1.2 enabled
 +
# signal-event email-update
 +
 +
[root@sme10a4 ~]# config show dovecot
 +
dovecot=service
 +
Quotas=enabled
 +
TLSv1.2=enabled
 +
status=enabled
  
 
==Ciphers==
 
==Ciphers==
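Review bot: the added Dovecot sentence "For windows 10 require TLSv1.2 to be enabled Default is disabled" does not say which release the default refers to. The keys table added later in this same revision lists dovecot TLSv1.2 as "none" on SME9 and "enabled" on SME10, so the two read as contradictory. Name the release, and split the sentence in two ("Windows 10 requires TLSv1.2 to be enabled. The default is disabled.").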
Line 57: Line 75:
 
Save.
 
Save.
  
Now we can set and overall Cipher or per service.
+
Now we can set an overall Cipher, or per service.
  
 
Overall we can use (There is no separate setting for https)
 
Overall we can use (There is no separate setting for https)
Line 65: Line 83:
  
 
  config setprop ldap CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
 
  config setprop ldap CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
  config setprop ldap qpsmtpd tlsCipher 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
+
  config setprop qpsmtpd tlsCipher 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
  config setprop ldap pop3s CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
+
  config setprop pop3s CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
  
 
Expand all templates and restart:
 
Expand all templates and restart:
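Review bot: the corrected line "config setprop pop3s CipherSuite ..." only has an effect where the pop3s stunnel service exists. The note box added earlier in this revision says POP3 is handled by dovecot on SME10, and the keys table marks pop3s CipherSuite as needing the custom template. Say next to the command that it applies to SME9 with the custom template fragment in place. Removing the stray "ldap" from the qpsmtpd and pop3s commands is correct.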
Line 72: Line 90:
 
  signal-event post-upgrade;signal-event reboot
 
  signal-event post-upgrade;signal-event reboot
  
==Other settings==
+
==Other informations==
  
===Existing keys===
+
===Existing templates===
  
 
For reference here are the existing keys in /etc/e-smith/templates
 
For reference here are the existing keys in /etc/e-smith/templates
  
  etc/dovecot/dovecot.conf/35ssl:12:$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";
+
  /etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl:12:$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";
  etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite:4:    $OUT .= $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+
  /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite:4:    $OUT .= $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
  etc/openldap/slapd.conf/12tls:2:TLSCipherSuite        { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' }
+
  /etc/e-smith/templates/etc/openldap/slapd.conf/12tls:2:TLSCipherSuite        { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' }
  var/service/qpsmtpd/config/tls_ciphers/10ciphers:3:    return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+
  /etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers:3:    return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
 +
those are fthe te,plate for protocols
 +
 
 +
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
 +
 
 +
/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
 +
 
 +
/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
 +
 
 +
/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
 +
 
 +
/etc/e-smith/templates/etc/proftpd.conf/06ModTLS
 +
 
 +
=== Existing keys and properties ===
 +
{| class="wikitable"
 +
|+
 +
!Key
 +
!Property
 +
!default SME9
 +
!default SME10
 +
!template
 +
!informations
 +
|-
 +
|modSSL
 +
|CipherSuite
 +
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite
 +
|for httpd
 +
|-
 +
|dovecot
 +
|CipherSuite
 +
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
 +
|default to modSSL(CipherSuite) if exists
 +
|-
 +
|ldap
 +
|CipherSuite
 +
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
 +
|default to modSSL(CipherSuite) if exists
 +
|-
 +
|qpsmtpd
 +
|CipherSuite
 +
|HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4
 +
|/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers
 +
|default to modSSL(CipherSuite) if exists
 +
|-
 +
|pop3s
 +
|CipherSuite
 +
|'''none'''
 +
|'''moved to dovecot'''
 +
|
 +
|'''needs template custom see above'''
 +
|-
 +
|httpd-e-smith
 +
|SSLv2
 +
|disabled
 +
|disabled
 +
| rowspan="5" |/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
 +
|
 +
|-
 +
|httpd-e-smith
 +
|SSLv3
 +
|disabled
 +
|disabled
 +
|
 +
|-
 +
|httpd-e-smith
 +
|TLSv1
 +
|disabled
 +
|disabled
 +
|
 +
|-
 +
|httpd-e-smith
 +
|TLSv1.1
 +
|disabled
 +
|disabled
 +
|
 +
|-
 +
|httpd-e-smith
 +
|TLSv1.2
 +
|'''none'''
 +
|enabled
 +
|
 +
|-
 +
|dovecot
 +
|SSLv2
 +
|disabled
 +
|disabled
 +
| rowspan="5" |/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
 +
|
 +
|-
 +
|dovecot
 +
|SSLv3
 +
|disabled
 +
|disabled
 +
|
 +
|-
 +
|dovecot
 +
|TLSv1
 +
|enabled
 +
|disabled
 +
|
 +
|-
 +
|dovecot
 +
|TLSv1.1
 +
|enabled
 +
|disabled
 +
|
 +
|-
 +
|dovecot
 +
|TLSv1.2
 +
|'''none'''
 +
|enabled
 +
|
 +
|-
 +
|pop3s
 +
|SSLv2
 +
|disabled
 +
|'''moved to dovecot'''
 +
| rowspan="4" |/etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl
 +
|
 +
|-
 +
|pop3s
 +
|SSLv3
 +
|disabled
 +
|'''moved to dovecot'''
 +
|
 +
|-
 +
|pop3s
 +
|TLSv1
 +
|enabled
 +
|'''moved to dovecot'''
 +
|
 +
|-
 +
|pop3s
 +
|TLSv1.1
 +
|'''none'''
 +
|'''moved to dovecot'''
 +
|'''needs template custom''' for SME9
 +
|-
 +
|qpsmtpd
 +
|SSLv2
 +
|disabled
 +
|disabled
 +
|
 +
|
 +
|-
 +
|qpsmtpd
 +
|SSLv3
 +
|disabled
 +
|disabled
 +
|/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
 +
|
 +
|-
 +
|qpsmtpd
 +
|TLSv1
 +
|enabled
 +
|enabled
 +
|
 +
|more permissive to allow oportunistic encrypted email transfer between smtp
 +
|-
 +
|qpsmtpd
 +
|TLSv1.1
 +
|'''none'''
 +
|enabled
 +
|
 +
|more permissive to allow oportunistic encrypted email transfer between smtp
 +
|-
 +
|qpsmtpd
 +
|TLSv1.2
 +
|'''none'''
 +
|enabled
 +
|
 +
|
 +
|-
 +
|ftp
 +
|none
 +
|none (no TLS on SME9)
 +
|none
 +
|/etc/e-smith/templates/etc/proftpd.conf/06ModTLS
 +
|TLSProtocol                TLSv1.1 TLSv1.2
 +
|-
 +
|ldap
 +
|SSLv3
 +
|disabled
 +
|'''removed'''
 +
|/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
 +
|TLSProtocolMin '3.0'(enabled) or '3.1'(disabled)
 +
|-
 +
|ldap
 +
|TLSProtocolMin
 +
|'''none'''
 +
|TLSv1.2
 +
|/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
 +
|SSLv3,TLSv1,TLSv1,1, TLSv1.2
 +
|}
  
 
===Preferred Ciphers===
 
===Preferred Ciphers===
  
When testing at ssllabs.com we can see that these are the only Ciphers it feels are secure but currently we do have a specific Cipher setting to restrict it to these:
+
When testing at ssllabs.com we can see that these are the only Ciphers it feels are secure but currently we do not have a specific Cipher setting to restrict it to these:
  
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)  
+
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e)  
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
+
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)  
+
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f)  
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
+
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
  
===Testing===
+
==Testing==
  
 +
===Sites===
 
https://www.ssllabs.com
 
https://www.ssllabs.com
 +
 +
https://testssl.sh/
 +
and
 +
https://github.com/drwetter/testssl.sh
 +
 +
===Commands===
  
 
Test with:
 
Test with:
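Review bot: in the new "Existing keys and properties" table the qpsmtpd cipher row gives the property as CipherSuite, but the template line listed just above the table reads $qpsmtpd{tlsCipher} and the command in the Ciphers section sets tlsCipher. A reader following the table would set a property the template never reads, so change that cell to tlsCipher. In the same hunk, fix "those are fthe te,plate for protocols", "TLSv1,1" in the last ldap row, "oportunistic" and "informations".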
Line 111: Line 336:
 
  openssl s_client -connect youserver.com:465 -tls1_1
 
  openssl s_client -connect youserver.com:465 -tls1_1
  
Note: if you server supports the protocal
+
Note: if your server supports the protocol, You will get:
You will get:
 
 
  Protocol : TLSvX
 
  Protocol : TLSvX
 
  Cipher : XXX
 
  Cipher : XXX
Line 118: Line 342:
 
(You my need to CTL C out)
 
(You my need to CTL C out)
  
If not, you will get
+
If your server does not support the protocol, you will get
 
  Secure Renegotiation IS NOT supported
 
  Secure Renegotiation IS NOT supported
 
+
     
 
+
      [[category:developer]]
[[category:developer]]
+
     
[[category:advanced]]
+
     
 +
      [[category:advanced]]
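Review bot: the reworded "If your server does not support the protocol, you will get" still points only at "Secure Renegotiation IS NOT supported", which is ambiguous because s_client also prints it for a server that completes the handshake but lacks secure renegotiation. Add the line that shows the handshake itself failed, "New, (NONE), Cipher is (NONE)", so readers do not misread a successful connection as a rejected protocol.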

Latest revision as of 15:38, 17 May 2020

SSL Settings

Further to some recent discussions on PCI-DSS compliance this is a guide to updating some of the security settings in SME Server.

Currently SSLv2, SSLv3 and TLSv1.0 should not be used.

SME Server can use TLSv1.2 and TLSv1.1, but because of its OpenSSL version it cannot provide TLSv1.3.

SSL/TLS

Disabling TLSv1.0 per service

HTTPS

Remove TLSv1.0 port 443

config setprop httpd-e-smith TLSv1 disabled 
expand-template /etc/httpd/conf/httpd.conf
/etc/init.d/httpd-e-smith restart

IMAPS

Remove TLSv1.0 port 993 imaps (dovecot)

config setprop dovecot TLSv1 disabled
signal-event email-update

SMTPS

Remove TLSv1.0 port 465

config setprop qpsmtpd TLSv1 disabled
signal-event email-update

POP3S

POP3S is really a secure stunnel connection back to standard POP3.

Remove TLSv1.0 port 995

config setprop pop3s TLSv1 disabled
signal-event email-update

Note: This is only available on SME9; for SME10, POP3 is handled by dovecot.


Dovecot

Windows 10 requires TLSv1.2 to be enabled. The default is disabled.

[root@sme10a4 ~]# config show dovecot
dovecot=service
Quotas=enabled
status=enabled
# config setprop dovecot TLSv1.2 enabled
# signal-event email-update
[root@sme10a4 ~]# config show dovecot
dovecot=service
Quotas=enabled
TLSv1.2=enabled
status=enabled

Ciphers

First we should add a template fragment for pop3s

mkdir -p /etc/e-smith/templates-custom/var/service/pop3s/stunnel.conf/
cp /etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl /etc/e-smith/templates-custom/var/service/pop3s/stunnel.conf/
nano /etc/e-smith/templates-custom/var/service/pop3s/stunnel.conf/10ssl

Add these lines after "$OUT .= "options = NO_TLSv1\n" unless ($pop3s{TLSv1} || 'enabled') eq 'enabled';"

# Disable weak ciphers
$OUT .= "ciphers = " . ($pop3s{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";

Save.

Now we can set an overall Cipher, or per service.

Overall we can use the following (there is no separate setting for https):

config setprop modSSL CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'

If we set modSSL overall we can then change the following per service:

config setprop ldap CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop qpsmtpd tlsCipher 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
config setprop pop3s CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'

Expand all templates and restart:

signal-event post-upgrade;signal-event reboot

Other information

Existing templates

For reference here are the existing keys in /etc/e-smith/templates

/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl:12:$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite:4:    $OUT .= $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
/etc/e-smith/templates/etc/openldap/slapd.conf/12tls:2:TLSCipherSuite         { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' }
/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers:3:    return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';

These are the templates for protocols:

/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol

/etc/e-smith/templates/etc/openldap/slapd.conf/12tls

/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl

/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols

/etc/e-smith/templates/etc/proftpd.conf/06ModTLS

Existing keys and properties

| Key | Property | Default SME9 | Default SME10 | Template | Information |
|---|---|---|---|---|---|
| modSSL | CipherSuite | HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite | for httpd |
| dovecot | CipherSuite | HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | /etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl | defaults to modSSL(CipherSuite) if it exists |
| ldap | CipherSuite | HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | /etc/e-smith/templates/etc/openldap/slapd.conf/12tls | defaults to modSSL(CipherSuite) if it exists |
| qpsmtpd | CipherSuite | HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | /etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers | defaults to modSSL(CipherSuite) if it exists |
| pop3s | CipherSuite | none | moved to dovecot | | needs a custom template, see above |
| httpd-e-smith | SSLv2 | disabled | disabled | /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol | |
| httpd-e-smith | SSLv3 | disabled | disabled | /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol | |
| httpd-e-smith | TLSv1 | disabled | disabled | /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol | |
| httpd-e-smith | TLSv1.1 | disabled | disabled | /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol | |
| httpd-e-smith | TLSv1.2 | none | enabled | /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol | |
| dovecot | SSLv2 | disabled | disabled | /etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl | |
| dovecot | SSLv3 | disabled | disabled | /etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl | |
| dovecot | TLSv1 | enabled | disabled | /etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl | |
| dovecot | TLSv1.1 | enabled | disabled | /etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl | |
| dovecot | TLSv1.2 | none | enabled | /etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl | |
| pop3s | SSLv2 | disabled | moved to dovecot | /etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl | |
| pop3s | SSLv3 | disabled | moved to dovecot | /etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl | |
| pop3s | TLSv1 | enabled | moved to dovecot | /etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl | |
| pop3s | TLSv1.1 | none | moved to dovecot | /etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl | needs a custom template for SME9 |
| qpsmtpd | SSLv2 | disabled | disabled | | |
| qpsmtpd | SSLv3 | disabled | disabled | /etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols | |
| qpsmtpd | TLSv1 | enabled | enabled | | more permissive to allow opportunistic encrypted email transfer between SMTP servers |
| qpsmtpd | TLSv1.1 | none | enabled | | more permissive to allow opportunistic encrypted email transfer between SMTP servers |
| qpsmtpd | TLSv1.2 | none | enabled | | |
| ftp | none | none (no TLS on SME9) | none | /etc/e-smith/templates/etc/proftpd.conf/06ModTLS | TLSProtocol TLSv1.1 TLSv1.2 |
| ldap | SSLv3 | disabled | removed | /etc/e-smith/templates/etc/openldap/slapd.conf/12tls | TLSProtocolMin '3.0' (enabled) or '3.1' (disabled) |
| ldap | TLSProtocolMin | none | TLSv1.2 | /etc/e-smith/templates/etc/openldap/slapd.conf/12tls | SSLv3, TLSv1, TLSv1.1, TLSv1.2 |

Preferred Ciphers

Testing at ssllabs.com shows that these are the only ciphers it considers secure, but we do not currently have a specific cipher setting that restricts the server to them:

TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) 
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f)
TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) 
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)

Testing

Sites

https://www.ssllabs.com

https://testssl.sh/ and https://github.com/drwetter/testssl.sh

Commands

Test with:

nmap -p <port> --script ssl-enum-ciphers youserver.com

e.g.

nmap -p 995 --script ssl-enum-ciphers youserver.com

Test with:

openssl s_client -connect youserver.com:<port> -tls1

e.g.

openssl s_client -connect youserver.com:465 -tls1

Confirm access to TLSv1.1:

openssl s_client -connect youserver.com:465 -tls1_1

Note: if your server supports the protocol, you will get:

Protocol : TLSvX
Cipher : XXX

(You may need to press Ctrl-C to get out.)

If your server does not support the protocol, you will get:

Secure Renegotiation IS NOT supported
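
The s_client checks above, scripted for all four ports this page configures (an added example, not part of the original page or of SME Server). It keys on the Cipher line, because a failed handshake is reported as Cipher 0000 or (NONE). The function names, the script name and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: script the s_client checks and classify each result.

# handshake_result: read `openssl s_client` output on stdin and print
# "accepted <protocol> <cipher>" or "rejected".
handshake_result() {
    awk '
        /^ *Protocol *:/ { proto = $NF }
        /^ *Cipher *:/   { cipher = $NF }
        END {
            if (proto != "" && cipher != "" && cipher != "0000" && cipher != "(NONE)")
                print "accepted", proto, cipher
            else
                print "rejected"
        }'
}

# probe HOST PORT FLAG: one handshake attempt (needs network access).
# stdin from /dev/null makes s_client exit by itself, so no Ctrl-C is needed.
probe() {
    openssl s_client -connect "$1:$2" "$3" </dev/null 2>/dev/null | handshake_result
}

# audit HOST: try each protocol flag on the ports this page configures.
# Per the page, TLSv1.0 (-tls1) should come back "rejected".
audit() {
    for port in 443 465 993 995; do
        for flag in -tls1 -tls1_1 -tls1_2; do
            printf '%s:%s %s %s\n' "$1" "$port" "$flag" "$(probe "$1" "$port" "$flag")"
        done
    done
}

# Constructed sample output for offline use (not captured from a real server).
SAMPLE_OK='New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384'
SAMPLE_FAIL='New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

# Run the audit only when a host name is given: sh tlscheck.sh yourserver.com
if [ "$#" -ge 1 ]; then audit "$1"; fi
```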