Difference between revisions of "SSL Settings"
Jump to navigation
Jump to search
(SSL TLS and Cipher Settings) |
|||
| (13 intermediate revisions by 4 users not shown) | |||
| Line 41: | Line 41: | ||
config setprop pop3s TLSv1 disabled | config setprop pop3s TLSv1 disabled | ||
signal-event email-update | signal-event email-update | ||
| + | {{Note box|This is only available on SME9, for SME10 POP3 is handled by dovecot.}} | ||
| + | |||
| + | ===Dovecot=== | ||
| + | For windows 10 require TLSv1.2 to be enabled Default is disabled | ||
| + | |||
| + | [root@sme10a4 ~]# config show dovecot | ||
| + | dovecot=service | ||
| + | Quotas=enabled | ||
| + | status=enabled | ||
| + | |||
| + | # config setprop dovecot TLSv1.2 enabled | ||
| + | # signal-event email-update | ||
| + | |||
| + | [root@sme10a4 ~]# config show dovecot | ||
| + | dovecot=service | ||
| + | Quotas=enabled | ||
| + | TLSv1.2=enabled | ||
| + | status=enabled | ||
==Ciphers== | ==Ciphers== | ||
| Line 57: | Line 75: | ||
Save. | Save. | ||
| − | Now we can set | + | Now we can set an overall Cipher, or per service. |
Overall we can use (There is no separate setting for https) | Overall we can use (There is no separate setting for https) | ||
| Line 65: | Line 83: | ||
config setprop ldap CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' | config setprop ldap CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' | ||
| − | config setprop | + | config setprop qpsmtpd tlsCipher 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' |
| − | config setprop | + | config setprop pop3s CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' |
Expand all templates and restart: | Expand all templates and restart: | ||
| Line 72: | Line 90: | ||
signal-event post-upgrade;signal-event reboot | signal-event post-upgrade;signal-event reboot | ||
| − | ==Other | + | ==Other informations== |
| − | ===Existing | + | ===Existing templates=== |
For reference here are the existing keys in /etc/e-smith/templates | For reference here are the existing keys in /etc/e-smith/templates | ||
| − | etc/dovecot/dovecot.conf/35ssl:12:$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n"; | + | /etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl:12:$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n"; |
| − | etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite:4: $OUT .= $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'; | + | /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite:4: $OUT .= $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'; |
| − | etc/openldap/slapd.conf/12tls:2:TLSCipherSuite { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' } | + | /etc/e-smith/templates/etc/openldap/slapd.conf/12tls:2:TLSCipherSuite { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' } |
| − | var/service/qpsmtpd/config/tls_ciphers/10ciphers:3: return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'; | + | /etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers:3: return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'; |
| + | those are fthe te,plate for protocols | ||
| + | |||
| + | /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol | ||
| + | |||
| + | /etc/e-smith/templates/etc/openldap/slapd.conf/12tls | ||
| + | |||
| + | /etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl | ||
| + | |||
| + | /etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols | ||
| + | |||
| + | /etc/e-smith/templates/etc/proftpd.conf/06ModTLS | ||
| + | |||
| + | === Existing keys and properties === | ||
| + | {| class="wikitable" | ||
| + | |+ | ||
| + | !Key | ||
| + | !Property | ||
| + | !default SME9 | ||
| + | !default SME10 | ||
| + | !template | ||
| + | !informations | ||
| + | |- | ||
| + | |modSSL | ||
| + | |CipherSuite | ||
| + | |HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ||
| + | |ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ||
| + | |/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite | ||
| + | |for httpd | ||
| + | |- | ||
| + | |dovecot | ||
| + | |CipherSuite | ||
| + | |HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ||
| + | |ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ||
| + | |/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl | ||
| + | |default to modSSL(CipherSuite) if exists | ||
| + | |- | ||
| + | |ldap | ||
| + | |CipherSuite | ||
| + | |HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ||
| + | |ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ||
| + | |/etc/e-smith/templates/etc/openldap/slapd.conf/12tls | ||
| + | |default to modSSL(CipherSuite) if exists | ||
| + | |- | ||
| + | |qpsmtpd | ||
| + | |CipherSuite | ||
| + | |HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ||
| + | |ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ||
| + | |/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers | ||
| + | |default to modSSL(CipherSuite) if exists | ||
| + | |- | ||
| + | |pop3s | ||
| + | |CipherSuite | ||
| + | |'''none''' | ||
| + | |'''moved to dovecot''' | ||
| + | | | ||
| + | |'''needs template custom see above''' | ||
| + | |- | ||
| + | |httpd-e-smith | ||
| + | |SSLv2 | ||
| + | |disabled | ||
| + | |disabled | ||
| + | | rowspan="5" |/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol | ||
| + | | | ||
| + | |- | ||
| + | |httpd-e-smith | ||
| + | |SSLv3 | ||
| + | |disabled | ||
| + | |disabled | ||
| + | | | ||
| + | |- | ||
| + | |httpd-e-smith | ||
| + | |TLSv1 | ||
| + | |disabled | ||
| + | |disabled | ||
| + | | | ||
| + | |- | ||
| + | |httpd-e-smith | ||
| + | |TLSv1.1 | ||
| + | |disabled | ||
| + | |disabled | ||
| + | | | ||
| + | |- | ||
| + | |httpd-e-smith | ||
| + | |TLSv1.2 | ||
| + | |'''none''' | ||
| + | |enabled | ||
| + | | | ||
| + | |- | ||
| + | |dovecot | ||
| + | |SSLv2 | ||
| + | |disabled | ||
| + | |disabled | ||
| + | | rowspan="5" |/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl | ||
| + | | | ||
| + | |- | ||
| + | |dovecot | ||
| + | |SSLv3 | ||
| + | |disabled | ||
| + | |disabled | ||
| + | | | ||
| + | |- | ||
| + | |dovecot | ||
| + | |TLSv1 | ||
| + | |enabled | ||
| + | |disabled | ||
| + | | | ||
| + | |- | ||
| + | |dovecot | ||
| + | |TLSv1.1 | ||
| + | |enabled | ||
| + | |disabled | ||
| + | | | ||
| + | |- | ||
| + | |dovecot | ||
| + | |TLSv1.2 | ||
| + | |'''none''' | ||
| + | |enabled | ||
| + | | | ||
| + | |- | ||
| + | |pop3s | ||
| + | |SSLv2 | ||
| + | |disabled | ||
| + | |'''moved to dovecot''' | ||
| + | | rowspan="4" |/etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl | ||
| + | | | ||
| + | |- | ||
| + | |pop3s | ||
| + | |SSLv3 | ||
| + | |disabled | ||
| + | |'''moved to dovecot''' | ||
| + | | | ||
| + | |- | ||
| + | |pop3s | ||
| + | |TLSv1 | ||
| + | |enabled | ||
| + | |'''moved to dovecot''' | ||
| + | | | ||
| + | |- | ||
| + | |pop3s | ||
| + | |TLSv1.1 | ||
| + | |'''none''' | ||
| + | |'''moved to dovecot''' | ||
| + | |'''needs template custom''' for SME9 | ||
| + | |- | ||
| + | |qpsmtpd | ||
| + | |SSLv2 | ||
| + | |disabled | ||
| + | |disabled | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |qpsmtpd | ||
| + | |SSLv3 | ||
| + | |disabled | ||
| + | |disabled | ||
| + | |/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols | ||
| + | | | ||
| + | |- | ||
| + | |qpsmtpd | ||
| + | |TLSv1 | ||
| + | |enabled | ||
| + | |enabled | ||
| + | | | ||
| + | |more permissive to allow oportunistic encrypted email transfer between smtp | ||
| + | |- | ||
| + | |qpsmtpd | ||
| + | |TLSv1.1 | ||
| + | |'''none''' | ||
| + | |enabled | ||
| + | | | ||
| + | |more permissive to allow oportunistic encrypted email transfer between smtp | ||
| + | |- | ||
| + | |qpsmtpd | ||
| + | |TLSv1.2 | ||
| + | |'''none''' | ||
| + | |enabled | ||
| + | | | ||
| + | | | ||
| + | |- | ||
| + | |ftp | ||
| + | |none | ||
| + | |none (no TLS on SME9) | ||
| + | |none | ||
| + | |/etc/e-smith/templates/etc/proftpd.conf/06ModTLS | ||
| + | |TLSProtocol TLSv1.1 TLSv1.2 | ||
| + | |- | ||
| + | |ldap | ||
| + | |SSLv3 | ||
| + | |disabled | ||
| + | |'''removed''' | ||
| + | |/etc/e-smith/templates/etc/openldap/slapd.conf/12tls | ||
| + | |TLSProtocolMin '3.0'(enabled) or '3.1'(disabled) | ||
| + | |- | ||
| + | |ldap | ||
| + | |TLSProtocolMin | ||
| + | |'''none''' | ||
| + | |TLSv1.2 | ||
| + | |/etc/e-smith/templates/etc/openldap/slapd.conf/12tls | ||
| + | |SSLv3,TLSv1,TLSv1,1, TLSv1.2 | ||
| + | |} | ||
===Preferred Ciphers=== | ===Preferred Ciphers=== | ||
| − | When testing at ssllabs.com we can see that these are the only Ciphers it feels are secure but currently we do have a specific Cipher setting to restrict it to these: | + | When testing at ssllabs.com we can see that these are the only Ciphers it feels are secure but currently we do not have a specific Cipher setting to restrict it to these: |
| − | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) | + | TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) |
| − | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) | + | TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) |
| − | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) | + | TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) |
| − | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) | + | TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030) |
| − | + | ==Testing== | |
| + | ===Sites=== | ||
https://www.ssllabs.com | https://www.ssllabs.com | ||
| + | |||
| + | https://testssl.sh/ | ||
| + | and | ||
| + | https://github.com/drwetter/testssl.sh | ||
| + | |||
| + | ===Commands=== | ||
Test with: | Test with: | ||
| Line 111: | Line 336: | ||
openssl s_client -connect youserver.com:465 -tls1_1 | openssl s_client -connect youserver.com:465 -tls1_1 | ||
| − | Note: if | + | Note: if your server supports the protocol, You will get: |
| − | You will get: | ||
Protocol : TLSvX | Protocol : TLSvX | ||
Cipher : XXX | Cipher : XXX | ||
| Line 118: | Line 342: | ||
(You my need to CTL C out) | (You my need to CTL C out) | ||
| − | If not, you will get | + | If your server does not support the protocol, you will get |
Secure Renegotiation IS NOT supported | Secure Renegotiation IS NOT supported | ||
| − | + | ||
| − | + | [[category:developer]] | |
| − | [[category:developer]] | + | |
| − | [[category:advanced]] | + | |
| + | [[category:advanced]] | ||
Latest revision as of 16:38, 17 May 2020
SSL Settings
Further to some recent discussions on PCI-DSS compliance this is a guide to updating some of the security settings in SME Server.
Currently SSLv2, SSLv3 and TLSv1.0 should not be used.
SME Server can use TLS v1.2 and TLS v1.1 but due to the openssl version it cannot provide TLSv1.3
SSL/TLS
Disabling TLSv1.0 per service
HTTPS
Remove TLSv1.0 port 443
config setprop httpd-e-smith TLSv1 disabled expand-template /etc/httpd/conf/httpd.conf /etc/init.d/httpd-e-smith restart
IMAPS
Remove TLSv1.0 port 993 imaps (dovecot)
config setprop dovecot TLSv1 disabled signal-event email-update
SMTPS
Remove TLSv1.0 port 465
config setprop qpsmtpd TLSv1 disabled signal-event email-update
POP3S
POP3s is really a secure stunnel connection back to standard POP3
Remove TLSv1.0 port 995
config setprop pop3s TLSv1 disabled signal-event email-update
Dovecot
For windows 10 require TLSv1.2 to be enabled Default is disabled
[root@sme10a4 ~]# config show dovecot dovecot=service Quotas=enabled status=enabled
# config setprop dovecot TLSv1.2 enabled # signal-event email-update
[root@sme10a4 ~]# config show dovecot dovecot=service Quotas=enabled TLSv1.2=enabled status=enabled
Ciphers
First we should add a template fragment for pop3s
mkdir -p /etc/e-smith/templates-custom/var/service/pop3s/stunnel.conf/ cp /etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl /etc/e-smith/templates-custom/var/service/pop3s/stunnel.conf/ nano /etc/e-smith/templates-custom/var/service/pop3s/stunnel.conf/10ssl
Add these lines after "$OUT .= "options = NO_TLSv1\n" unless ($pop3s{TLSv1} || 'enabled') eq 'enabled';"
# Disable weak ciphers
$OUT .= "ciphers = " . ($pop3s{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";
Save.
Now we can set an overall Cipher, or per service.
Overall we can use (There is no separate setting for https)
config setprop modSSL CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
If we set modSSL overall we can then change the following per service:
config setprop ldap CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' config setprop qpsmtpd tlsCipher 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' config setprop pop3s CipherSuite 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4'
Expand all templates and restart:
signal-event post-upgrade;signal-event reboot
Other informations
Existing templates
For reference here are the existing keys in /etc/e-smith/templates
/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl:12:$OUT .= "ssl_cipher_list = " . ($dovecot{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4') . "\n";
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite:4: $OUT .= $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
/etc/e-smith/templates/etc/openldap/slapd.conf/12tls:2:TLSCipherSuite { $ldap{CipherSuite} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4' }
/etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers:3: return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
those are fthe te,plate for protocols
/etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol
/etc/e-smith/templates/etc/openldap/slapd.conf/12tls
/etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl
/etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols
/etc/e-smith/templates/etc/proftpd.conf/06ModTLS
Existing keys and properties
| Key | Property | default SME9 | default SME10 | template | informations |
|---|---|---|---|---|---|
| modSSL | CipherSuite | HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL10SSLCipherSuite | for httpd |
| dovecot | CipherSuite | HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | /etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl | default to modSSL(CipherSuite) if exists |
| ldap | CipherSuite | HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | /etc/e-smith/templates/etc/openldap/slapd.conf/12tls | default to modSSL(CipherSuite) if exists |
| qpsmtpd | CipherSuite | HIGH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4 | /etc/e-smith/templates/var/service/qpsmtpd/config/tls_ciphers/10ciphers | default to modSSL(CipherSuite) if exists |
| pop3s | CipherSuite | none | moved to dovecot | needs template custom see above | |
| httpd-e-smith | SSLv2 | disabled | disabled | /etc/e-smith/templates/etc/httpd/conf/httpd.conf/35SSL30SSLProtocol | |
| httpd-e-smith | SSLv3 | disabled | disabled | ||
| httpd-e-smith | TLSv1 | disabled | disabled | ||
| httpd-e-smith | TLSv1.1 | disabled | disabled | ||
| httpd-e-smith | TLSv1.2 | none | enabled | ||
| dovecot | SSLv2 | disabled | disabled | /etc/e-smith/templates/etc/dovecot/dovecot.conf/35ssl | |
| dovecot | SSLv3 | disabled | disabled | ||
| dovecot | TLSv1 | enabled | disabled | ||
| dovecot | TLSv1.1 | enabled | disabled | ||
| dovecot | TLSv1.2 | none | enabled | ||
| pop3s | SSLv2 | disabled | moved to dovecot | /etc/e-smith/templates/var/service/pop3s/stunnel.conf/10ssl | |
| pop3s | SSLv3 | disabled | moved to dovecot | ||
| pop3s | TLSv1 | enabled | moved to dovecot | ||
| pop3s | TLSv1.1 | none | moved to dovecot | needs template custom for SME9 | |
| qpsmtpd | SSLv2 | disabled | disabled | ||
| qpsmtpd | SSLv3 | disabled | disabled | /etc/e-smith/templates/var/service/qpsmtpd/config/tls_protocols/10protocols | |
| qpsmtpd | TLSv1 | enabled | enabled | more permissive to allow oportunistic encrypted email transfer between smtp | |
| qpsmtpd | TLSv1.1 | none | enabled | more permissive to allow oportunistic encrypted email transfer between smtp | |
| qpsmtpd | TLSv1.2 | none | enabled | ||
| ftp | none | none (no TLS on SME9) | none | /etc/e-smith/templates/etc/proftpd.conf/06ModTLS | TLSProtocol TLSv1.1 TLSv1.2 |
| ldap | SSLv3 | disabled | removed | /etc/e-smith/templates/etc/openldap/slapd.conf/12tls | TLSProtocolMin '3.0'(enabled) or '3.1'(disabled) |
| ldap | TLSProtocolMin | none | TLSv1.2 | /etc/e-smith/templates/etc/openldap/slapd.conf/12tls | SSLv3,TLSv1,TLSv1,1, TLSv1.2 |
Preferred Ciphers
When testing at ssllabs.com we can see that these are the only Ciphers it feels are secure but currently we do not have a specific Cipher setting to restrict it to these:
TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (0x9e) TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (0xc02f) TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (0x9f) TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (0xc030)
Testing
Sites
https://testssl.sh/ and https://github.com/drwetter/testssl.sh
Commands
Test with:
nmap -p <port> --script ssl-enum-ciphers youserver.com
e.g.
nmap -p 995 --script ssl-enum-ciphers youserver.com
Test with:
openssl s_client -connect youserver.com:<port> -tls1
e.g.
openssl s_client -connect youserver.com:465 -tls1
Confirm access to TLSv1.1:
openssl s_client -connect youserver.com:465 -tls1_1
Note: if your server supports the protocol, You will get:
Protocol : TLSvX Cipher : XXX
(You my need to CTL C out)
If your server does not support the protocol, you will get
Secure Renegotiation IS NOT supported