für KeyHelp 20.1 planen wir, wie auch schon im Feature Wunsch Forum gewünscht, die TLS Cipher für KeyHelp anzupassen. Im Einzelnen trifft dies die Dienste Apache, Proftpd, Postfix und Dovecot. Basis für die Anpassung ist die Mozilla Empfehlung zur Intermediate Konfiguration (https://ssl-config.mozilla.org/)
Nutzer die dies bereits einmal auf Ihren Systemen testen möchten erhalten hier nun die vorgeschlagenen Änderungen. Feedback ist natürlich willkommen.
Die Konfigurationsschnipsel sind hierbei die für TLS relevanten Ausschnitte, Abschnitte der Konfiguration davor oder dahinter bleiben unverändert. Die Konfiguration unter "Alter Konfiguation" kann entsprechend aus der Datei entfernt und mit der unter "Neue Konfiguration" ersetzt werden.
Apache - Webserver
Konfiguationsdatei: /etc/apache2/mods-enabled/ssl.conf
Alte Konfiguration:
Code: Select all
# SSL Cipher Suite:
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA::AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!ECDHE-RSA-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!DES-CBC3-SHA:!DSS
SSLHonorCipherOrder on
# The protocols to enable
SSLProtocol all -SSLv3 -SSLv2
# OCSP Stapling
#SSLUseStapling on
#SSLStaplingResponderTimeout 5
#SSLStaplingReturnResponderErrors off
#SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocsp(512000)
Code: Select all
# SSL Cipher Suite:
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off
SSLCompression off
SSLSessionTickets off
# OCSP Stapling
SSLUseStapling on
SSLStaplingResponderTimeout 5
SSLStaplingReturnResponderErrors off
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_ocsp(512000)
Konfigurationsdatei: /etc/proftpd/tls.conf
Alte Konfiguration:
Code: Select all
TLSProtocol TLSv1
Code: Select all
TLSProtocol TLSv1.2
TLSCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
Konfigurationsdatei: /etc/postfix/main.cf
Alte Konfiguration:
Code: Select all
## TLS parameters
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/keyhelp/mail.pem
smtpd_tls_key_file = /etc/ssl/keyhelp/mail.pem
smtpd_tls_CAfile = /etc/ssl/keyhelp/mail-ca.crt
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2 !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2 !SSLv3
smtp_tls_security_level = may
smtpd_tls_security_level = may
## TLS cypher for PFS
smtp_tls_mandatory_ciphers = high
smtpd_tls_mandatory_ciphers = high
## medium for now, otherwise breakes with older SMTP
smtp_tls_ciphers = medium
smtpd_tls_ciphers = medium
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_dh512_param_file = /etc/postfix/dh512.pem
Code: Select all
# TLS parameters
smtpd_use_tls = yes
smtpd_tls_auth_only = yes
smtpd_tls_cert_file = /etc/ssl/keyhelp/mail.pem
smtpd_tls_key_file = /etc/ssl/keyhelp/mail.pem
smtpd_tls_CAfile = /etc/ssl/keyhelp/mail-ca.crt
smtp_tls_CApath = /etc/ssl/certs
smtpd_tls_CApath = /etc/ssl/certs
smtp_tls_session_cache_database = btree:${data_directory}/smtp_scache
smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
smtpd_tls_session_cache_timeout = 3600s
smtp_tls_mandatory_protocols = !SSLv2 !SSLv3
smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_protocols = !SSLv2 !SSLv3
smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1
smtp_tls_security_level = may
smtpd_tls_security_level = may
## TLS Cypher für PFS
smtpd_tls_mandatory_ciphers = high
smtp_tls_mandatory_ciphers = high
## medium for now, otherwise breakes with older SMTP
smtpd_tls_ciphers = medium
smtp_tls_ciphers = medium
smtpd_tls_dh512_param_file = /etc/postfix/dh512.pem
smtpd_tls_dh1024_param_file = /etc/postfix/dh2048.pem
smtpd_tls_exclude_ciphers = RC4, 3DES, aNULL
smtp_tls_exclude_ciphers = RC4, 3DES, aNULL
smtpd_tls_eecdh_grade = ultra
tls_eecdh_strong_curve = prime256v1
tls_eecdh_ultra_curve = secp384r1
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
tls_preempt_cipherlist = no
## TLS Logging im Maillog
smtpd_tls_received_header = yes
smtpd_tls_loglevel = 1
smtp_tls_loglevel = 1
Konfigurationsdatei: /etc/dovecot/dovecot.conf
Alte Konfiguration:
Code: Select all
## ssl settings
ssl = required
ssl_cert = </etc/ssl/keyhelp/mail.pem
ssl_key = </etc/ssl/keyhelp/mail.pem
ssl_ca = </etc/ssl/keyhelp/mail-ca.crt
ssl_protocols = !SSLv3
Code: Select all
## ssl settings
ssl = required
ssl_cert = </etc/ssl/keyhelp/mail.pem
ssl_key = </etc/ssl/keyhelp/mail.pem
ssl_ca = </etc/ssl/keyhelp/mail-ca.crt
ssl_dh_parameters_length = 2048
ssl_protocols = TLSv1.2
ssl_cipher_list = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
ssl_prefer_server_ciphers = no