This is my proposal for the DB format. Defaults for ns 7.4:

```
tls=configuration
    policy=legacy
```
- Define an event `tls-policy-save`: every package that uses TLS must subscribe to it
- A UI is required (but it should be really simple, just a page with a dropdown menu to select the policy)
- Starting from 7.5 we can use dates as policy values (for instance `policy=20180330`)
- Policy upgrade must be manual
- If a package does not implement the selected policy, it must apply the strongest one it knows
- A package may choose to raise the policy level to a minimum standard (e.g. `httpd-admin`)
Why not use an existing DB key? `pki` is for server certificate management, which is a separate issue.
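To make the resolution rules above concrete, here is an added example (not code from this proposal or from NethServer) that reads the `policy` prop from a `tls` record in `config show` format and picks the policy a package should apply. The ranking it uses is an assumption: `legacy` is the weakest value, and a `YYYYMMDD` date value ranks above it, with newer dates stronger; the sample record and the set of policies a package implements are constructed for the example.

```python
# Added example (not from the post or NethServer): resolve the effective TLS
# policy for one package from the proposed `tls` configuration record.
# Assumed ranking: 'legacy' is the weakest value; a YYYYMMDD date value (as the
# post suggests for 7.5) ranks above 'legacy', and a newer date ranks higher.
import re


def policy_rank(policy: str) -> int:
    """Comparable strength of a policy value (assumed ordering, see above)."""
    if policy == "legacy":
        return 0
    if re.fullmatch(r"\d{8}", policy):
        return int(policy)  # newer date = stronger policy
    raise ValueError("unknown TLS policy value: %r" % policy)


def read_tls_policy(config_show_output: str) -> str:
    """Extract the 'policy' prop from `config show tls`-style text
    (key=type on the first line, props indented on the following lines).
    Falls back to 'legacy', the default proposed for 7.4."""
    lines = config_show_output.strip().splitlines()
    if not lines or lines[0].strip() != "tls=configuration":
        raise ValueError("not a tls configuration record")
    props = dict(line.strip().split("=", 1) for line in lines[1:] if "=" in line)
    return props.get("policy", "legacy")


def effective_policy(selected: str, implemented: set, minimum: str = None) -> str:
    """Apply the proposal's rules for one package:
    - use the selected policy if the package implements it,
    - otherwise apply the strongest policy the package knows,
    - never go below the package's own minimum standard (e.g. httpd-admin)."""
    if not implemented:
        raise ValueError("package implements no TLS policy")
    chosen = selected if selected in implemented else max(implemented, key=policy_rank)
    if minimum is not None and policy_rank(chosen) < policy_rank(minimum):
        if minimum not in implemented:
            raise ValueError("minimum policy %r not implemented" % minimum)
        chosen = minimum
    return chosen


# Constructed sample record in the format shown in the post (a 7.5-style date value).
SAMPLE_RECORD = """tls=configuration
    policy=20180330
"""

if __name__ == "__main__":
    selected = read_tls_policy(SAMPLE_RECORD)
    # A package that only knows 'legacy' and an older date applies the strongest it knows.
    print(effective_policy(selected, {"legacy", "20180101"}))  # -> 20180101
```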
Package list, so far:
- [ ] nethserver-directory (slapd)
- [ ] nethserver-mail-server (dovecot)
- [ ] nethserver-smarthost (postfix)
- [ ] nethserver-openssh (sshd)
- [ ] nethserver-httpd (httpd) -- requires a migrate fragment for the `SSLCipherSuite` prop and must honor customized values
- [ ] nethserver-httpd-admin? -- this is already hardened separately: apply a "minimum policy?"
- [ ] nethserver-ejabberd (ejabberd)
- [ ] nethserver-mysql (!)
- [ ] nethserver-postgresql (?)
- [ ] nethserver-sssd (is a network client)
- [ ] openvpn and ipsec networks
- ...
/cc @dev_team