TLS 1.0 and TLS 1.1 protocols removal

Hi,

Having used NS for over a year, I found that last week it fell over and died - reason unknown! On a daily basis it was successfully defending against typically 2,000+ failed log-ins. Maybe one of these was eventually successful?

Anyway, having reinstalled and tested a new NS, I find this 2-minute test of my NS: https://www.ssllabs.com/ssltest/analyze.html?d=therivermersey.com. Presently, the NS achieves an overall score of “A” - which is VERY good! However, the testing system will down-rate that same set-up to “B” next month purely because NS still supports TLS 1.0 & TLS 1.1 (https://blog.qualys.com/ssllabs/2018/11/19/grade-change-for-tls-1-0-and-tls-1-1-protocols?_ga=2.85012249.1265987208.1576420553-952891402.1576420553).

Could the developers consider making available a menu of check-boxes for users to selectively choose which TLS versions are available on their NS installations, please?

With that and a few other “tweaks”, it might be possible to get a NS installation to be rated “A+”!

Many thanks

3 Likes

You’re right, it’s time to update our TLS policy.

However, we can do it by following our approach and releasing a new “TLS policy” number. Thus I’d avoid adding UI checkboxes to disable specific protocols.

If we are smart enough we’ll do it for every TLS-based service on NethServer 7.7. Let’s start experimenting.

I moved your post to a new thread, because I’m afraid that TLS policy and PCI compliance are still far from reaching an agreement!

🙂 I hope this makes a step forward in that direction though.

Hi, many thanks for your reply.

My reason for asking for option boxes on each policy is that it would allow each NS installation to be tailored as needed for TLS.

Some users might choose to offer support for TLS 1.0, whereas others might prefer to have a tighter/stricter installation that has TLS 1.0 and 1.1 turned off. As mentioned in my previous post, supporting TLS 1.0 and 1.1 will harm the security rating of any such system from next month onwards.

Ok, we can also split the upgrade in two distinct policies: the first one disables 1.0, the second one (also) 1.1, so that everyone can gradually enforce the new security trends.

To save development and QA time, both will be tested and released together.

What do you think?

1 Like
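To make the two proposed policy levels concrete, here is an added checker (my own example, not NethServer code) that reads a web server protocol directive in Apache `SSLProtocol` or nginx `ssl_protocols` syntax and reports which level it satisfies. The policy names and the sample directives are assumptions constructed for illustration.

```python
"""Grade a TLS protocol directive against the two policy levels from the
thread (assumed names: 'policy-a' drops TLS 1.0, 'policy-b' drops TLS 1.0
and 1.1). Syntax follows Apache mod_ssl 'SSLProtocol' and nginx
'ssl_protocols'; the sample lines below are constructed, not real templates."""

# Versions known to the checker, oldest first (SSLv2 deliberately absent).
KNOWN = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Protocol versions each policy level still allows.
POLICIES = {
    "policy-a": {"TLSv1.1", "TLSv1.2", "TLSv1.3"},  # TLS 1.0 disabled
    "policy-b": {"TLSv1.2", "TLSv1.3"},             # TLS 1.0 and 1.1 disabled
}


def enabled_versions(directive: str) -> set:
    """Return the versions a directive enables.
    Apache: 'all' expands to every known version, '-X' removes X, '+X'/'X' adds X.
    nginx: a plain whitespace-separated list, optionally ending in ';'."""
    tokens = directive.strip().rstrip(";").split()
    if not tokens or tokens[0] not in ("SSLProtocol", "ssl_protocols"):
        raise ValueError("not a recognised TLS protocol directive")
    enabled = set()
    for tok in tokens[1:]:
        if tok.lower() == "all":
            enabled |= set(KNOWN)
        elif tok.startswith("-"):
            enabled.discard(tok[1:])   # unknown names (e.g. SSLv2) are ignored
        else:
            enabled.add(tok.lstrip("+"))
    return enabled


def policy_violations(directive: str, policy: str) -> set:
    """Versions the directive enables that the named policy forbids."""
    return enabled_versions(directive) - POLICIES[policy]


def grade(directive: str) -> str:
    """Strictest policy level the directive satisfies, or 'legacy'."""
    for name in ("policy-b", "policy-a"):
        if not policy_violations(directive, name):
            return name
    return "legacy"


if __name__ == "__main__":
    samples = [  # constructed examples of what a config template might emit
        "SSLProtocol all -SSLv2 -SSLv3",
        "SSLProtocol all -SSLv3 -TLSv1",
        "ssl_protocols TLSv1.2 TLSv1.3;",
    ]
    for line in samples:
        print(f"{grade(line):9s} {sorted(enabled_versions(line))}  <- {line}")
```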

Hi,

Well, we already have menus for users to select options on, say, Samba and the associated scripts - would it be overly difficult to do something similar as a TLS policy sub-menu?

A radio button could select between your preferred fully automatic handling and a manual option that would then allow the specific selection of the various policies?

The River Mersey

+1 (XMPP too)

https://tls.imirhil.fr/
https://xmpp.net/

1 Like