TLS policy page

testing

(Davide Principi) #1

Thanks to @stephdl’s developments, we implemented a new Server Manager page: “TLS policy”

Every service listening on a network socket secured by SSL/TLS can now adjust its settings according to the selected TLS policy. Stephane also provided a basic set of services that support this new feature:

  • Apache
  • Server Manager
  • OpenSSH
  • Postfix
  • Dovecot

This is the (still under construction) admin’s manual page

http://docs.nethserver.org/en/latest/tlspolicy.html

This awesome piece of work is now available from the testing repository! C’mon guys! /cc @quality_team

yum --enablerepo=nethserver-testing update

Before releasing them, we should implement a stronger TLS policy also for

  • OpenVPN
  • IPsec
  • Ejabberd

If the new policy “2018-03-30” runs well, it will become the default setup starting from NethServer 7.5


(Stéphane de Labrusse) #2

Read this for testing please: https://github.com/NethServer/dev/issues/5421#issuecomment-377354423

For now I found two minor bugs, only in postfix:

  • a warning in postfix

    [root@ns7dev7 ~]# Dec 2 20:18:13 ns7dev7 postfix: /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_options=NO_COMPRESSION

The doc states postfix must be > 2.11, so we should remove it.

  • RC4 is enabled in postfix; we need to modify this in /etc/postfix/main.cf

    tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:kEDH:CAMELLIA128-SHA:AES128-SHA
    smtpd_tls_exclude_ciphers = aNULL:eNULL:LOW:3DES:MD5:EXP:PSK:DSS:RC4:SEED:IDEA:ECDSA

Please play with testssl.sh to find errors.
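
As an added example (not code from the thread or from NethServer itself), a small Python audit that parses a constructed main.cf fragment modelled on the settings quoted above and reports the two issues found: the tls_ssl_options parameter, which the thread says requires Postfix newer than 2.11 (that threshold and the version passed in are taken from the thread, not checked against Postfix sources), and an smtpd_tls_exclude_ciphers list that does not drop RC4.

```python
import re
from typing import Dict, List

# Constructed sample of a Postfix main.cf fragment, modelled on the settings
# quoted in the thread (not a real NethServer template).
SAMPLE_MAIN_CF = """\
# TLS settings
tls_ssl_options=NO_COMPRESSION
tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:kEDH:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_exclude_ciphers = aNULL:eNULL:LOW:3DES:MD5:EXP:PSK:DSS:SEED:IDEA:ECDSA
"""

# Cipher classes the thread's corrected exclude list drops; RC4 is the one
# that was still missing in the tested configuration.
REQUIRED_EXCLUDES = ["aNULL", "eNULL", "RC4", "MD5", "EXP", "LOW"]

def parse_main_cf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines (Postfix also accepts 'key=value')."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"^([A-Za-z0-9_]+)\s*=\s*(.*)$", line)
        if m:
            params[m.group(1)] = m.group(2).strip()
    return params

def audit_tls(params: Dict[str, str], postfix_version: str = "2.10") -> List[str]:
    """Return findings for the TLS parameters discussed in the thread."""
    findings: List[str] = []
    major, minor = (int(x) for x in postfix_version.split(".")[:2])
    # tls_ssl_options needs Postfix 2.11+ (threshold as stated in the thread);
    # on older releases postconf reports it as an unused parameter.
    if "tls_ssl_options" in params and (major, minor) < (2, 11):
        findings.append("tls_ssl_options is unused on Postfix %s; remove it" % postfix_version)
    excluded = set(params.get("smtpd_tls_exclude_ciphers", "").split(":"))
    for name in REQUIRED_EXCLUDES:
        if name not in excluded:
            findings.append("smtpd_tls_exclude_ciphers does not exclude %s" % name)
    high = params.get("tls_high_cipherlist", "").split(":")
    if any("RC4" in c for c in high):
        findings.append("tls_high_cipherlist explicitly selects RC4")
    return findings

if __name__ == "__main__":
    for f in audit_tls(parse_main_cf(SAMPLE_MAIN_CF)):
        print("FINDING:", f)
```

Running it against a real server means feeding it the output of `postconf -n` instead of the constructed sample; testssl.sh remains the check of what the daemon actually negotiates.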


(Giacomo Sanchietti) #3

I’d change labels inside the select box, something like:

  • “Legacy” changed to “Default upstream policy”
  • “2018-03-30” changed to “Hardening 2018-03-30” (I still don’t really like it)

(Davide Principi) #4

+1

Enforced security level
[ Default upstream policy    | v ]

What about “Policy 2018-03-30”

Enforced security level
[ Policy 2018-03-30          | v ]

(Giacomo Sanchietti) #5

I like it.


(Giacomo Sanchietti) #6

:clap: :clap:

Also for virtual hosts:


(Alessio Fattorini) #7

I don’t get why we need this :slight_smile:
What is the purpose?


(Davide Principi) #8

The purpose is giving the system administrator more control over TLS settings. Only the network administrator knows his network clients and can decide the priority of security over backward compatibility with old network clients.

In the next iterations we’ll study a policy that also applies to IPsec and OpenVPN. Another package that will adopt this new API in a later step is Ejabberd, which requires some work to upgrade to the new major version.


(James Nesbitt) #9

It would also be good to be able to generate a report like this for our own NethServer installations.

It would not be required for 99% of the cases, but it provides a good high-level report that the system administrator can look at to confirm that certain settings are at the correct level, and it can be given to the top-level non-techie managers and also to the auditors (when required), etc.


(Stéphane de Labrusse) #10

testssl.sh is the way, but only on CLI