TLS policy page

Thanks to @stephdl developments we implemented a new Server Manager page: “TLS policy”

Every service listening on a network socket secured by SSL TLS can now adjust its settings according to the selected TLS policy. Stephane provided also a basic set of services that support this new feature:

  • Apache
  • Server Manager
  • OpenSSH
  • Postfix
  • Dovecot

This is the (still under construction) admin’s manual page

This awesome piece of work is now available from the testing repository! C’mon guys! /cc @quality_team

yum --enablerepo=nethserver-testing update

Before releasing them, we should implement a stronger TLS policy also for

  • OpenVPN
  • IPsec
  • Ejabberd

If the new policy “2018-03-30” runs well, it will become the default setup starting from NethServer 7.5


read this for testing please

for now I found two minor bugs only in postfix

  • a warning in postfix

    [root@ns7dev7 ~]# Dec 2 20:18:13 ns7dev7 postfix: /usr/sbin/postconf: warning: /etc/postfix/ unused parameter: tls_ssl_options=NO_COMPRESSION

the doc states postfix must be > 2.11, so we should remove it

  • RC4 is enabled in postfix we need to modify this in /etc/postfix/

    smtpd_tls_exclude_ciphers = aNULL:eNULL:LOW:3DES:MD5:EXP:PSK:DSS:RC4:SEED:IDEA:ECDSA

please play with to find errors

1 Like

I’d change labels inside the select box, something like:

  • “Legacy” changed to “Default upstream policy”
  • “2018-03-30” changed to “Hardening 2018-03-30” (not really like it still)
1 Like


Enforced security level
[ Default upstream policy    | v ]

What about “Policy 2018-03-30”

Enforced security level
[ Policy 2018-03-30          | v ]

I like it.

:clap: :clap:

Also for virtual hosts:


I don’t get why we need this :slight_smile:
What is the purpose?

The purpose is giving the system administrator more control over TLS settings. Only the network administrator knows his network clients and can decide the priority of security over backward compatibility with old network clients.

In next iterations we’ll study a policy that applies also to IPsec and OpenVPN. Another package that will adopt this new API in a later step is Ejabberd, which requires some work to upgrade to the new major version.

It would also be good to be able to generate a report like this for our own NethServer installations.

It would not be required for 99% of the cases, but it provides a good high level report that the system administrator can look at to confirm that certain settings are at the correct level at it can be given to the top level non-techie managers and also to the auditors (when required), etc. is the way, but only on CLI

1 Like