TLS policy page

davidep · March 29, 2018, 2:25pm

Thanks to @stephdl developments we implemented a new Server Manager page: “TLS policy”

Every service listening on a network socket secured by ~~SSL~~ TLS can now adjust its settings according to the selected TLS policy. Stephane provided also a basic set of services that support this new feature:

Apache
Server Manager
OpenSSH
Postfix
Dovecot

This is the (still under construction) admin’s manual page

http://docs.nethserver.org/en/latest/tlspolicy.html

This awesome piece of work is now available from the testing repository! C’mon guys! /cc @quality_team

yum --enablerepo=nethserver-testing update

Before releasing them, we should implement a stronger TLS policy also for

OpenVPN
IPsec
Ejabberd

If the new policy “2018-03-30” runs well, it will become the default setup starting from NethServer 7.5

stephdl · March 29, 2018, 9:34pm

read this for testing please https://github.com/NethServer/dev/issues/5421#issuecomment-377354423

for now I found two minor bugs only in postfix

a warning in postfix

[root@ns7dev7 ~]# Dec 2 20:18:13 ns7dev7 postfix: /usr/sbin/postconf: warning: /etc/postfix/main.cf: unused parameter: tls_ssl_options=NO_COMPRESSION

the doc states postfix must be > 2.11, so we should remove it

RC4 is enabled in postfix we need to modify this in /etc/postfix/main.cf

tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:kEDH:CAMELLIA128-SHA:AES128-SHA
smtpd_tls_exclude_ciphers = aNULL:eNULL:LOW:3DES:MD5:EXP:PSK:DSS:RC4:SEED:IDEA:ECDSA

please play with testssl.sh to find errors

giacomo · March 30, 2018, 7:18am

I’d change labels inside the select box, something like:

“Legacy” changed to “Default upstream policy”
“2018-03-30” changed to “Hardening 2018-03-30” (not really like it still)

davidep · March 30, 2018, 7:21am

+1

Enforced security level
[ Default upstream policy    | v ]

What about “Policy 2018-03-30”

Enforced security level
[ Policy 2018-03-30          | v ]

giacomo · March 30, 2018, 7:24am

I like it.

giacomo · March 30, 2018, 7:53am

Also for virtual hosts:

alefattorini · March 30, 2018, 1:33pm

I don’t get why we need this
What is the purpose?

davidep · March 30, 2018, 1:43pm

The purpose is giving the system administrator more control over TLS settings. Only the network administrator knows his network clients and can decide the priority of security over backward compatibility with old network clients.

In next iterations we’ll study a policy that applies also to IPsec and OpenVPN. Another package that will adopt this new API in a later step is Ejabberd, which requires some work to upgrade to the new major version.

bwdjames · March 30, 2018, 5:12pm

It would also be good to be able to generate a report like this for our own NethServer installations.

It would not be required for 99% of the cases, but it provides a good high level report that the system administrator can look at to confirm that certain settings are at the correct level at it can be given to the top level non-techie managers and also to the auditors (when required), etc.

stephdl · March 30, 2018, 8:05pm

testssl.sh is the way, but only on CLI