Every service listening on a network socket secured by SSL/TLS can now adjust its settings according to the selected TLS policy. Stephane also provided a basic set of services that support this new feature:
Apache
Server Manager
OpenSSH
Postfix
Dovecot
This is the (still under construction) admin’s manual page
The purpose is to give the system administrator more control over TLS settings. Only the network administrator knows his network clients and can decide the priority of security over backward compatibility with old network clients.
In the next iterations we'll study a policy that also applies to IPsec and OpenVPN. Another package that will adopt this new API in a later step is Ejabberd, which requires some work to upgrade to the new major version.
It would also be good to be able to generate a report like this for our own NethServer installations.
It would not be required for 99% of the cases, but it provides a good high-level report that the system administrator can look at to confirm that certain settings are at the correct level, and it can be given to the top-level non-techie managers and also to the auditors (when required), etc.