guam tls settings

hede kolab983 at der-he.de
Sun Dec 8 11:43:01 CET 2019


Hi list, 

On Fri, 18 Oct 2019 17:14:31 +0200 Milan Petrovic <petrovic.milan at gmail.com> wrote:

> [...]
> 993/tcp   open   imaps
> | ssl-enum-ciphers:
> |   TLSv1.0:
> |     ciphers:
> |       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
> |       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> |       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (brainpoolP256r1) - C
> |       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
> |       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
> |       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
> |       TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> |       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> [...]

Btw, if you want to remove TLSv1.0 or limit the cipher suites, this is also quite possible with guam via the sys.config.

Just as an example for port 993:

    {
        imaps, [
            { port, 993 },
            { implicit_tls, true },
            { imap_server, imaps },
            {
                rules, [
                    { filter_groupware, [] }
                ]
            },
            {
                tls_config, [
                    %% Let's Encrypt (certbot) paths; replace [domain] with your own
                    { keyfile, "/etc/certbot/[domain]/privkey.pem" },
                    { certfile, "/etc/certbot/[domain]/cert.pem" },
                    { cacertfile, "/etc/certbot/[domain]/fullchain.pem" },
                    %% DH parameters for the DHE suites, generated with openssl
                    { dhfile, "/etc/ssl/dhparams.pem" },
                    %% TLSv1.0 is disabled simply by leaving it out of this list
                    { versions, [ 'tlsv1.1', 'tlsv1.2' ] },
                    %% prefer the server's cipher order over the client's
                    %% (add a trailing comma here if you comment in "ciphers" below)
                    { honor_cipher_order, true }
                    %%{ ciphers, ["DHE-RSA-AES256-GCM-SHA384","DHE-RSA-AES128-SHA256",
                    %%            "DHE-RSA-AES256-SHA256","DHE-RSA-AES128-GCM-SHA256",
                    %%            "ECDHE-RSA-AES256-GCM-SHA384","ECDHE-RSA-AES128-SHA256",
                    %%            "ECDHE-RSA-AES256-SHA384","ECDHE-RSA-AES128-GCM-SHA256",
                    %%            "AES256-GCM-SHA384","AES128-SHA256","AES256-SHA256",
                    %%            "AES128-GCM-SHA256"] }
                ]
            }
        ]
    }

(This is just an example; you'll find the stub within the config, including a Let's Encrypt certs config. The dhparams file can be created with openssl. Commenting in the cipher list will limit TLS to version 1.2, obsoleting the "versions" directive. Adapt it also for other ports.)

regards 
hede
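As an added example (not part of hede's mail and not guam project code), the script below parses the nmap ssl-enum-ciphers listing quoted at the top of the thread and checks it against the two policy knobs from the sys.config example: the 'versions' list and the commented-out 'ciphers' list. It lets an admin see, before and after a change, which offered versions and suites the policy would reject, and it makes the parenthetical remark concrete: once the cipher list is active, no suite is left for TLSv1.0 or TLSv1.1, since every entry in that list is a SHA256/SHA384 or GCM suite that only exists in TLS 1.2. The sample scan text is constructed (the TLSv1.0 part is a subset of the quoted output; the TLSv1.1 and TLSv1.2 parts are made up), and the OpenSSL-to-IANA name translation is an assumption that covers only the AES suites in the post's list.

```python
"""Check an nmap ssl-enum-ciphers listing against the guam sys.config TLS policy."""
import re

# Constructed sample in nmap ssl-enum-ciphers format. The TLSv1.0 block is a
# subset of the scan quoted in the thread; TLSv1.1 and TLSv1.2 are made up.
SAMPLE_SCAN = """\
993/tcp   open   imaps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     compressors:
|       NULL
|   TLSv1.1:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (brainpoolP256r1) - A
|       TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 (dh 2048) - A
|       TLS_RSA_WITH_AES_128_CBC_SHA256 (rsa 2048) - A
|       TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|_  least strength: C
"""

# Policy values copied from the sys.config example in the post.
ALLOWED_VERSIONS = ["tlsv1.1", "tlsv1.2"]
CIPHER_LIST = [
    "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-SHA256", "DHE-RSA-AES256-SHA256",
    "DHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-SHA256",
    "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-GCM-SHA256", "AES256-GCM-SHA384",
    "AES128-SHA256", "AES256-SHA256", "AES128-GCM-SHA256",
]

VERSION_RE = re.compile(r"^\|\s+(SSLv\d|TLSv1\.\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+) \(([^)]*)\) - ([A-F])\s*$")


def parse_scan(text):
    """Return {protocol version: [(IANA cipher name, key exchange, nmap grade), ...]}."""
    scan, current = {}, None
    for line in text.splitlines():
        m = VERSION_RE.match(line)
        if m:
            current = m.group(1)
            scan[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            scan[current].append((m.group(1), m.group(2), m.group(3)))
    return scan


def openssl_to_iana(name):
    """Translate the OpenSSL suite names used in sys.config to IANA names.

    Assumption: only the RSA / DHE-RSA / ECDHE-RSA AES-CBC and AES-GCM suites
    that appear in the post's cipher list are handled; anything else raises.
    """
    m = re.fullmatch(r"(?:(DHE-RSA|ECDHE-RSA)-)?AES(128|256)-(GCM-)?(SHA256|SHA384|SHA)", name)
    if not m:
        raise ValueError(f"unsupported OpenSSL cipher name: {name}")
    kx, bits, gcm, mac = m.groups()
    kx = (kx or "RSA").replace("-", "_")
    return f"TLS_{kx}_WITH_AES_{bits}_{'GCM' if gcm else 'CBC'}_{mac}"


def erlang_versions(versions):
    """Map the Erlang atoms ('tlsv1.2') to nmap's spelling ('TLSv1.2')."""
    return {v.upper().replace("TLSV", "TLSv") for v in versions}


def audit(scan, allowed_versions, cipher_list=None):
    """List everything the scanned server offers that the policy would drop."""
    findings = []
    allowed = erlang_versions(allowed_versions)
    allowlist = {openssl_to_iana(c) for c in cipher_list} if cipher_list else None
    for version, ciphers in scan.items():
        if version not in allowed:
            findings.append(f"{version}: protocol version not in 'versions'")
            continue  # the whole version disappears, its ciphers are moot
        for name, _kx, grade in ciphers:
            if "3DES" in name:
                findings.append(f"{version}: {name} uses 3DES (nmap grade {grade})")
            elif allowlist is not None and name not in allowlist:
                findings.append(f"{version}: {name} not in the configured cipher list")
    return findings


def effective_ciphers(scan, cipher_list):
    """Per version, the scanned suites that survive the cipher allowlist.

    A version left with an empty list is effectively disabled, which is why
    the cipher list makes the 'versions' directive redundant.
    """
    allowlist = {openssl_to_iana(c) for c in cipher_list}
    return {v: [n for n, _kx, _g in cs if n in allowlist] for v, cs in scan.items()}


if __name__ == "__main__":
    parsed = parse_scan(SAMPLE_SCAN)
    for finding in audit(parsed, ALLOWED_VERSIONS, CIPHER_LIST):
        print(finding)
    for version, names in effective_ciphers(parsed, CIPHER_LIST).items():
        print(f"{version}: {len(names)} suite(s) left after applying the cipher list")
```

To use it on a real host, replace SAMPLE_SCAN with the output of `nmap --script ssl-enum-ciphers -p 993 <host>` taken before and after the sys.config change; the first run should report the TLSv1.0 and 3DES findings, the second should come back empty for the versions you kept.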

