guam tls settings
hede
kolab983 at der-he.de
Sun Dec 8 11:43:01 CET 2019
Hi list,
On Fri, 18 Oct 2019 17:14:31 +0200 Milan Petrovic <petrovic.milan at gmail.com> wrote:
> [...]
> 993/tcp open imaps
> | ssl-enum-ciphers:
> | TLSv1.0:
> | ciphers:
> | TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
> | TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
> | TLS_DHE_RSA_WITH_AES_256_CBC_SHA (dh 2048) - A
> | TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (brainpoolP256r1) - C
> | TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA (brainpoolP256r1) - A
> | TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (brainpoolP256r1) - A
> | TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
> | TLS_RSA_WITH_AES_128_CBC_SHA (rsa 2048) - A
> | TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
> [...]
Btw., if you want to remove TLSv1.0 or limit cipher suites, this is also quite possible with guam via the sys.config.
Just as an example for port 993:
{ imaps, [
    { port, 993 },
    { implicit_tls, true },
    { imap_server, imaps },
    { rules, [
        { filter_groupware, [] }
    ] },
    { tls_config, [
        { keyfile,    "/etc/certbot/[domain]/privkey.pem" },
        { certfile,   "/etc/certbot/[domain]/cert.pem" },
        { cacertfile, "/etc/certbot/[domain]/fullchain.pem" },
        { dhfile,     "/etc/ssl/dhparams.pem" },
        { versions, [ 'tlsv1.1', 'tlsv1.2' ] },
        { honor_cipher_order, true }
        %% To pin the cipher suites, uncomment the following lines; the leading
        %% comma is part of them, so the proplist stays valid Erlang either way.
        %%, { ciphers, [ "DHE-RSA-AES256-GCM-SHA384", "DHE-RSA-AES128-SHA256",
        %%               "DHE-RSA-AES256-SHA256", "DHE-RSA-AES128-GCM-SHA256",
        %%               "ECDHE-RSA-AES256-GCM-SHA384", "ECDHE-RSA-AES128-SHA256",
        %%               "ECDHE-RSA-AES256-SHA384", "ECDHE-RSA-AES128-GCM-SHA256",
        %%               "AES256-GCM-SHA384", "AES128-SHA256",
        %%               "AES256-SHA256", "AES128-GCM-SHA256" ] }
    ] }
] }
(This is just an example; you'll find the stub within the config, including a Let's Encrypt certs config. The dhparams file can be created with openssl. Uncommenting the cipher list will limit TLS to version 1.2, obsoleting the "versions" directive. Adapt it also for other ports.)
regards
hede
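As an added check (example code, not part of hede's mail or of guam itself): a small Python parser for nmap's ssl-enum-ciphers output, like the scan quoted above, that flags what the tls_config change is meant to eliminate, so the scan can be re-run after the change and compared. The sample output is constructed from the quoted TLSv1.0 block, with an assumed TLSv1.2 block added so the grouping by protocol is visible.

```python
"""Flag what the guam tls_config above is meant to remove (TLSv1.0, 3DES,
cipher suites nmap grades below A) in nmap ssl-enum-ciphers output."""
import re

# Constructed sample: the TLSv1.0 block quoted in the thread, trimmed, plus
# an assumed TLSv1.2 block (not from the original scan) for illustration.
SAMPLE_NMAP = """\
993/tcp open imaps
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA (dh 2048) - C
|       TLS_DHE_RSA_WITH_AES_128_CBC_SHA (dh 2048) - A
|       TLS_RSA_WITH_AES_256_CBC_SHA (rsa 2048) - A
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
"""

PROTO_RE = re.compile(r"^\|\s+(TLSv1\.\d|SSLv\d):\s*$")
CIPHER_RE = re.compile(r"^\|\s+(TLS_[A-Z0-9_]+)\s+\(([^)]*)\)\s+-\s+([A-F])\s*$")

def parse_enum_ciphers(text):
    """Return {protocol: [(suite, key exchange, nmap grade), ...]}."""
    result, current = {}, None
    for line in text.splitlines():
        m = PROTO_RE.match(line)
        if m:  # a protocol header opens a new group of cipher lines
            current = m.group(1)
            result[current] = []
            continue
        m = CIPHER_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1), m.group(2), m.group(3)))
    return result

def findings(parsed, allowed=("TLSv1.1", "TLSv1.2", "TLSv1.3")):
    """Protocols outside `allowed`, 3DES suites, and suites graded below A."""
    out = []
    for proto, suites in parsed.items():
        if proto not in allowed:
            out.append(f"{proto}: protocol still offered")
        for suite, _kex, grade in suites:
            if "3DES" in suite:
                out.append(f"{proto}: {suite} uses 3DES")
            elif grade != "A":
                out.append(f"{proto}: {suite} graded {grade}")
    return out
```

Feed it the real scan output (for example `nmap --script ssl-enum-ciphers -p 993 host`) once the config is in place; an empty findings list is the expected result when only the allowed versions and strong suites remain.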