Hardening SSL/TLS

Author: righter

HTTPS with Apache 2.4.29

/etc/apache2/mods-enabled/ssl.conf


# Seed OpenSSL's PRNG at startup and per connection
SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 512
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 512
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLPassPhraseDialog exec:/usr/share/apache2/ask-for-passphrase
# Session cache for TLS session resumption (5 minutes)
SSLSessionCache shmcb:${APACHE_RUN_DIR}/ssl_scache(512000)
SSLSessionCacheTimeout 300
# Commented-out alternative using OpenSSL keywords; the explicit list below is what is active
#SSLCipherSuite "HIGH:!aNULL:!MD5:!3DES:!CAMELLIA:!AES128"
# Forward-secret (ECDHE/DHE) AES-256 suites only: AEAD (GCM) first, CBC suites as fallbacks
SSLCipherSuite "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256"
# The server's order above wins over the client's preference
SSLHonorCipherOrder on
# TLS 1.2 only: SSLv3, TLS 1.0 and TLS 1.1 are disabled
SSLProtocol TLSv1.2
# OCSP stapling: the server delivers the OCSP response, clients need not contact the CA's responder
SSLUseStapling on
SSLStaplingCache shmcb:/tmp/stapling_cache(128000)
# No TLS-level compression (CRIME)
SSLCompression off
# ECDHE restricted to P-384; DHE uses a custom 4096-bit group
# (generate it with: openssl dhparam -out /etc/ssl/private/dhparams_4096.pem 4096)
SSLOpenSSLConfCmd Curves secp384r1
SSLOpenSSLConfCmd DHParameters "/etc/ssl/private/dhparams_4096.pem"

SSLLabs Score A+ (4x 100, no warnings) https://www.ssllabs.com/ssltest/analyze.html?d=www.righter.ch&s=185.101.159.84
HTBridge A+ (1 warning because of no TLS 1.1 support) https://www.htbridge.com/ssl/?id=q71G0Zsc

The TLS 1.1 warning follows directly from SSLProtocol TLSv1.2 and is the intended trade-off. Three things to keep in mind before reusing this block: the same SSLProtocol line also excludes TLS 1.3 on Apache 2.4.36 or later built against OpenSSL 1.1.1 (there the equivalent is SSLProtocol -all +TLSv1.2 +TLSv1.3); the -SHA, -SHA256 and -SHA384 entries in the cipher list are CBC-mode suites kept as fallbacks for clients without GCM support, which is why the GCM suites come first and SSLHonorCipherOrder stays on; and Curves secp384r1 pins ECDHE to P-384 alone, so X25519 and P-256 are never offered and a client that supports neither P-384 nor DHE cannot connect.

---

IMAPS with Dovecot 2.2.27

Add to /etc/dovecot/dovecot.conf (on Debian the SSL settings live in the included /etc/dovecot/conf.d/10-ssl.conf):

# Dovecot 2.2 generates its own DH parameters of this size (in 2.3 this setting was replaced by ssl_dh = </path/to/dh.pem)
ssl_dh_parameters_length = 2048
# Same suite list as the Apache SSLCipherSuite above
ssl_cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256"
# Equivalent of SSLHonorCipherOrder on
ssl_prefer_server_ciphers = yes

HTBridge A+ (1 warning: Dovecot does not support OCSP stapling) https://www.htbridge.com/ssl/?id=7IIDgtPA

Note that ssl_protocols is not set here, so Dovecot's default protocol set applies rather than the TLS 1.2-only policy used for Apache.
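The cipher string is shared by the Apache and Dovecot sections above, and both SSLHonorCipherOrder and ssl_prefer_server_ciphers act on the order OpenSSL derives from it. The following is an added example, not code from the original post: it hands that exact string to the OpenSSL behind Python's standard ssl module, expands it into the concrete TLS 1.2 suites in server preference order, and classifies each one (forward secrecy, AEAD versus CBC fallback, SHA-1 MAC), then derives a stricter GCM-only variant. Everything except probe() runs offline; probe() and its host/port arguments are illustrative assumptions for checking what a live server really negotiates, and nothing contacts the hosts scored on the page.

```python
"""Offline audit of the cipher string used in the Apache and Dovecot configs above.

Added example, not part of the original post.  Uses only the standard library:
the ssl module expands OpenSSL cipher-list syntax into the suites it enables, in
server preference order, which is what we inspect here.
"""
import re
import socket
import ssl

# Copied verbatim from the SSLCipherSuite / ssl_cipher_list lines on the page.
PAGE_CIPHERS = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES256-SHA384:"
    "DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256"
)

# OpenSSL's one-line suite description, as returned in the "description" field, e.g.
# "ECDHE-RSA-AES256-SHA  TLSv1 Kx=ECDH  Au=RSA  Enc=AES(256)  Mac=SHA1"
_DESC = re.compile(r"Kx=(\S+)\s+Au=(\S+)\s+Enc=(\S+)\s+Mac=(\S+)")


def expand_cipher_list(cipher_string):
    """Return the TLS <= 1.2 suites OpenSSL selects for cipher_string, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing in the string matches
    # get_ciphers() also reports the fixed TLS 1.3 suites, which a cipher string
    # does not control; drop them so only the string's own choices remain.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def classify(cipher):
    """Reduce one get_ciphers() entry to the properties that matter for hardening."""
    kx, au, _enc, mac = _DESC.search(cipher["description"]).groups()
    return {
        "name": cipher["name"],
        "forward_secrecy": kx in ("ECDH", "DH"),  # ephemeral ECDHE / DHE key exchange
        "aead": mac == "AEAD",                     # GCM (or ChaCha20): no separate HMAC
        "sha1_mac": mac == "SHA1",                 # CBC + HMAC-SHA1 fallback suites
        "bits": cipher["strength_bits"],
        "auth": au,
    }


def audit(cipher_string):
    """Summarise a cipher string: resulting order plus the weaker (non-AEAD) fallbacks."""
    suites = [classify(c) for c in expand_cipher_list(cipher_string)]
    return {
        "order": [s["name"] for s in suites],
        "all_forward_secret": all(s["forward_secrecy"] for s in suites),
        "aead": [s["name"] for s in suites if s["aead"]],
        "cbc_fallbacks": [s["name"] for s in suites if not s["aead"]],
        "sha1_mac": [s["name"] for s in suites if s["sha1_mac"]],
        "min_bits": min(s["bits"] for s in suites),
    }


def aead_only(cipher_string):
    """Stricter variant of the same list: drop the CBC fallbacks, keep the order."""
    return ":".join(audit(cipher_string)["aead"])


def probe(host, port=443):
    """Report what a live server actually negotiates (needs network access).

    Suitable for Apache on 443 and Dovecot IMAPS on 993 (implicit TLS);
    SMTP STARTTLS is not covered.  host/port are assumptions for illustration.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            name, _proto, bits = tls.cipher()
            return {"version": tls.version(), "cipher": name, "bits": bits}


if __name__ == "__main__":
    for key, value in audit(PAGE_CIPHERS).items():
        print(f"{key}: {value}")
    print("gcm-only variant:", aead_only(PAGE_CIPHERS))
```

Run it as-is to see the expanded order and the CBC fallbacks flagged; the exact set depends on the OpenSSL build underneath Python, which is the point: the audit shows what a given OpenSSL makes of the string rather than what the string appears to say.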

---

SMTP with Postfix 3.1.8

/etc/postfix/main.cf

HTBridge A+
