Opened 3 years ago

Closed 3 years ago

#2626 closed task (fixed)

OSGeo6 security remediation

Reported by: robe
Owned by: sac@…
Priority: normal
Milestone: Sysadmin Contract 2021-II
Component: SysAdmin
Keywords:
Cc:

Description

Disable TLSv1 for http, https, smtp, postfix
Disable SWEET32 cipher suite for https, http
Disable use of jQuery 1.2 (this may be harder as I'm not sure what is using it). At any rate, it needs to be upgraded to 3.5 or later

valid cert for mail, postfix and disable weak hashing algorithms

Change History (2)

comment:1 by robe, 3 years ago

to remedy:

1) was pointing at doc.geotools.org -- set up a fake site to show "Nothing here" as the default

And set up to get a letsencrypt cert for osgeo6.osgeo.osuosl.org

2) Mail was using expired wildcard cert -- changed to use the letsencrypt one for lists.osgeo.org by editing

/etc/postfix/main.cf and also updated ciphers

#smtpd_tls_exclude_ciphers = aNULL, eNULL, EXPORT, DES, RC4, MD5, PSK, aECDH, EDH-DSS-DES-CBC3-SHA, EDH-RSA-DES-CDC3-SHA, KRB5-DE5, CBC3-SHA
smtp_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES, 3DES, SSLv2

tls_high_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!RC4:!MD5:!DES:!EXP:!SEED:!IDEA:!3D$
tls_medium_cipherlist = kEECDH:+kEECDH+SHA:kEDH:+kEDH+SHA:+kEDH+CAMELLIA:kECDH:+kECDH+SHA:kRSA:+kRSA+SHA:+kRSA+CAMELLIA:!aNULL:!eNULL:!SSLv2:!MD5:!DES:!EXP:!SEED:!IDEA:!3DES
systemctl restart postfix
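
An added example, not part of the ticket or of OSGeo's tooling: an offline audit of Postfix main.cf text for the two SMTP items in the description (3DES/SWEET32 excluded, TLSv1 disabled). The sample config is constructed, and checking the `smtpd_tls_protocols` / `smtp_tls_protocols` parameters for `!TLSv1` is an assumption, since the comment above shows only the cipher settings.

```python
import re

# Constructed main.cf excerpt (not the server's real file): smtpd excludes 3DES,
# the client-side smtp list was forgotten, and smtpd still allows TLSv1.
SAMPLE_MAIN_CF = """\
# smtpd_tls_exclude_ciphers = aNULL, eNULL
smtpd_tls_exclude_ciphers = EXP, MEDIUM, LOW, DES,
    3DES, SSLv2
smtp_tls_exclude_ciphers = EXP, LOW
smtpd_tls_protocols = !SSLv2, !SSLv3
smtp_tls_protocols = !SSLv2 !SSLv3 !TLSv1
"""

def parse_main_cf(text):
    """Return {parameter: value} following main.cf syntax: '#' lines are
    comments, a line starting with whitespace continues the previous logical
    line, and a later assignment overrides an earlier one."""
    params, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and current:
            params[current] += " " + raw.strip()
            continue
        name, sep, value = raw.partition("=")
        if sep:
            current = name.strip()
            params[current] = value.strip()
    return params

def tokens(value):
    # Postfix accepts commas and/or whitespace as list separators.
    return {t.upper() for t in re.split(r"[,\s]+", value) if t}

def audit(text):
    """List findings for the server (smtpd) and client (smtp) sides.
    Assumption: TLSv1 is disabled with the '!TLSv1' form; a '>=TLSv1.2'
    style setting is not recognised by this check."""
    p, findings = parse_main_cf(text), []
    for side in ("smtpd", "smtp"):
        if "3DES" not in tokens(p.get(f"{side}_tls_exclude_ciphers", "")):
            findings.append(f"{side}_tls_exclude_ciphers: 3DES not excluded")
        if "!TLSV1" not in tokens(p.get(f"{side}_tls_protocols", "")):
            findings.append(f"{side}_tls_protocols: TLSv1 not disabled")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_MAIN_CF):
        print("FAIL", finding)
```

On a live host the same function can be fed the text of `/etc/postfix/main.cf`; it only reports what the file says, so a handshake test against the running service is still needed after the restart.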

comment:2 by robe, 3 years ago

Resolution: fixed
Status: new → closed