Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#2644 closed task (fixed)

Disable TLS 1.0 on osgeo3, osgeo4, osgeo6, osgeo7

Reported by: robe Owned by: sac@…
Priority: normal Milestone: Sysadmin Contract 2021-II
Component: SysAdmin Keywords:
Cc:

Description

Per Nessus report, TLS 1.0 is still enabled on osgeo4, osgeo6, and osgeo7. I thought I had disabled these a couple of months ago but guess not.

Change History (3)

comment:1 by robe, 3 years ago

Okay, I had turned it off in /etc/nginx/nginx.conf.

The issue was that letsencrypt was overriding the setting in nginx.conf. So I had to turn it off here too: nano /etc/letsencrypt/options-ssl-nginx.conf

#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;

After that change I reran:

systemctl restart nginx

and then tested with nmap again:

nmap --script ssl-enum-ciphers -p 443 osgeo4.osgeo.osuosl.org

It shows no more TLSv1, though it doesn't show the TLSv1.3 I added either, but oh well.

I've only done this for osgeo4. I'll repeat it for osgeo6, osgeo3, and osgeo7.

Last edited 3 years ago by robe

comment:2 by robe, 3 years ago

Done for osgeo3, and confirmed with:

nmap --script ssl-enum-ciphers -p 443 geos.osgeo.org

Done for osgeo7, and confirmed with:

nmap --script ssl-enum-ciphers -p 443 trac.osgeo.org
nmap --script ssl-enum-ciphers -p 443 secure.osgeo.osuosl.org

comment:3 by robe, 3 years ago

Resolution: fixed
Status: new → closed

On osgeo6 the HTTPS port doesn't allow TLSv1 but the SMTP ports do, so I had to change

/etc/postfix/main.cf

and then

systemctl restart postfix

I had to add these lines:

smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols  = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols           = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols            = !SSLv2,!SSLv3,!TLSv1

Confirmed with:

nmap --script ssl-enum-ciphers -p 587 osgeo6.osgeo.osuosl.org
nmap --script ssl-enum-ciphers -p 25 osgeo6.osgeo.osuosl.org
nmap --script ssl-enum-ciphers -p 465 osgeo6.osgeo.osuosl.org  # didn't come back with ciphers, just said it was up, so I don't know

Last edited 3 years ago by robe
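A check for the two settings this ticket changes (the nginx ssl_protocols directive in comment:1 and the Postfix *_tls_protocols exclusion lists in comment:3), added here as an example and not part of the ticket: it works out which versions each config actually leaves enabled, treating TLS 1.1 as deprecated alongside TLS 1.0 per RFC 8996. The config text is constructed from the lines above; the `>=` list syntax of newer Postfix releases is assumed not to be in use.

```python
"""Flag deprecated TLS versions left enabled in nginx and Postfix TLS settings.
Added example; the config lines below are constructed from those in this ticket."""
import re

# Deprecated by RFC 8996 (TLS 1.0/1.1), RFC 7568 (SSLv3) and RFC 6176 (SSLv2).
DEPRECATED = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
ALL_PROTOCOLS = DEPRECATED | {"TLSv1.2", "TLSv1.3"}

def nginx_effective_protocols(conf_text: str) -> set[str]:
    """Return the ssl_protocols set nginx will actually use: a directive in a
    server block (e.g. from an included options-ssl-nginx.conf) overrides the
    http-level one, so the directive at the greatest brace depth wins."""
    depth, best = 0, (-1, set())
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()           # drop '#' comments
        m = re.match(r"ssl_protocols\s+([^;]+);", line)
        if m and depth >= best[0]:                    # deeper (or later) wins
            best = (depth, set(m.group(1).split()))
        depth += line.count("{") - line.count("}")
    return best[1]

def postfix_effective_protocols(value: str) -> set[str]:
    """Interpret a Postfix smtp(d)_tls_protocols value: names without '!' are an
    allow-list, '!'-prefixed names are excluded, and an exclusion-only list (as
    in this ticket) enables everything else. Postfix 3.6's '>=' form is not handled."""
    items = [i for i in re.split(r"[,\s]+", value.strip()) if i]
    included = {i for i in items if not i.startswith("!")}
    excluded = {i[1:] for i in items if i.startswith("!")}
    return (included or set(ALL_PROTOCOLS)) - excluded

def deprecated_enabled(protocols: set[str]) -> set[str]:
    """Subset of `protocols` that should no longer be offered."""
    return protocols & DEPRECATED

# Constructed: nginx.conf's http-level setting plus the letsencrypt include inlined
# into the server block, mirroring the override described in comment:1.
NGINX_SAMPLE = """\
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    server {
        #ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
    }
}
"""

if __name__ == "__main__":
    nginx = deprecated_enabled(nginx_effective_protocols(NGINX_SAMPLE))
    postfix = deprecated_enabled(postfix_effective_protocols("!SSLv2,!SSLv3,!TLSv1"))
    print("nginx still offers:", sorted(nginx), "| postfix still offers:", sorted(postfix))
```

Both of the ticket's final settings still leave TLSv1.1 enabled, which this check reports; an nmap run with ssl-enum-ciphers remains the right way to confirm what the live service actually negotiates.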