#2644 closed task (fixed)
Disable TLS 1.0 on osgeo3, osgeo4, osgeo6, osgeo7
Reported by: | robe | Owned by: | |
---|---|---|---|
Priority: | normal | Milestone: | Sysadmin Contract 2021-II |
Component: | SysAdmin | Keywords: | |
Cc: |
Description
Per Nessus report, TLS 1.0 is still enabled on osgeo4, osgeo6, and osgeo7. I thought I had disabled these a couple of months ago but guess not.
Change History (3)
comment:2 by , 3 years ago
Done for osgeo3, and confirmed with
nmap --script ssl-enum-ciphers -p 443 geos.osgeo.org
Done for osgeo7, and confirmed with
nmap --script ssl-enum-ciphers -p 443 trac.osgeo.org
nmap --script ssl-enum-ciphers -p 443 secure.osgeo.osuosl.org
comment:3 by , 3 years ago
Resolution: | → fixed |
---|---|
Status: | new → closed |
osgeo6 the https port doesn't allow TLSV1 but the SMTP ports do, so had to change
/etc/postfix/main.cf
and then
systemctl restart postfix
had to add these lines
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
confirmed with
nmap --script ssl-enum-ciphers -p 587 osgeo6.osgeo.osuosl.org
nmap --script ssl-enum-ciphers -p 25 osgeo6.osgeo.osuosl.org
nmap --script ssl-enum-ciphers -p 465 osgeo6.osgeo.osuosl.org #didn't come back with ciphers, just said it was up so don't know
Okay I had turned it off in /etc/nginx/nginx.conf
Issue was letsencrypt was overriding the setting in nginx.conf. So had to turn it off here too:
nano /etc/letsencrypt/options-ssl-nginx.conf
After that change I reran:
and then testing with nmap again
Shows no more TLSv1. Though it doesn't show the TLSv1.3 I added either but oh well.
I've only done for osgeo4. I'll repeat for osgeo6, osgeo3, and osgeo7
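The override described in this ticket, where an included letsencrypt file re-enabled what nginx.conf had turned off, can be caught by listing every active ssl_protocols directive under both config trees. This is an added example, not part of the ticket; the function names find_tls10 and make_sample and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: report every active (uncommented) ssl_protocols directive
# that still enables TLSv1, across all files nginx may include.
# Typical call on a host: find_tls10 /etc/nginx /etc/letsencrypt

# find_tls10 PATH...
# Prints "file:line:directive" for each offending directive.
# Returns 1 if any were found, 0 if none.
find_tls10() {
    # First grep: active ssl_protocols lines only (comment lines start with #).
    # Second grep: the bare token TLSv1, so TLSv1.1/1.2/1.3 do not match.
    hits=$(grep -rnHE '^[[:space:]]*ssl_protocols[[:space:]]' "$@" 2>/dev/null |
           grep -E '[[:space:]]TLSv1([[:space:]]|;)' || true)
    if [ -z "$hits" ]; then
        return 0
    fi
    printf '%s\n' "$hits"
    return 1
}

# make_sample DIR
# Writes constructed sample files that mirror the situation in the ticket:
# nginx.conf is already fixed, the letsencrypt options file is not.
make_sample() {
    mkdir -p "$1/nginx" "$1/letsencrypt"
    cat > "$1/nginx/nginx.conf" <<'EOF'
http {
    ssl_protocols TLSv1.2 TLSv1.3;
    # ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
EOF
    cat > "$1/letsencrypt/options-ssl-nginx.conf" <<'EOF'
# constructed sample, not the real certbot file
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
EOF
}

# Stand-alone use: pass the config directories as arguments.
if [ $# -gt 0 ]; then
    find_tls10 "$@"
fi
```

A clean result only shows the configuration files agree; the nmap ssl-enum-ciphers check used in the ticket is still what confirms the running service.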