Feature Request: Add SSLProtocol to NodeWorx SSL Page + Certificate Import Idea

On the /nodeworx/ssl page, the addition of the ciphersuite was great, but I think that, to give even more control, being able to adjust the SSLProtocol as well would be useful. It probably makes sense to make those checkboxes and highlight that using anything less than TLSv1 is not secure. Maybe an override notification when checking that.

Another useful feature would be, when using a signed certificate, having a box for the chain. I realize it’s kind of pointless because that can all be put in with the certificate, but I think it would be good for the UI and would remind the user (like myself, I missed it at first) that they need to add the chain certificate there.

Hi Justin
Many thanks, and sorry if I am not understanding, but you can adjust the ciphers/protocol used, i.e. :SSLv3! should stop the cipher/protocol for SSLv3, and to be honest, no one should be using SSL at all now, just TLS, but this can cause confusion to new users, where they see SSL and not TLS.
Also, sorry, I am sure I am not fully understanding, but please see the pic, taken from NodeWorx, SSL, and it clearly states to add any chains to the cert.
Sorry if I have misunderstood
Many thanks
John

I’m talking specifically about the SSLProtocol, not the SSLCipherSuite.

I ran into an issue where I didn’t realize that I had basically turned off all but TLSv1.2 for HTTP by accident. I had done !TLSv1 in the ciphers as a test. But for some reason this took out all but TLSv1.2.

So changing the protocols to the following specifically states which protocols are enabled:

SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2

So I’m saying to give this an option in addition to the ciphers.

I did notice that SMTP doesn’t seem to have the SSLProtocol setup like IMAP, POP, and Web. That one looks like it’s pure ciphers, or I’m just not finding the correct config file.

Hi Justin
Many thanks, and I like your idea of setting TLS (I do not think SSLv3 is needed, as this should not be used).
The file for tls is as follows for SMTP-TLS
/var/qmail/control/tlsserverciphers
Many thanks
John

Yes, and that file lines up with the ciphers set in NodeWorx SSL, but I don’t see any SSLProtocol for SMTP in that file. So it looks like this one is cipher only. But all the other NodeWorx SSL settings could use SSLProtocol and SSLCipherSuite.

Hi Justin

Sorry, I thought smtp worked differently to pop/imap as it is not protocol driven.

STARTTLS upgrades the SMTP session to TLS, and I thought the ciphers were negotiated between client and server, but if only TLS 1.1/1.2 ciphers are available, that’s all that could be used, or the connection is terminated if none can be negotiated.

I could be wrong so apologise in advance

Many thanks

John

You’re right. STARTTLS is used on SMTP. It can also be used for POP/IMAP, but InterWorx currently doesn’t support this.

Yes, that’s how it works. If you block TLSv1 and a client doesn’t have access to TLSv1.1 or TLSv1.2 then it will not connect.

The only thing I was saying is that for POP/IMAP there are two similar, but different, settings: SSLProtocol and SSLCipherSuite.

They overlap somewhat, as I believe you can do !TLSv1 in the SSLCipherSuite and it will turn off TLSv1, even if it’s enabled in the SSLProtocol.

SSLProtocol -all TLSv1 TLSv1.1 TLSv1.2
SSLCipherSuite {all your ciphers go here}:!TLSv1

I believe in this scenario if someone tries to connect using TLSv1, it will fail.
So I’ve started just setting the SSL/TLS protocols in the SSLProtocol setting and leaving the ciphers to the SSLCipherSuite.
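An added example, not from this thread or from InterWorx, that resolves an Apache mod_ssl SSLProtocol line into the set of enabled versions, flags deprecated ones, and shows what a client limited to older versions ends up negotiating. It assumes mod_ssl's parsing rules as modelled here (`+` adds, `-` removes, an unprefixed name replaces the set built so far) and treats the expansion of `all` as an assumption.

```python
"""Resolve an Apache mod_ssl `SSLProtocol` line and check what a client can negotiate."""

# Oldest to newest. "all" is modelled as every version except SSLv2; that expansion
# (in particular whether SSLv3 is in it) depends on the Apache/OpenSSL build, so it is an assumption.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
ALL = frozenset(PROTOCOLS[1:])
# SSLv2/SSLv3 are broken; TLS 1.0 and TLS 1.1 were formally deprecated by RFC 8996.
DEPRECATED = frozenset(PROTOCOLS[:4])
_BY_NAME = {p.lower(): p for p in PROTOCOLS}


def parse_ssl_protocol(directive):
    """Return the frozenset of versions an `SSLProtocol ...` line enables.

    Modelled rules (assumed, see lead-in): '+name' adds, '-name' removes, and a
    bare name REPLACES the set built so far rather than adding to it.
    """
    words = directive.split()
    if not words or words[0].lower() != "sslprotocol":
        raise ValueError("expected an SSLProtocol directive")
    enabled = set()
    for word in words[1:]:
        action, name = ("", word) if word[0] not in "+-" else (word[0], word[1:])
        key = name.lower()
        if key == "all":
            versions = set(ALL)
        elif key in _BY_NAME:
            versions = {_BY_NAME[key]}
        else:
            raise ValueError("unknown protocol %r" % name)
        if action == "+":
            enabled |= versions
        elif action == "-":
            enabled -= versions
        else:
            enabled = versions  # bare name: override, not accumulate
    return frozenset(enabled)


def negotiate(server_enabled, client_supported):
    """Highest version both sides allow, or None when the handshake would fail."""
    common = [p for p in PROTOCOLS if p in server_enabled and p in client_supported]
    return common[-1] if common else None


def deprecated_enabled(enabled):
    """Enabled versions a current deployment should not offer, oldest first."""
    return sorted(enabled & DEPRECATED, key=PROTOCOLS.index)
```

Under these rules the `+`-prefixed form from earlier in the thread enables TLSv1 through TLSv1.2, while the unprefixed `-all TLSv1 TLSv1.1 TLSv1.2` form ends with only TLSv1.2, so a client that can only speak TLSv1 is refused by the second but not the first.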