Feature Request: Add SSLProtocol to NodeWorx SSL Page + Certificate Import Idea
  • Original post

    On the /nodeworx/ssl, the addition of the ciphersuite was great, but I think to give even more control being able to adjust the SSLProtocol as well would be useful. Probably makes sense to make those checkboxes, highlight that using anything less than TLSv1 is not secure. Maybe an override notification when checking that.

    Another useful feature would be when using signed certificate, having a box for the chain. I realize it's kind of pointless because that can all be put in with the certificate, but I think it would be good for the UI and kind of remind user (like myself, I missed it at first) that they need to add the chain certificate here.

  • Justec
    replied
    Originally posted by d2d4j:
    Sorry, I thought smtp worked differently to pop/imap as it is not protocol driven.
    You're right. STARTTLS is used on SMTP. It can also be used for POP/IMAP, but Interworx currently doesn't support this.

    Originally posted by d2d4j:
    The starttls upgrades the smtp to TLS, and I thought the ciphers were negotiated between client and server, but if only TLS 1.1/2 ciphers available, that's all that could be used or a termination of connection if none can be negotiated
    Yes, that's how it works. If you block TLSv1 and a client doesn't have access to TLSv1.1 or TLSv1.2 then it will not connect.


    The only thing I was saying is for POP/IMAP there are two similar, but different, settings: SSLProtocol and SSLCipherSuite

    They overlap somewhat as I believe you can do !TLSv1 in the SSLCipherSuite and it will turn off TLSv1, even if it's enabled in the SSLProtocol.



    SSLProtocol -all TLSv1 TLSv1.1 TLSv1.2
    SSLCipherSuite {all your ciphers go here}:!TLSv1

    I believe in this scenario if someone tries to connect using TLSv1, it will fail.
    So I've started just setting the SSL/TLS protocols in the SSLProtocol setting and leaving the ciphers to the SSLCipherSuite.

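    The two directives Justec contrasts above (SSLProtocol choosing the handshake versions, SSLCipherSuite choosing the suites) can be checked mechanically before a reload. The script below is an added example for this thread, not InterWorx/NodeWorx code. It parses an SSLProtocol argument following mod_ssl's documented rules (a "+name" adds, a "-name" removes, a bare name replaces whatever was set so far and mod_ssl logs a warning when that happens, "all" expands to every version the build supports), reports SSLv2/SSLv3 and the deprecated TLS 1.0/1.1 if they end up enabled, and flags protocol-named aliases such as "!TLSv1" inside the cipher string, which is the knock-on effect Justec hit with HTTP: those aliases are OpenSSL cipher groups, not version switches. Run against the two SSLProtocol spellings quoted in this thread, it also shows that the form without "+" prefixes leaves only the last-named version enabled, so the prefixed form is the one to copy. Assumptions: the set behind "all" includes TLSv1.3 (true for Apache 2.4.37+ with OpenSSL 1.1.1; older builds just lack it), and the sample config lines are constructed.

```python
"""Lint Apache mod_ssl SSLProtocol / SSLCipherSuite settings for weak choices.

Added illustration for this thread; not InterWorx/NodeWorx code. The SSLProtocol
parsing mirrors mod_ssl's documented +/- rules (assumption stated in the lead-in).
"""
import re

# Protocol names SSLProtocol accepts (case-insensitive in mod_ssl). SSLv2 is
# refused by Apache 2.4 builds; it is listed so a config naming it is reported.
KNOWN = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3")
_CANON = {k.lower(): k for k in KNOWN}
# What 'all' expands to on Apache 2.4 with a current OpenSSL (assumption: TLSv1.3
# present; on older builds the set is simply one element shorter).
ALL = frozenset(("SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"))
INSECURE = frozenset(("SSLv2", "SSLv3"))       # "anything less than TLSv1"
DEPRECATED = frozenset(("TLSv1", "TLSv1.1"))   # retired by RFC 8996
# OpenSSL cipher-list aliases that look like protocol switches but are not.
CIPHER_PROTO_ALIASES = ("SSLv2", "SSLv3", "TLSv1", "TLSv1.2")


def parse_ssl_protocol(value):
    """Return (enabled_versions, warnings) for the argument text of SSLProtocol."""
    enabled, warnings = set(), []
    for token in value.split():
        action, name = (token[0], token[1:]) if token[0] in "+-" else ("", token)
        key = name.lower()
        if key == "all":
            members = set(ALL)
        elif key in _CANON:
            members = {_CANON[key]}
        else:
            raise ValueError("illegal protocol '%s'" % name)
        if action == "+":
            enabled |= members
        elif action == "-":
            enabled -= members
        else:
            # Bare name: mod_ssl replaces the set built so far and logs a warning.
            if enabled:
                warnings.append("'%s' overrides already set protocols; "
                                "missing +/- prefix?" % name)
            enabled = members
    return frozenset(enabled), warnings


def lint_ssl_config(text):
    """Scan Apache config text; return a list of findings (empty means clean)."""
    findings, proto_arg, cipher_arg = [], None, None
    for line in text.splitlines():
        m = re.match(r"\s*(SSLProtocol|SSLCipherSuite)\s+(.+?)\s*$", line, re.I)
        if not m:
            continue
        if m.group(1).lower() == "sslprotocol":
            proto_arg = m.group(2)
        else:
            cipher_arg = m.group(2)
    if proto_arg is None:
        enabled = ALL
        findings.append("no SSLProtocol directive; mod_ssl's default ('all') applies")
    else:
        enabled, warnings = parse_ssl_protocol(proto_arg)
        findings.extend(warnings)
    findings.extend("insecure protocol enabled: " + p for p in sorted(enabled & INSECURE))
    findings.extend("deprecated protocol enabled: " + p for p in sorted(enabled & DEPRECATED))
    if cipher_arg:
        # '!TLSv1' here removes a whole cipher group (suites whose minimum
        # version is TLS 1.0), which can leave TLS 1.0/1.1 clients with nothing
        # to negotiate even though SSLProtocol still lists those versions.
        for tok in cipher_arg.split(":"):
            if tok[:1] in ("!", "-") and tok[1:] in CIPHER_PROTO_ALIASES:
                findings.append("protocol alias '%s' used in SSLCipherSuite; "
                                "control versions with SSLProtocol instead" % tok[1:])
    return findings


# Constructed sample configs: a clean one, the cipher-string gotcha, and the
# unprefixed SSLProtocol spelling quoted in the thread.
SAMPLE_OK = "SSLProtocol -all +TLSv1.2 +TLSv1.3\nSSLCipherSuite HIGH:!aNULL:!MD5\n"
SAMPLE_GOTCHA = ("SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2\n"
                 "SSLCipherSuite HIGH:!aNULL:!MD5:!TLSv1\n")
SAMPLE_UNPREFIXED = "SSLProtocol -all TLSv1 TLSv1.1 TLSv1.2\n"

if __name__ == "__main__":
    for label, cfg in (("ok", SAMPLE_OK), ("gotcha", SAMPLE_GOTCHA),
                       ("unprefixed", SAMPLE_UNPREFIXED)):
        print(label, parse_ssl_protocol(cfg.split("\n")[0].split(None, 1)[1])[0])
        for finding in lint_ssl_config(cfg) or ["clean"]:
            print("   ", finding)
```

    Feed it the relevant lines from the vhost or the NodeWorx-generated config and act on the findings; the "overrides already set protocols" warning is the one that silently narrows a server to a single version.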
  • d2d4j
    replied
    Hi Justin

    Sorry, I thought smtp worked differently to pop/imap as it is not protocol driven.

    The starttls upgrades the smtp to TLS, and I thought the ciphers were negotiated between client and server, but if only TLS 1.1/2 ciphers available, that's all that could be used or a termination of connection if none can be negotiated

    I could be wrong so apologise in advance

    Many thanks

    John

  • Justec
    replied
    Originally posted by d2d4j:
    /var/qmail/control/tlsserverciphers
    Yes, and that file lines up to the ciphers set in NodeWorx SSL, but don't see any SSLProtocol for SMTP in that file. So looks like this one is Cipher only. But all the other NodeWorx SSL settings could use SSLProtocol and SSLCipherSuite.

  • d2d4j
    replied
    Hi Justin
    Many thanks, and I like your idea of setting TLS (I do not think SSLv3 is needed, as this should not be used)
    The file for tls is as follows for SMTP-TLS
    /var/qmail/control/tlsserverciphers
    Many thanks
    John

  • Justec
    replied
    I did notice that SMTP doesn't seem to have the SSLProtocol setup like IMAP, POP, and Web. That one looks like it's pure Ciphers or I'm just not finding the correct config file.

  • Justec
    replied
    I'm talking specifically about the SSLProtocol, not the SSLCipherSuite.

    I ran into an issue that I didn't realize that I basically had turned off all but TLSv1.2 for HTTP by accident. I had done !TLSv1 in ciphers as a test. But for some reason this took out all but TLSv1.2.

    So changing the protocols around to the following specifically states what protocols
    Code:
    SSLProtocol -all +TLSv1 +TLSv1.1 +TLSv1.2
    So I'm saying to give this an option in addition to the ciphers.

    [Attached image: iworx-sample-ssl-page.jpg]

  • d2d4j
    replied
    Hi Justin
    Many thanks, and sorry if I am not understanding, but you can adjust the ciphers/protocol used, ie :SSLv3! should stop the cipher/protocol for SSLv3, and to be honest, no one should be using SSL at all now, just TLS, but this can cause confusion to new users, where they see SSL and not TLS.
    Also, sorry, I am sure I am not fully understanding, but please see pic, taken from Nodeworx, SSL, and it clearly states to add any chains to cert
    Sorry if I have misunderstood
    Many thanks
    John
    Attached Files
