How-To comply EFA with TLS Guidelines


Post by Justin

Updated 17-09-2021

Making EFA comply with the IT Security Guidelines for Transport Layer Security (TLS) v2.1

This list contains the settings needed to comply with the "IT Security Guidelines for Transport Layer Security (TLS) v2.1".
You can check your score/settings on https://en.internet.nl/: enter your domain under "Test your email" to check it out.

Small note: this is based entirely on my CentOS 7 EFA hosts, so CentOS 8, which includes TLS 1.3, could have extra options/ciphers.

----------------------------------------------------------------------
----------------------------------------------------------------------

TLS version:


Good: TLS 1.3 (not officially supported on CentOS 7)
Sufficient: TLS 1.2
Phase out: TLS 1.1 and 1.0
Insufficient: SSL 3.0, 2.0 and 1.0
Settings for postfix in order to comply:
nano /etc/postfix/main.cf

change the following settings:
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
#smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
#smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
#smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
#smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1

Settings for apache/httpd in order to comply:
nano /etc/httpd/conf.d/ssl.conf

change the following settings !inside! <VirtualHost _default_:443>:
#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -all +TLSv1.2
#SSLProxyProtocol all -SSLv3
SSLProxyProtocol -all +TLSv1.2
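As an added example (this is not part of Justin's post, and not an EFA script), the following POSIX shell audit re-reads a Postfix main.cf and an Apache ssl.conf and reports every protocol directive that still permits SSLv2, SSLv3, TLS 1.0 or TLS 1.1. The file paths are whatever you pass in; the two "good" and two "bad" sample files it writes to a temp directory are constructed from the before/after lines above so that it runs offline.

```shell
#!/bin/sh
# Added example, not part of the original post: offline audit of the TLS
# protocol settings described above. It reads a Postfix main.cf and an
# Apache ssl.conf and prints every directive that still permits a version
# the guideline rates "Phase out" or "Insufficient".

FORBIDDEN="SSLv2 SSLv3 TLSv1 TLSv1.1"   # must be excluded everywhere

# postfix_param FILE NAME -> last active value of NAME, normalised to a
# comma-separated list (Postfix uses the last occurrence; commented lines are
# skipped; continuation lines are not handled).
postfix_param() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -s ' \t,' ',' | sed 's/,$//'
}

# audit_postfix_protocols FILE -> 0 when all four protocol parameters exclude
# every forbidden version, 1 otherwise (offenders are printed).
audit_postfix_protocols() {
    rc=0
    for p in smtpd_tls_protocols smtpd_tls_mandatory_protocols \
             smtp_tls_protocols smtp_tls_mandatory_protocols; do
        val=$(postfix_param "$1" "$p")
        if [ -z "$val" ]; then
            echo "FAIL $p: not set (the built-in default still allows TLS 1.0/1.1)"
            rc=1; continue
        fi
        case "$val" in
            ">=TLSv1.2"|">=TLSv1.3") continue ;;   # inclusive syntax of Postfix 3.6+
        esac
        for v in $FORBIDDEN; do
            case ",$val," in
                *",!$v,"*) ;;                        # explicitly excluded: fine
                *) echo "FAIL $p: does not exclude $v (value: $val)"; rc=1 ;;
            esac
        done
    done
    return $rc
}

# httpd_protocol_ok "ARGS" -> 0 if an SSLProtocol argument list leaves only
# TLS 1.2/1.3 enabled: "-all +TLSv1.2" passes, "all -SSLv3" fails.
httpd_protocol_ok() {
    minus_all=0; bare=0
    for tok in $1; do
        case "$tok" in
            -all|-ALL) minus_all=1 ;;
            +TLSv1.2|+TLSv1.3) ;;
            TLSv1.2|TLSv1.3) bare=1 ;;   # plain list form: only these versions
            -*) ;;                       # an explicit removal never hurts
            *) return 1 ;;               # "all", "+TLSv1", "+SSLv3", ...
        esac
    done
    [ "$minus_all" -eq 1 ] || [ "$bare" -eq 1 ]
}

# audit_httpd_protocol FILE -> 0 when every SSLProtocol/SSLProxyProtocol
# directive in FILE passes httpd_protocol_ok and at least one is present.
audit_httpd_protocol() {
    rc=0; n=0
    tmp=$(mktemp)
    grep -E '^[[:space:]]*SSL(Proxy)?Protocol[[:space:]]' "$1" > "$tmp" || true
    while read -r directive args; do
        n=$((n + 1))
        httpd_protocol_ok "$args" || { echo "FAIL $directive $args"; rc=1; }
    done < "$tmp"
    rm -f "$tmp"
    [ "$n" -gt 0 ] || { echo "FAIL no SSLProtocol directive found"; rc=1; }
    return $rc
}

# ---- constructed samples mirroring the post's "before" and "after" lines ----
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
GOOD_CF="$SAMPLE_DIR/main.cf.good"; BAD_CF="$SAMPLE_DIR/main.cf.bad"
GOOD_SSL="$SAMPLE_DIR/ssl.conf.good"; BAD_SSL="$SAMPLE_DIR/ssl.conf.bad"
cat > "$GOOD_CF" <<'EOF'
#smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
EOF
cat > "$BAD_CF" <<'EOF'
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
EOF
printf 'SSLProtocol -all +TLSv1.2\nSSLProxyProtocol -all +TLSv1.2\n' > "$GOOD_SSL"
printf 'SSLProtocol all -SSLv2 -SSLv3\nSSLProxyProtocol all -SSLv3\n' > "$BAD_SSL"

echo "== postfix (after) =="; audit_postfix_protocols "$GOOD_CF" && echo "compliant"
echo "== postfix (before) =="; audit_postfix_protocols "$BAD_CF" || echo "not compliant"
echo "== httpd (after) =="; audit_httpd_protocol "$GOOD_SSL" && echo "compliant"
echo "== httpd (before) =="; audit_httpd_protocol "$BAD_SSL" || echo "not compliant"
```

On a real host run the two audit functions against /etc/postfix/main.cf and /etc/httpd/conf.d/ssl.conf after editing them; a FAIL line names the parameter and the version it still allows, which is quicker than waiting for the internet.nl rescan. Note that `!TLSv1` in Postfix only excludes TLS 1.0, which is why the post adds `!TLSv1.1` as a separate item.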

----------------------------------------------------------------------
----------------------------------------------------------------------

Ciphers:


Good:
ECDHE-ECDSA-AES256-GCM-SHA384 (TLS_AES_256_GCM_SHA384 in 1.3) [1.2]
ECDHE-ECDSA-CHACHA20-POLY1305 (TLS_CHACHA20_POLY1305_SHA256 in 1.3) [1.2]
ECDHE-ECDSA-AES128-GCM-SHA256 (TLS_AES_128_GCM_SHA256 in 1.3) [1.2]
ECDHE-RSA-AES256-GCM-SHA384 (TLS_AES_256_GCM_SHA384 in 1.3) [1.2]
ECDHE-RSA-CHACHA20-POLY1305 (TLS_CHACHA20_POLY1305_SHA256 in 1.3) [1.2]
ECDHE-RSA-AES128-GCM-SHA256 (TLS_AES_128_GCM_SHA256 in 1.3) [1.2]

Sufficient:
ECDHE-ECDSA-AES256-SHA384 [1.2]
ECDHE-ECDSA-AES256-SHA [1.0]
ECDHE-ECDSA-AES128-SHA256 [1.2]
ECDHE-ECDSA-AES128-SHA [1.0]
ECDHE-RSA-AES256-SHA384 [1.2]
ECDHE-RSA-AES256-SHA [1.0]
ECDHE-RSA-AES128-SHA256 [1.2]
ECDHE-RSA-AES128-SHA [1.0]
DHE-RSA-AES256-GCM-SHA384 [1.2]
DHE-RSA-CHACHA20-POLY1305 [1.2]
DHE-RSA-AES128-GCM-SHA256 [1.2]
DHE-RSA-AES256-SHA256 [1.2]
DHE-RSA-AES256-SHA [1.0]
DHE-RSA-AES128-SHA256 [1.2]
DHE-RSA-AES128-SHA [1.0]
Settings for postfix in order to comply:
nano /etc/postfix/main.cf

change the following settings:
#tls_preempt_cipherlist = yes
tls_preempt_cipherlist = no
#tls_medium_cipherlist = "current settings"
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

Settings for apache/httpd in order to comply:
nano /etc/httpd/conf.modules.d/00-base.conf

enable the following settings:
LoadModule headers_module modules/mod_headers.so (remove the # in front of it)

Settings for apache/httpd in order to comply - part 2:
curl https://ssl-config.mozilla.org/ffdhe4096.txt > /etc/pki/tls/certs/ffdhe4096.pem
nano /etc/httpd/conf.d/ssl.conf

change/add the following settings !above! <VirtualHost _default_:443>:
Protocols h2 http/1.1
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
# one Content-Security-Policy header; a second "Header set" for the same header would replace the first value
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src *"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
SSLUseStapling On
SSLStaplingCache "shmcb:ssl_stapling(32768)"
SSLHonorCipherOrder on
SSLInsecureRenegotiation off
SSLCompression off
SSLSessionTickets off
SSLOpenSSLConfCmd DHParameters /etc/pki/tls/certs/ffdhe4096.pem

change/add the following settings !inside! <VirtualHost _default_:443>:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
#SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
#SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

Settings for apache/httpd in order to comply - part 3:
nano /etc/letsencrypt/options-ssl-apache.conf

change/add the following settings:
#SSLCipherSuite "current settings"
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
#SSLHonorCipherOrder off
SSLHonorCipherOrder on
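As an added example (not part of Justin's post), this POSIX shell snippet grades a Postfix tls_medium_cipherlist or Apache SSLCipherSuite value against the Good and Sufficient lists quoted above, so you can see at a glance what a configured string actually contains. The one real input is the cipher list the post configures; the other strings it is run against are constructed, and the grading tables are assumed to be exactly the lists in this post.

```shell
#!/bin/sh
# Added example, not part of the original post: grade each entry of an
# OpenSSL cipher list against the Good / Sufficient tables quoted above.
# OpenSSL keywords such as HIGH or !MD5 cannot be graded without expanding
# them, so they are reported as "Keyword" and fail the audit.

# The list the post configures for tls_medium_cipherlist / SSLCipherSuite.
POST_CIPHERLIST="ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305"

# cipher_grade NAME -> Good | Sufficient | Keyword | Insufficient
# (the TLS 1.3 names are included because OpenSSL reports those for 1.3;
#  anything not in the guideline's two tables is graded Insufficient).
cipher_grade() {
    case "$1" in
        ECDHE-ECDSA-AES256-GCM-SHA384|ECDHE-ECDSA-CHACHA20-POLY1305|ECDHE-ECDSA-AES128-GCM-SHA256|\
        ECDHE-RSA-AES256-GCM-SHA384|ECDHE-RSA-CHACHA20-POLY1305|ECDHE-RSA-AES128-GCM-SHA256|\
        TLS_AES_256_GCM_SHA384|TLS_CHACHA20_POLY1305_SHA256|TLS_AES_128_GCM_SHA256)
            echo Good ;;
        ECDHE-ECDSA-AES256-SHA384|ECDHE-ECDSA-AES256-SHA|ECDHE-ECDSA-AES128-SHA256|ECDHE-ECDSA-AES128-SHA|\
        ECDHE-RSA-AES256-SHA384|ECDHE-RSA-AES256-SHA|ECDHE-RSA-AES128-SHA256|ECDHE-RSA-AES128-SHA|\
        DHE-RSA-AES256-GCM-SHA384|DHE-RSA-CHACHA20-POLY1305|DHE-RSA-AES128-GCM-SHA256|\
        DHE-RSA-AES256-SHA256|DHE-RSA-AES256-SHA|DHE-RSA-AES128-SHA256|DHE-RSA-AES128-SHA)
            echo Sufficient ;;
        "!"*|"+"*|"-"*|"@"*|ALL|DEFAULT|HIGH|MEDIUM|LOW|COMPLEMENTOFDEFAULT|COMPLEMENTOFALL)
            echo Keyword ;;
        *)  echo Insufficient ;;
    esac
}

# audit_cipherlist "A:B:C" -> prints one line per entry with its grade and
# returns 0 only when every entry is Good or Sufficient (a Keyword hides what
# is really enabled; expand it with `openssl ciphers -v '...'` first).
audit_cipherlist() {
    rc=0
    for c in $(printf '%s' "$1" | tr ':,' '  '); do
        g=$(cipher_grade "$c")
        printf '%-36s %s\n' "$c" "$g"
        case "$g" in Good|Sufficient) ;; *) rc=1 ;; esac
    done
    return $rc
}

# count_grade "LIST" GRADE -> how many entries carry that grade.
count_grade() {
    n=0
    for c in $(printf '%s' "$1" | tr ':,' '  '); do
        if [ "$(cipher_grade "$c")" = "$2" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

echo "== cipher list from the post =="
audit_cipherlist "$POST_CIPHERLIST" \
    && echo "compliant: $(count_grade "$POST_CIPHERLIST" Good) Good, $(count_grade "$POST_CIPHERLIST" Sufficient) Sufficient"
echo "== old style string (constructed) =="
audit_cipherlist "HIGH:MEDIUM:!MD5:!RC4" || echo "not compliant: expand the keywords and list suites explicitly"
echo "== mixed list (constructed) =="
audit_cipherlist "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA:AES128-SHA" || echo "not compliant: AES128-SHA has no forward secrecy"
```

The DHE suites are only Sufficient when the server's DH parameters are a 3072- or 4096-bit ffdhe group, which the Key Exchange step below takes care of; the post's own list avoids them entirely and grades as six Good suites.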

----------------------------------------------------------------------
----------------------------------------------------------------------

Cipher order:


Good: On
Insufficient: Off
Settings in order to comply:
Already set when you've followed the Ciphers step (SSLHonorCipherOrder on)

----------------------------------------------------------------------
----------------------------------------------------------------------

Key Exchange parameters:


Sufficient: ffdhe4096 & ffdhe3072
Phase Out: ffdhe2048
Insufficient: dh1024 (postfix default) & other groups
Settings for postfix in order to comply:
curl https://ssl-config.mozilla.org/ffdhe4096.txt > /etc/postfix/ssl/ffdhe4096.pem
nano /etc/postfix/main.cf
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dhparam.pem
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/ffdhe4096.pem

Settings for httpd in order to comply:
Already set when you've followed the Ciphers step (SSLOpenSSLConfCmd DHParameters /etc/pki/tls/certs/ffdhe4096.pem)

----------------------------------------------------------------------
----------------------------------------------------------------------

Client-initiated renegotiation:


Good: Off (or N/A for TLS 1.3)
Sufficient: On
Settings in order to comply:
Already set when you've followed the Ciphers step (SSLInsecureRenegotiation off)