Making EFA comply with the IT Security Guidelines for Transport Layer Security (TLS) v2.1
This list contains the settings needed to comply with the NCSC "IT Security Guidelines for Transport Layer Security (TLS) v2.1" on an EFA host (Postfix for mail, httpd for the web interface).
You can check your score/settings on https://en.internet.nl/. Enter your domain under "Test your email" (and under "Test your website" for the web interface) to check it out.
Small note: This is completely based on my CentOS 7 EFA hosts, so CentOS 8, which includes TLS 1.3, could have extra options/ciphers.
----------------------------------------------------------------------
----------------------------------------------------------------------
TLS version:
Good: TLS 1.3 (not officially supported on CentOS 7: its system OpenSSL 1.0.2 has no TLS 1.3)
Sufficient: TLS 1.2
Phase out: TLS 1.1 and 1.0
Insufficient: SSL 3.0, 2.0 and 1.0
nano /etc/postfix/main.cf
change the following settings (smtpd_* covers inbound connections, smtp_* outbound ones; the *_mandatory_* variants apply where TLS is enforced, the plain ones to opportunistic TLS; the commented lines are the previous values):
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
#smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
#smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
#smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1,!TLSv1.1
#smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
Run "postfix reload" afterwards. Keep in mind that opportunistic TLS does not fail closed: a remote MTA that only speaks TLS 1.0/1.1 is not refused by the last two settings, the mail simply falls back to plaintext, so check /var/log/maillog for partners that stop logging "TLS connection established" after the change.
Settings for apache/httpd in order to comply:
nano /etc/httpd/conf.d/ssl.conf
change the following settings !inside! <VirtualHost _default_:443> (the commented lines are the CentOS defaults):
#SSLProtocol all -SSLv2 -SSLv3
SSLProtocol -all +TLSv1.2
#SSLProxyProtocol all -SSLv3
SSLProxyProtocol -all +TLSv1.2
Check the result with "httpd -t" before "systemctl restart httpd". If the Let's Encrypt/certbot virtual host from part 3 below also sets SSLProtocol, keep the two identical: before httpd 2.4.42 the protocol list of the first TLS virtual host on an address:port wins for every name-based virtual host on it.
----------------------------------------------------------------------
----------------------------------------------------------------------
Ciphers:
Good:
ECDHE-ECDSA-AES256-GCM-SHA384 (TLS_AES_256_GCM_SHA384 in 1.3) [1.2]
ECDHE-ECDSA-CHACHA20-POLY1305 (TLS_CHACHA20_POLY1305_SHA256 in 1.3) [1.2]
ECDHE-ECDSA-AES128-GCM-SHA256 (TLS_AES_128_GCM_SHA256 in 1.3) [1.2]
ECDHE-RSA-AES256-GCM-SHA384 (TLS_AES_256_GCM_SHA384 in 1.3) [1.2]
ECDHE-RSA-CHACHA20-POLY1305 (TLS_CHACHA20_POLY1305_SHA256 in 1.3) [1.2]
ECDHE-RSA-AES128-GCM-SHA256 (TLS_AES_128_GCM_SHA256 in 1.3) [1.2]
Sufficient:
ECDHE-ECDSA-AES256-SHA384 [1.2]
ECDHE-ECDSA-AES256-SHA [1.0]
ECDHE-ECDSA-AES128-SHA256 [1.2]
ECDHE-ECDSA-AES128-SHA [1.0]
ECDHE-RSA-AES256-SHA384 [1.2]
ECDHE-RSA-AES256-SHA [1.0]
ECDHE-RSA-AES128-SHA256 [1.2]
ECDHE-RSA-AES128-SHA [1.0]
DHE-RSA-AES256-GCM-SHA384 [1.2]
DHE-RSA-CHACHA20-POLY1305 [1.2]
DHE-RSA-AES128-GCM-SHA256 [1.2]
DHE-RSA-AES256-SHA256 [1.2]
DHE-RSA-AES256-SHA [1.0]
DHE-RSA-AES128-SHA256 [1.2]
DHE-RSA-AES128-SHA [1.0]
nano /etc/postfix/main.cf
change the following settings:
#tls_preempt_cipherlist = yes
tls_preempt_cipherlist = no
#tls_medium_cipherlist = "current settings"
tls_medium_cipherlist = ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
Notes: "medium" is the default grade for all four smtp(d)_tls(_mandatory)_ciphers settings (check with "postconf smtpd_tls_ciphers smtp_tls_ciphers" that EFA did not change them), so this list is what Postfix actually offers. Since every suite in it is in the "Good" category, the order between them carries no weight, which is why tls_preempt_cipherlist (server-side cipher order) can stay at no. The ECDSA suites are only ever offered with an ECDSA certificate; with the usual RSA certificate only the three ECDHE-RSA suites are in play. As with the protocols, an opportunistic remote MTA that supports none of these suites falls back to plaintext rather than being refused. Run "postfix reload" afterwards.
Settings for apache/httpd in order to comply:
nano /etc/httpd/conf.modules.d/00-base.conf
enable the following settings:
LoadModule headers_module modules/mod_headers.so (remove the # in front of it)
Settings for apache/httpd in order to comply - part 2:
curl https://ssl-config.mozilla.org/ffdhe4096.txt > /etc/pki/tls/certs/ffdhe4096.pem
nano /etc/httpd/conf.d/ssl.conf
change/add the following settings !above! <VirtualHost _default_:443>:
Protocols h2 http/1.1
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"
Header always set X-Content-Type-Options "nosniff"
Header always set Content-Security-Policy "default-src 'self' 'unsafe-inline'; img-src *"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
SSLUseStapling On
SSLStaplingCache "shmcb:ssl_stapling(32768)"
SSLHonorCipherOrder on
SSLInsecureRenegotiation off
SSLCompression off
SSLSessionTickets off
SSLOpenSSLConfCmd DHParameters /etc/pki/tls/certs/ffdhe4096.pem
Two remarks: the Content-Security-Policy has to be one header with the directives separated by ";", because a second "Header set" for the same name replaces the first one instead of adding to it (two separate lines would leave you with only "img-src *" and no default-src at all). And "Protocols h2 http/1.1" needs mod_http2, which the stock CentOS 7 httpd 2.4.6 does not ship; if "httpd -t" rejects the directive, leave that line out, it is not part of the TLS guideline. The Header lines are not part of the guideline either; they are there for the internet.nl website test.
change/add the following settings !inside! <VirtualHost _default_:443>:
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
#SSLCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
#SSLProxyCipherSuite HIGH:MEDIUM:!MD5:!RC4
SSLProxyCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
Only keep "includeSubDomains; preload" if every subdomain of the domain can be served over HTTPS and you intend to submit it at https://hstspreload.org/: max-age=63072000 is two years, and a browser that has seen the header (or carries the preload list) will refuse plain HTTP for the whole domain for that long.
Settings for apache/httpd in order to comply - part 3:
nano /etc/letsencrypt/options-ssl-apache.conf
change/add the following settings (this file is generated and managed by certbot and included by the virtual host it created, so check it again after certbot upgrades; if it also contains an SSLProtocol line, make it match the one from the TLS version step):
#SSLCipherSuite "current settings"
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305
#SSLHonorCipherOrder off
SSLHonorCipherOrder on
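A way to check any candidate cipher string before it goes into main.cf or ssl.conf, as an added example that is not part of the original post or of EFA: the script below feeds `openssl ciphers -v` output through the component rules behind the Ciphers table above (key exchange, authentication, bulk cipher, MAC; a suite counts as its weakest part) and also flags any suite that is listed behind a weaker one, which is what the cipher order test is about. The rating tables are my reading of the guideline, `openssl` is the system binary, and the file name ncsc_ciphers.sh is an assumption.

```shell
#!/usr/bin/env bash
# ncsc_ciphers.sh: rate an OpenSSL cipher list against the component tables of the
# NCSC "IT Security Guidelines for TLS v2.1". Added example, not EFA/Postfix code.
#
#   ./ncsc_ciphers.sh 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256'
#   openssl ciphers -v 'HIGH:MEDIUM:!MD5:!RC4' | ./ncsc_ciphers.sh -   # the old EFA default
#
# Each suite is rated by its weakest component (key exchange, authentication, bulk
# cipher, MAC). Ratings are integers so "weakest" is simply the maximum:
# 0 = Good, 1 = Sufficient, 2 = Phase out, 3 = Insufficient.

rating_name() {
  case "$1" in
    0) echo "Good" ;;
    1) echo "Sufficient" ;;
    2) echo "Phase out" ;;
    *) echo "Insufficient" ;;
  esac
}

# Key exchange: ECDHE is Good, DHE Sufficient, static RSA (no forward secrecy) Phase out.
# TLS 1.3 suites print Kx=any because the group is negotiated outside the suite name.
kx_rating() {
  case "$1" in
    Kx=ECDH|Kx=any) echo 0 ;;
    Kx=DH)          echo 1 ;;
    Kx=RSA)         echo 2 ;;
    *)              echo 3 ;;   # anonymous DH, PSK, SRP, export grades, ...
  esac
}

# Authentication: certificate-based RSA or ECDSA only (Au=any for TLS 1.3 suites).
au_rating() {
  case "$1" in
    Au=RSA|Au=ECDSA|Au=any) echo 0 ;;
    *)                      echo 3 ;;   # Au=None (anonymous), Au=PSK, Au=DSS, ...
  esac
}

# Bulk cipher: AEAD (AES-GCM, ChaCha20-Poly1305) Good, AES-CBC Sufficient, 3DES Phase out.
# Anything without a rule here (RC4, DES, NULL, export, CCM) deliberately comes out as
# Insufficient so that it gets looked at.
enc_rating() {
  case "$1" in
    Enc=AESGCM*|Enc=CHACHA20*) echo 0 ;;
    "Enc=AES("*)               echo 1 ;;
    Enc=3DES*)                 echo 2 ;;
    *)                         echo 3 ;;
  esac
}

# MAC: AEAD or SHA-2 HMAC Good, SHA-1 HMAC Sufficient, MD5 Insufficient.
mac_rating() {
  case "$1" in
    Mac=AEAD|Mac=SHA256|Mac=SHA384) echo 0 ;;
    Mac=SHA1)                       echo 1 ;;
    *)                              echo 3 ;;
  esac
}

# ncsc_rating "Kx=..." "Au=..." "Enc=..." "Mac=..."  ->  0..3 (worst component wins)
ncsc_rating() {
  local worst=0 r
  for r in "$(kx_rating "$1")" "$(au_rating "$2")" "$(enc_rating "$3")" "$(mac_rating "$4")"; do
    if [ "$r" -gt "$worst" ]; then worst=$r; fi
  done
  echo "$worst"
}

# Same, but prints the category name.
ncsc_category() {
  rating_name "$(ncsc_rating "$@")"
}

# audit_ciphers: reads `openssl ciphers -v` output on stdin (one suite per line, in server
# preference order), prints a verdict per suite, and returns 0 only when every suite is
# Good or Sufficient AND no suite is listed after a weaker one (the "cipher order" test).
audit_ciphers() {
  local name ver kx au enc mac rest r worst_seen=0 bad=0
  while read -r name ver kx au enc mac rest; do
    [ -n "$name" ] || continue
    r=$(ncsc_rating "$kx" "$au" "$enc" "$mac")
    printf '%-32s %-12s %s\n' "$name" "$(rating_name "$r")" "$ver"
    if [ "$r" -ge 2 ]; then bad=1; fi
    if [ "$r" -lt "$worst_seen" ]; then
      printf '  ORDER: %s is stronger than a suite listed before it; move it up\n' "$name"
      bad=1
    fi
    if [ "$r" -gt "$worst_seen" ]; then worst_seen=$r; fi
  done
  return $bad
}

# Stand-alone use: "-" audits piped `openssl ciphers -v` output, any other argument is
# a cipher string that is expanded with the local OpenSSL first. No argument: do nothing.
case "${1:-}" in
  "") ;;
  -)  audit_ciphers ;;
  *)  openssl ciphers -v "$1" | audit_ciphers ;;
esac
```

Running it on the old EFA default HIGH:MEDIUM:!MD5:!RC4 shows why that string fails: it expands to static-RSA and 3DES suites (Phase out) and, depending on the OpenSSL build, weaker ones, and because OpenSSL sorts them by its own idea of strength, stronger suites end up behind weaker ones. The six-suite list from the page comes out as six times "Good" and a clean exit status.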
----------------------------------------------------------------------
----------------------------------------------------------------------
Cipher order:
Good: On
Insufficient: Off
Already set for httpd when you've followed the Ciphers step (SSLHonorCipherOrder on). For Postfix the server-side cipher order is tls_preempt_cipherlist, which the Ciphers step leaves at no; that is fine because only "Good" suites are offered there and the order among suites of the same category carries no weight.
----------------------------------------------------------------------
----------------------------------------------------------------------
Key Exchange parameters:
Sufficient: ffdhe4096 & ffdhe3072
Phase Out: ffdhe2048
Insufficient: dh1024 (the built-in default of the Postfix 2.10 that CentOS 7 ships) & other groups
curl https://ssl-config.mozilla.org/ffdhe4096.txt > /etc/postfix/ssl/ffdhe4096.pem
nano /etc/postfix/main.cf
#smtpd_tls_dh1024_param_file = /etc/postfix/ssl/dhparam.pem
smtpd_tls_dh1024_param_file = /etc/postfix/ssl/ffdhe4096.pem
The "dh1024" in the parameter name is historical: it is the file used for all non-export DHE suites, whatever the size of the group in it. Note that DH parameters only come into play when a DHE suite is negotiated, and the Postfix cipher list above contains ECDHE suites only, so this is a safety net for a later cipher change rather than something that gets used with that list. Run "postfix reload" afterwards.
Settings for httpd in order to comply:
Already set when you've followed the Ciphers step (SSLOpenSSLConfCmd DHParameters /etc/pki/tls/certs/ffdhe4096.pem); the same remark applies, since SSLCipherSuite there is ECDHE-only too.
----------------------------------------------------------------------
----------------------------------------------------------------------
Client-initiated renegotiation:
Good: Off (or N/A for TLS 1.3)
Sufficient: On
For httpd this needs no extra work: SSLInsecureRenegotiation off (the default, set in the Ciphers step) only refuses the pre-RFC 5746 legacy renegotiation, but mod_ssl in httpd 2.4 rejects any client-initiated renegotiation on its own (it logs "rejecting client initiated renegotiation" when a client tries), and that is what this test is about.
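To verify the result of the TLS version, Ciphers and Key Exchange parameters steps from the outside, here is an added example that is not part of the original post or of EFA: it probes a host with the system openssl s_client, once per protocol version (with STARTTLS for port 25), and grades each answer against the tables above: SSLv3/TLS 1.0/TLS 1.1 must be refused, TLS 1.2 accepted, and the "Server Temp Key" must be ECDHE or a DH group of at least 3072 bits. efa.example.com and the file name tls_probe.sh are placeholders; flags the local s_client does not know (such as -tls1_3 on CentOS 7's OpenSSL 1.0.2) are reported as skipped rather than as failures.

```shell
#!/usr/bin/env bash
# tls_probe.sh: check a hardened EFA host from the outside with openssl s_client.
# Added example, not part of the original post or of EFA. efa.example.com is a placeholder.
#
#   ./tls_probe.sh efa.example.com 443          # the web interface (httpd)
#   ./tls_probe.sh efa.example.com 25 smtp      # inbound mail (Postfix, STARTTLS)

# One handshake attempt with a single protocol version forced; prints everything
# s_client says. </dev/null ends the session right after the handshake.
handshake() {  # HOST PORT FLAG [STARTTLS-PROTO]
  local host=$1 port=$2 flag=$3 starttls=${4:-}
  if [ -n "$starttls" ]; then
    openssl s_client -connect "$host:$port" "$flag" -starttls "$starttls" </dev/null 2>&1
  else
    openssl s_client -connect "$host:$port" "$flag" </dev/null 2>&1
  fi
}

# Reads s_client output on stdin. Prints "proto=... cipher=... tmpkey=..." and returns 0
# when a session was negotiated; otherwise prints "refused (...)" and returns 1.
summarize_handshake() {
  local line proto="" cipher="" tmpkey="" reason=""
  while IFS= read -r line; do
    case "$line" in
      *"Protocol  :"*)     proto=${line##*: } ;;
      *"Cipher    :"*)     cipher=${line##*: } ;;
      "Server Temp Key:"*) tmpkey=${line#Server Temp Key: } ;;
      *"handshake failure"*|*"protocol version"*|*"wrong version number"*|*"no protocols available"*|*"Connection refused"*)
        if [ -z "$reason" ]; then reason=$line; fi ;;
    esac
  done
  # s_client prints "Cipher    : 0000" (or "(NONE)") when no session came about
  if [ -z "$cipher" ] || [ "$cipher" = "0000" ] || [ "$cipher" = "(NONE)" ]; then
    printf 'refused%s\n' "${reason:+ ($reason)}"
    return 1
  fi
  printf 'proto=%s cipher=%s tmpkey=%s\n' "$proto" "$cipher" "${tmpkey:-n/a}"
}

# Verdict per protocol version, following the "TLS version" table above.
protocol_verdict() {  # FLAG accepted|refused
  case "$1:$2" in
    -ssl3:accepted|-tls1:accepted|-tls1_1:accepted) echo "FAIL (must not be offered)" ;;
    -ssl3:refused|-tls1:refused|-tls1_1:refused)    echo "OK" ;;
    -tls1_2:accepted) echo "OK (Sufficient)" ;;
    -tls1_2:refused)  echo "FAIL (TLS 1.2 is required)" ;;
    -tls1_3:accepted) echo "OK (Good)" ;;
    -tls1_3:refused)  echo "OK (optional; TLS 1.2 is Sufficient)" ;;
    *)                echo "?" ;;
  esac
}

# Verdict for the ephemeral key from "Server Temp Key: ...", following the
# "Key Exchange parameters" table. s_client shows only the DH size, not the group name.
tmpkey_verdict() {  # e.g. "DH, 4096 bits" / "ECDH, P-256, 256 bits" / "X25519, 253 bits"
  local bits
  case "$1" in
    DH,*)
      bits=${1##*, }; bits=${bits%% bits}
      if   [ "$bits" -ge 3072 ]; then echo "OK if the group is ffdhe3072/ffdhe4096 (s_client shows only the size)"
      elif [ "$bits" -ge 2048 ]; then echo "Phase out (2048-bit DH)"
      else echo "FAIL (DH smaller than 2048 bits)"; fi ;;
    "ECDH, P-256"*|"ECDH, P-384"*|X25519*|X448*) echo "OK (ECDHE)" ;;
    n/a) echo "n/a" ;;
    *)   echo "check this group by hand ($1)" ;;
  esac
}

probe() {  # HOST PORT [STARTTLS-PROTO]
  local host=$1 port=$2 starttls=${3:-} flag out summary state
  for flag in -ssl3 -tls1 -tls1_1 -tls1_2 -tls1_3; do
    out=$(handshake "$host" "$port" "$flag" "$starttls")
    case "$out" in
      *"nknown option"*) printf '%-8s skipped: the local openssl does not know %s\n' "$flag" "$flag"; continue ;;
    esac
    if summary=$(printf '%s\n' "$out" | summarize_handshake); then state=accepted; else state=refused; fi
    printf '%-8s %-8s %-36s %s\n' "$flag" "$state" "$(protocol_verdict "$flag" "$state")" "$summary"
    if [ "$state" = accepted ]; then
      printf '%-8s key exchange: %s\n' "" "$(tmpkey_verdict "${summary##*tmpkey=}")"
    fi
  done
}

if [ $# -ge 2 ]; then probe "$@"; fi
```

internet.nl talks to the host from the internet, so run this from outside your own network as well as from the LAN; a firewall or load balancer in front of EFA can change the answer. The script reads only the session summary, so it cannot tell whether a 4096-bit DH group is the RFC 7919 one you installed or a self-generated one of the same size; for that, compare the file you installed with what the test site reports.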