Revision diff: page size 2785 → 3149 bytes (no revision comment on either side).

Line 55 (old) / Line 54 (new):
Old: TLS protocal,vcipher display
New: TLS protocal,cipher display, security level check

Line 68 (old) / Line 67 (new):
Old: Use the latest nmap, Nmap version 7.80-1 ( https://nmap.org )
New: Use the latest nmap, Nmap version 7.80-1 ( https://nmap.org ). If the results above contain "Warnings:" (example below):
{{{
warnings:
  64-bit block cipher 3DES vulnerable to SWEET32 attack
  Broken cipher RC4 is deprecated by RFC 7465
  Ciphersuite uses MD5 for message integrity
}}}
fix the configuration until no "Warnings:" appear.
SSL/TLS-cipher-Tips
1. HTTPS server check site (https, cert, cipher)
https://www.ssllabs.com/ssltest/analyze.html
2. SMTP (STARTTLS) server check site
3. Postfix STARTTLS (smtp/smtpd) configuration guide
https://netlab1.net/long-term/POSIX-email-TLSv1.2.pdf
smtp_tls_exclude_ciphers = NULL, aNULL, eNULL, RC4, DES, DES+MD5, EXPORT, LOW, EXP-EDH-RSA-DES-CBC-SHA,EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, ECDHE-RSA-DES-CBC4-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, 3DES, IDEA
4. Dovecot configuration guide
https://wiki.dovecot.org/SSL/DovecotConfiguration
https://www.openssl.org/docs/manmaster/man1/ciphers.html
ssl_cipher_list = ALL:!3DES:!RC4:!LOW:!SSLv2:!EXP:!aNULL:!IDEA
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
5. Mozilla SSL Configuration Generator
https://mozilla.github.io/server-side-tls/ssl-config-generator/
6. Check commands
Show the TLS protocol versions and ciphers, and check the security level:
{{{
nmap -v -p443 --script ssl-enum-ciphers hostname
nmap -v -p25 --script ssl-enum-ciphers hostname
nmap -v -p110 --script ssl-enum-ciphers hostname
nmap -v -p143 --script ssl-enum-ciphers hostname
nmap -v -p465 --script ssl-enum-ciphers hostname
nmap -v -p587 --script ssl-enum-ciphers hostname
nmap -v -p993 --script ssl-enum-ciphers hostname
nmap -v -p995 --script ssl-enum-ciphers hostname
}}}
etc.
Use the latest nmap, Nmap version 7.80-1 ( https://nmap.org ).
If the results above contain "Warnings:" (example below):
{{{
warnings:
  64-bit block cipher 3DES vulnerable to SWEET32 attack
  Broken cipher RC4 is deprecated by RFC 7465
  Ciphersuite uses MD5 for message integrity
}}}
fix the configuration until no "Warnings:" appear.
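As an added example (not part of the original page), the following POSIX shell script automates the check above: it runs ssl-enum-ciphers against every listed port and exits non-zero when nmap reports any "warnings:" block, printing each warning together with the protocol version it belongs to. The parser is exercised against a constructed nmap 7.80-style output sample embedded in the script, so it runs without network access; the host name is a placeholder argument, and the script assumes nmap 7.80 or later with the ssl-enum-ciphers NSE script installed.

```shell
#!/bin/sh
# Added example (not from the original page): automate the nmap checks above.
# Runs ssl-enum-ciphers on every listed port and exits non-zero if nmap reports
# any cipher warnings. Assumes nmap 7.80+ with the ssl-enum-ciphers NSE script.

TLS_PORTS="443 25 110 143 465 587 993 995"

# extract_warnings: read nmap ssl-enum-ciphers output on stdin and print each
# warning as "<protocol>: <warning text>", one per line, without duplicates.
extract_warnings() {
    awk '
        {
            line = $0
            sub(/^[|]_? ?/, "", line)      # strip the NSE output margin "| " or "|_ "
            text = line
            sub(/^ +/, "", text)
            indent = length(line) - length(text)
        }
        # Remember which protocol block we are in ("TLSv1.0:", "SSLv3:", ...).
        indent == 2 && text ~ /^(SSL|TLS)v[0-9.]+: *$/ {
            proto = text
            sub(/: *$/, "", proto)
        }
        # Lines indented deeper than "warnings:" are the individual warnings.
        inwarn && indent > windent { print proto ": " text; next }
        { inwarn = 0 }
        text ~ /^warnings: *$/ { inwarn = 1; windent = indent }
    ' | sort -u
}

# check_host HOST: scan each port, print the warnings found, return 1 if any.
check_host() {
    host="$1"
    status=0
    for port in $TLS_PORTS; do
        out=$(nmap -v -p "$port" --script ssl-enum-ciphers "$host" 2>&1) || true
        found=$(printf '%s\n' "$out" | extract_warnings)
        if [ -n "$found" ]; then
            printf '%s:%s has cipher warnings:\n%s\n' "$host" "$port" "$found"
            status=1
        else
            printf '%s:%s ok (no warnings)\n' "$host" "$port"
        fi
    done
    return $status
}

# Constructed sample in the nmap 7.80 output format (not a real scan result),
# used to demonstrate the parser without network access.
SAMPLE_NMAP_OUTPUT='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|     compressors:
|       NULL
|     cipher preference: server
|_  least strength: C'

printf 'Warnings parsed from the constructed sample:\n'
printf '%s\n' "$SAMPLE_NMAP_OUTPUT" | extract_warnings

# With a host argument, run the real scan: sh check_ciphers.sh hostname
if [ $# -gt 0 ]; then
    check_host "$1"
fi
```

The parser keys on indentation rather than on fixed strings, so it also picks up warnings nmap attaches to other protocol blocks (for example a weak DH group on TLSv1.2), which is what makes the "no Warnings:" rule above checkable from a cron job or CI step.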
7. Show the SSL certificate
{{{
openssl s_client -connect hostname:443 -showcerts
openssl s_client -connect hostname:25 -showcerts
openssl s_client -connect hostname:465 -showcerts
openssl s_client -connect hostname:993 -showcerts
openssl s_client -connect hostname:995 -showcerts
}}}
8. Show the SSL certificate (specifying the TLS version)
{{{
openssl s_client -connect hostname:443 -crlf -ssl3
openssl s_client -connect hostname:443 -crlf -tls1
openssl s_client -connect hostname:443 -crlf -tls1_1
openssl s_client -connect hostname:443 -crlf -tls1_2
openssl s_client -connect hostname:443 -crlf -tls1_3
}}}
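As an added example (not part of the original page), the script below turns the per-version s_client commands of section 8 into a single probe: it tries each version flag in turn, decides from the SSL-Session block whether a handshake completed, and flags any legacy version (SSLv3, TLSv1, TLSv1.1) the server still accepts, which is the policy the Dovecot ssl_protocols line above enforces. It also adds the -starttls option that ports 25, 587, 110 and 143 need, since a bare connect on a STARTTLS port never reaches the TLS handshake. It assumes OpenSSL 1.1.1 or later (for -tls1_3); the host name is a placeholder argument, and the embedded s_client output fragments are constructed, not real captures.

```shell
#!/bin/sh
# Added example (not from the original page): probe which protocol versions a
# server negotiates, using the s_client version flags from section 8, and flag
# any legacy version that is still accepted. Assumes OpenSSL 1.1.1 or later.

# s_client flag -> name OpenSSL prints on the "Protocol  :" line of SSL-Session.
VERSION_FLAGS="-ssl3:SSLv3 -tls1:TLSv1 -tls1_1:TLSv1.1 -tls1_2:TLSv1.2 -tls1_3:TLSv1.3"
LEGACY_VERSIONS="SSLv3 TLSv1 TLSv1.1"

# negotiated_protocol: print the version from the "Protocol  :" line of
# s_client output read on stdin (printed even when the handshake failed).
negotiated_protocol() {
    sed -n 's/^ *Protocol *: *\([A-Za-z0-9.]*\).*/\1/p' | head -n 1
}

# negotiated_cipher: print the cipher from the "Cipher    :" line, or nothing
# when no handshake completed (s_client then prints "Cipher    : 0000").
negotiated_cipher() {
    sed -n 's/^ *Cipher *: *\([A-Za-z0-9_-]*\).*/\1/p' | grep -v '^0000$' | head -n 1
}

# is_legacy VERSION: succeed if VERSION should be disabled on the server.
is_legacy() {
    for v in $LEGACY_VERSIONS; do
        [ "$1" = "$v" ] && return 0
    done
    return 1
}

# starttls_arg PORT: the -starttls option needed on STARTTLS ports; the page's
# plain "-connect hostname:25" only works against an implicit-TLS listener.
starttls_arg() {
    case "$1" in
        25|587) echo "-starttls smtp" ;;
        110)    echo "-starttls pop3" ;;
        143)    echo "-starttls imap" ;;
        *)      echo "" ;;
    esac
}

# probe_versions HOST PORT: try each version flag, print one verdict per line,
# return 1 if any legacy version was accepted.
probe_versions() {
    host="$1"; port="$2"; status=0
    for entry in $VERSION_FLAGS; do
        flag="${entry%%:*}"; name="${entry#*:}"
        # $(starttls_arg) is deliberately unquoted so "-starttls smtp" splits into two words.
        out=$(openssl s_client -connect "$host:$port" $(starttls_arg "$port") -crlf "$flag" </dev/null 2>&1) || true
        cipher=$(printf '%s\n' "$out" | negotiated_cipher)
        case "$out" in
            *nknown\ option*) verdict="not supported by this openssl build" ;;
            *) if [ -n "$cipher" ]; then
                   verdict="accepted ($cipher)"
                   if is_legacy "$name"; then verdict="accepted ($cipher) LEGACY, disable"; status=1; fi
               else
                   verdict="rejected"
               fi ;;
        esac
        printf '%s:%s %-8s %s\n' "$host" "$port" "$name" "$verdict"
    done
    return $status
}

# Constructed s_client output fragments (not real captures) to show the parsers.
SAMPLE_ACCEPTED='CONNECTED(00000003)
---
New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Verify return code: 0 (ok)'
SAMPLE_REJECTED='CONNECTED(00000003)
error:...:SSL routines:ssl3_read_bytes:tlsv1 alert protocol version:...
---
no peer certificate available
SSL-Session:
    Protocol  : TLSv1
    Cipher    : 0000'

printf 'sample accepted: proto=%s cipher=%s\n' \
    "$(printf '%s\n' "$SAMPLE_ACCEPTED" | negotiated_protocol)" \
    "$(printf '%s\n' "$SAMPLE_ACCEPTED" | negotiated_cipher)"
printf 'sample rejected: proto=%s cipher=%s\n' \
    "$(printf '%s\n' "$SAMPLE_REJECTED" | negotiated_protocol)" \
    "$(printf '%s\n' "$SAMPLE_REJECTED" | negotiated_cipher)"

# With arguments, probe a real server: sh probe_versions.sh hostname 443
if [ $# -ge 2 ]; then
    probe_versions "$1" "$2"
fi
```

Success is judged on the Cipher line rather than the Protocol line because s_client prints the requested protocol in SSL-Session even after a failed handshake; only a non-zero cipher means the server actually accepted that version. An OpenSSL built without SSLv3 rejects the -ssl3 flag outright, which the script reports separately so that "rejected" is never claimed for a version that was not tested.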