Revision 20 as of 2021-05-28 10:42:53
= SSL/TLS cipher Tips =
1. HTTPS server check site (https, cert, cipher)
https://www.ssllabs.com/ssltest/analyze.html
2. SMTP (STARTTLS) server check site
3. Postfix STARTTLS (smtp/smtpd) configuration guide
https://netlab1.net/long-term/POSIX-email-TLSv1.2.pdf
Sample cipher exclusion list in /etc/postfix/main.cf (smtp_tls_exclude_ciphers covers Postfix's outbound, client-side TLS; put the same list in smtpd_tls_exclude_ciphers so that the inbound smtpd side is restricted too):
smtp_tls_exclude_ciphers = NULL, aNULL, eNULL, RC4, DES, DES+MD5, EXPORT, LOW, EXP-EDH-RSA-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, 3DES, IDEA
(Reference) US federal agencies (.gov domains) have been required to use STARTTLS, SPF, DKIM and DMARC for email since October 2018.
Enhance Email and Web Security (DHS 16 Oct 2017)
All Federal Agencies Have Less Than 90 Days To Secure .Gov Email (July 16, 2018)
4. Dovecot configuration guide
https://wiki.dovecot.org/SSL/DovecotConfiguration
https://www.openssl.org/docs/manmaster/man1/ciphers.html
Configuration example in /etc/dovecot/conf.d/10-ssl.conf
ssl_cipher_list = ALL:!3DES:!RC4:!LOW:!SSLv2:!EXP:!aNULL:!IDEA
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
(On Dovecot 2.3 and later, ssl_protocols has been replaced by ssl_min_protocol; ssl_min_protocol = TLSv1.2 gives the same result as the line above.)
5. Mozilla SSL Configuration Generator
https://mozilla.github.io/server-side-tls/ssl-config-generator/
6. Check commands
Display the TLS protocols and ciphers offered, and check their security strength
nmap -v -p443 --script ssl-enum-ciphers hostname
nmap -v -p25 --script ssl-enum-ciphers hostname
nmap -v -p110 --script ssl-enum-ciphers hostname
nmap -v -p143 --script ssl-enum-ciphers hostname
nmap -v -p465 --script ssl-enum-ciphers hostname
nmap -v -p587 --script ssl-enum-ciphers hostname
nmap -v -p993 --script ssl-enum-ciphers hostname
nmap -v -p995 --script ssl-enum-ciphers hostname
etc.
Use a current nmap release (Nmap version 7.80-1 when this was written, https://nmap.org); older releases do not know the newer cipher suites and miss some warnings.
If the output above contains a warnings: block (example below)
warnings:
  64-bit block cipher 3DES vulnerable to SWEET32 attack
  Broken cipher RC4 is deprecated by RFC 7465
  Ciphersuite uses MD5 for message integrity
fix the server configuration until no warnings: block is reported.
7. Display the SSL certificate
openssl s_client -connect hostname:443 -showcerts
openssl s_client -connect hostname:25 -starttls smtp -showcerts
openssl s_client -connect hostname:465 -showcerts
openssl s_client -connect hostname:993 -showcerts
openssl s_client -connect hostname:995 -showcerts
(Port 25 starts in cleartext, so -starttls smtp is required to negotiate TLS there; the same applies to port 587. Ports 465, 993 and 995 use implicit TLS and need no -starttls option.)
8. Display the SSL certificate (with the TLS version specified)
openssl s_client -connect hostname:443 -crlf -ssl3
openssl s_client -connect hostname:443 -crlf -tls1
openssl s_client -connect hostname:443 -crlf -tls1_1
openssl s_client -connect hostname:443 -crlf -tls1_2
openssl s_client -connect hostname:443 -crlf -tls1_3
(Note) SSLv3 has already been retired; TLSv1 and TLSv1.1 have been retired since the first half of 2020. A handshake that succeeds with -ssl3, -tls1 or -tls1_1 means the server still accepts a retired version and its configuration should be fixed. OpenSSL builds since 1.1.0 omit SSLv3 support by default, in which case -ssl3 is reported as an unknown option rather than as a failed handshake.
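The checks in sections 6 to 8 wrapped into a small POSIX shell script, as an added example that is not part of the original page: tls_args picks the -starttls option a port needs, probe_versions runs openssl s_client once per protocol version, show_certs dumps the certificate chain, and count_warnings counts the entries under warnings: in nmap ssl-enum-ciphers output. The nmap output embedded in SAMPLE_NMAP is constructed sample data, not a real scan, and mail.example.com is a placeholder host name.

```shell
#!/bin/sh
# Added example (not from the original page). Wraps the openssl/nmap checks
# of sections 6-8. Host names used here are placeholders.

# Port -> openssl s_client option. SMTP (25/587), POP3 (110) and IMAP (143)
# begin in cleartext and need -starttls; 443/465/993/995 are implicit TLS.
tls_args() {
  case "$1" in
    25|587) echo "-starttls smtp" ;;
    110)    echo "-starttls pop3" ;;
    143)    echo "-starttls imap" ;;
    *)      echo "" ;;
  esac
}

# Try one handshake per protocol version (section 8). openssl s_client exits
# non-zero when the handshake fails, so "rejected" is the desired result for
# ssl3, tls1 and tls1_1. A build without SSLv3 support rejects the -ssl3
# option itself, which also shows up here as "rejected".
probe_versions() {
  host=$1; port=$2; extra=$(tls_args "$port")
  for v in ssl3 tls1 tls1_1 tls1_2 tls1_3; do
    # $extra is left unquoted on purpose so "-starttls smtp" word-splits.
    if openssl s_client -connect "$host:$port" $extra -crlf "-$v" \
         </dev/null >/dev/null 2>&1; then
      echo "$port $v accepted"
    else
      echo "$port $v rejected"
    fi
  done
}

# Show the certificate chain with the right STARTTLS option (section 7).
show_certs() {
  openssl s_client -connect "$1:$2" $(tls_args "$2") -showcerts </dev/null
}

# Count the lines listed under "warnings:" in nmap ssl-enum-ciphers output
# read from stdin (section 6). A warnings block ends at the next line that is
# indented no deeper than the "warnings:" line itself.
count_warnings() {
  awk '
    { match($0, /^\|_? */); ind = RLENGTH }
    inw && ind > wind { n++; next }
    { inw = 0 }
    /^\|_? *warnings:/ { inw = 1; wind = ind }
    END { print n + 0 }
  '
}

# Run ssl-enum-ciphers against each given port and report the warning count.
enum_ciphers() {
  host=$1; shift
  for p in "$@"; do
    n=$(nmap -Pn -p "$p" --script ssl-enum-ciphers "$host" | count_warnings)
    echo "port $p: $n warning(s)"
  done
}

# Constructed sample of nmap ssl-enum-ciphers output (not a real scan):
# an RC4/MD5 suite under TLSv1.0 plus a 3DES suite under TLSv1.2.
SAMPLE_NMAP='PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA (secp256r1) - C
|     compressors:
|       NULL
|     cipher preference: server
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|_  least strength: C'

# Offline demo: the sample above carries three warnings.
printf '%s\n' "$SAMPLE_NMAP" | count_warnings
# Live usage (needs network access to the target):
#   enum_ciphers mail.example.com 25 465 587 993 995
#   probe_versions mail.example.com 25
#   show_certs mail.example.com 993
```

The goal state from section 6 is a count of 0 on every port; running enum_ciphers before and after a main.cf or 10-ssl.conf change gives a quick regression check without reading the whole nmap report.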