#format wiki
#language en

= SSL/TLS cipher Tips =

1. HTTPS server check sites (https, cert, cipher)

https://www.ssllabs.com/ssltest/analyze.html

https://ssl-tools.net

2. SMTP (STARTTLS) server check sites

https://ssl-tools.net/

http://www.checktls.com/

3. Postfix STARTTLS (smtp/smtpd) configuration guide

https://netlab1.net/long-term/POSIX-email-TLSv1.2.pdf

Sample cipher exclusion list in /etc/postfix/main.cf (a Postfix value may continue over several lines as long as the continuation lines start with whitespace; comments must be on their own line). The same list can be given to smtpd_tls_exclude_ciphers for the inbound (server) side:

{{{
# Exclude anonymous, null, export, weak and 64-bit-block ciphers from outbound TLS.
# (The original page listed ECDHE-RSA-DES-CBC4-SHA, which is not an OpenSSL
# cipher name; the 3DES suite is ECDHE-RSA-DES-CBC3-SHA.)
smtp_tls_exclude_ciphers = NULL, aNULL, eNULL, RC4, DES, DES+MD5, EXPORT, LOW,
    EXP-EDH-RSA-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5,
    ECDHE-RSA-DES-CBC3-SHA, EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, 3DES, IDEA
}}}

(Reference) US federal agencies (.gov domains) have been required to use STARTTLS, SPF, DKIM and DMARC for email since October 2018.

[[https://cyber.dhs.gov/assets/report/bod-18-01.pdf|Enhance Email and Web Security (DHS 16 Oct 2017)]]

[[https://www.globalcyberalliance.org/all-federal-agencies-have-less-than-90-days-to-secure-gov-email/|All Federal Agencies Have Less Than 90 Days To Secure .Gov Email (July 16, 2018)]]

4. Dovecot configuration guide

https://wiki.dovecot.org/SSL/DovecotConfiguration

https://www.openssl.org/docs/manmaster/man1/ciphers.html

Example settings in /etc/dovecot/conf.d/10-ssl.conf:

{{{
# OpenSSL cipher list syntax: start from ALL and strip weak or broken suites.
ssl_cipher_list = ALL:!3DES:!RC4:!LOW:!SSLv2:!EXP:!aNULL:!IDEA
# Disable everything below TLS 1.2.
# (Dovecot 2.3 and later replace ssl_protocols with ssl_min_protocol = TLSv1.2)
ssl_protocols = !SSLv2 !SSLv3 !TLSv1 !TLSv1.1
}}}

5. Mozilla SSL Configuration Generator

https://mozilla.github.io/server-side-tls/ssl-config-generator/

6. Check commands: list the TLS protocol versions and ciphers a server offers and grade their security strength

{{{
nmap -v -p443 --script ssl-enum-ciphers hostname
nmap -v -p25 --script ssl-enum-ciphers hostname
nmap -v -p110 --script ssl-enum-ciphers hostname
nmap -v -p143 --script ssl-enum-ciphers hostname
nmap -v -p465 --script ssl-enum-ciphers hostname
nmap -v -p587 --script ssl-enum-ciphers hostname
nmap -v -p993 --script ssl-enum-ciphers hostname
nmap -v -p995 --script ssl-enum-ciphers hostname
}}}

etc.

Use the latest nmap, Nmap version 7.80-1 ( https://nmap.org ).

If the results above contain a warnings: section (example below):

{{{
warnings:
| 64-bit block cipher 3DES vulnerable to SWEET32 attack
| Broken cipher RC4 is deprecated by RFC 7465
| Ciphersuite uses MD5 for message integrity
}}}

fix the server configuration until no warnings: section appears.

7. Display the SSL certificate

{{{
openssl s_client -connect hostname:443 -showcerts
openssl s_client -connect hostname:25 -showcerts
openssl s_client -connect hostname:465 -showcerts
openssl s_client -connect hostname:993 -showcerts
openssl s_client -connect hostname:995 -showcerts
}}}

8. Display the SSL certificate (with a specific TLS version)

{{{
openssl s_client -connect hostname:443 -crlf -ssl3
openssl s_client -connect hostname:443 -crlf -tls1
openssl s_client -connect hostname:443 -crlf -tls1_1
openssl s_client -connect hostname:443 -crlf -tls1_2
openssl s_client -connect hostname:443 -crlf -tls1_3
}}}

(Note) SSLv3 is already out of use. TLSv1 and TLSv1.1 are being retired from the first half of 2020.

[[https://ssl.sakura.ad.jp/column/tls-invalidation/|TLS 1.0/1.1 deactivation has finally been decided! What is the impact, and how to check and respond?]]

[[https://www.itmedia.co.jp/enterprise/articles/1810/16/news077.html|Four major web browser vendors to disable TLS 1.0 and 1.1 in 2020]]
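Item 6 asks you to re-run the nmap scans across all mail and web ports until no warnings: section remains. The script below is an added example (not from the original page or from nmap): it parses nmap's normal output for the ssl-enum-ciphers script and prints each warning with the port and protocol version it belongs to, so a cron job or CI step can gate on it. The scan text is a constructed sample, not a real scan, so the script runs offline; feed it real output with `nmap -p25,443 --script ssl-enum-ciphers hostname | tls_check`.

```shell
#!/bin/sh
# Parse `nmap --script ssl-enum-ciphers` normal output and list every
# "warnings:" entry together with the port and protocol version it belongs to.
# Constructed sample scan output (not a real scan) so this runs offline.
SAMPLE_SCAN=$(cat <<'EOF'
PORT    STATE SERVICE
25/tcp  open  smtp
| ssl-enum-ciphers:
|   TLSv1.2:
|     ciphers:
|       TLS_RSA_WITH_RC4_128_MD5 (rsa 2048) - C
|     warnings:
|       Broken cipher RC4 is deprecated by RFC 7465
|       Ciphersuite uses MD5 for message integrity
|_  least strength: C
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0:
|     ciphers:
|       TLS_RSA_WITH_3DES_EDE_CBC_SHA (rsa 2048) - C
|     warnings:
|       64-bit block cipher 3DES vulnerable to SWEET32 attack
|   TLSv1.2:
|     ciphers:
|       TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 (secp256r1) - A
|_  least strength: C
EOF
)

# Reads nmap output on stdin; prints "<port> <proto>: <warning>" per warning.
tls_warnings() {
  awk '
    /^[0-9]+\/tcp/        { port = $1; sect = "" }       # new port block
    /^[|]   [A-Z]/        { proto = $2; sub(/:$/, "", proto); sect = "" }
    /^[|]     warnings:/  { sect = "warnings"; next }    # warnings list starts
    /^[|]     [a-z]/      { sect = "" }                  # any other sub-section
    sect == "warnings" && /^[|]       / {
      msg = $0; sub(/^[|] +/, "", msg); print port " " proto ": " msg
    }
  '
}

# Gate for a hardening check: succeeds only when the scan has no warnings.
tls_check() { [ -z "$(tls_warnings)" ]; }

printf '%s\n' "$SAMPLE_SCAN" | tls_warnings
```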