#2644: Disable TLS 1.0 on osgeo3, osgeo4, osgeo6, osgeo7
---------------------------+---------------------------------------
Reporter: robe | Owner: sac@…
Type: task | Status: new
Priority: normal | Milestone: Sysadmin Contract 2021-II
Component: Systems Admin | Keywords:
---------------------------+---------------------------------------
Per the Nessus report, TLS 1.0 is still enabled on osgeo4, osgeo6, and osgeo7.
I thought I had disabled these a couple of months ago but guess not.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2644>
OSGeo <https://osgeo.org/>
OSGeo committee and general foundation issue tracker.
Comment (by robe):
Okay, I had turned it off in /etc/nginx/nginx.conf.
The issue was that letsencrypt was overriding the setting in nginx.conf, so I had to
turn it off here too: nano /etc/letsencrypt/options-ssl-nginx.conf
{{{
#ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;
}}}
After that change I reran:
{{{
systemctl restart nginx
}}}
and then testing with nmap again
{{{
nmap --script ssl-enum-ciphers -p 443 osgeo4.osgeo.osuosl.org
}}}
Shows no more TLSv1. Though it doesn't show the TLSv1.3 I added either,
but oh well.
I've only done this for osgeo4. I'll repeat for osgeo6, osgeo3, and osgeo7.
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2644#comment:1>
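A way to find the kind of override described in the comment above, as an added example that is not part of the original ticket: it lists every active `ssl_protocols` line that still enables TLSv1, wherever it sits in the config tree. The function names and the sample files are constructed for illustration; it covers nginx syntax only, not the Postfix settings.

```shell
#!/bin/sh
# Added example (not from the ticket): locate nginx ssl_protocols directives
# that still enable TLS 1.0, including ones in files pulled in by "include".

# find_tls10 PATH... prints "file:line:directive" for each active directive
# that lists a bare TLSv1 token. Returns 0 if any were found, 1 if none.
find_tls10() {
    # The line must start with ssl_protocols (so "#ssl_protocols" is skipped),
    # and TLSv1 must be followed by whitespace or ';' so that TLSv1.1,
    # TLSv1.2 and TLSv1.3 do not count as a match.
    grep -rnHE \
      '^[[:space:]]*ssl_protocols[[:space:]]([^;#]*[[:space:]])?TLSv1([[:space:]]|;)' \
      "$@"
}

# make_sample_tree builds a constructed tree mirroring the ticket's situation:
# nginx.conf already fixed, the letsencrypt options file still enabling TLSv1.
# Prints the path of the temporary directory.
make_sample_tree() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/nginx" "$d/letsencrypt"
    printf 'http {\n    ssl_protocols TLSv1.1 TLSv1.2 TLSv1.3;\n}\n' \
        > "$d/nginx/nginx.conf"
    printf '#ssl_protocols TLSv1 TLSv1.1;\nssl_protocols TLSv1 TLSv1.1 TLSv1.2;\n' \
        > "$d/letsencrypt/options-ssl-nginx.conf"
    echo "$d"
}

# Demo on the constructed tree. On a real host the arguments would be the
# directories named in the ticket, e.g.: find_tls10 /etc/nginx /etc/letsencrypt
sample=$(make_sample_tree)
if find_tls10 "$sample"; then
    echo "TLSv1 is still enabled in the file(s) listed above"
else
    echo "no active ssl_protocols directive enables TLSv1"
fi
rm -rf "$sample"
```

Run it before restarting nginx; a clean result here still needs the nmap check from the ticket to confirm what the server actually negotiates.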
Comment (by robe):
Done for osgeo3, and confirmed with
{{{
nmap --script ssl-enum-ciphers -p 443 geos.osgeo.org
}}}
Done for osgeo7, and confirmed with
{{{
nmap --script ssl-enum-ciphers -p 443 trac.osgeo.org
nmap --script ssl-enum-ciphers -p 443 secure.osgeo.osuosl.org
}}}
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2644#comment:2>
Changes (by robe):
* status: new => closed
* resolution: => fixed
Comment:
On osgeo6 the HTTPS port doesn't allow TLSv1 but the SMTP ports do, so I had to
change /etc/postfix/main.cf and add these lines:
{{{
smtpd_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_mandatory_protocols = !SSLv2,!SSLv3,!TLSv1
smtpd_tls_protocols = !SSLv2,!SSLv3,!TLSv1
smtp_tls_protocols = !SSLv2,!SSLv3,!TLSv1
}}}
confirmed with
{{{
nmap --script ssl-enum-ciphers -p 587 osgeo6.osgeo.osuosl.org
nmap --script ssl-enum-ciphers -p 25 osgeo6.osgeo.osuosl.org
nmap --script ssl-enum-ciphers -p 465 osgeo6.osgeo.osuosl.org  # didn't come back with ciphers, just said it was up so don't know
}}}
--
Ticket URL: <https://trac.osgeo.org/osgeo/ticket/2644#comment:3>