10-ssl.conf
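# this is a dovecot config snippet, include me into /etc/dovecot/local.conf
# (then `doveadm reload` or restart dovecot -- editing alone changes nothing)
#
# SSL protocols to use: POODLE mitigation, disable SSLv2 and SSLv3 and keep
# everything newer enabled. This is the Dovecot 2.x (pre-2.3) syntax;
# Dovecot 2.3 dropped ssl_protocols in favour of
#   ssl_min_protocol = TLSv1
ssl_protocols = !SSLv2 !SSLv3
#
# for checking that service (run by hand -- a bare command line in this file
# is a Dovecot config parse error). The SSLv3-only handshake below must FAIL
# ("handshake failure", no "* OK" IMAP greeting); if IMAP greets you, the
# setting is not in effect. An OpenSSL built without SSLv3 rejects the -ssl3
# option itself; in that case use
#   nmap --script ssl-enum-ciphers -p 993 <hostname> | grep SSLv
# which must print nothing (993 = imaps; check STARTTLS on 143 as well).
#   openssl s_client -connect <hostname>:143 -starttls imap -ssl3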
fix_apache2.sh
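#!/bin/sh
# Disable SSLv2/SSLv3 in Apache (POODLE mitigation) when Apache is the
# program listening on TCP 443, then restart Apache.
#
# Caveats:
#  - SSLProtocol set inside a <VirtualHost> overrides this server-level
#    value, so such vhosts are NOT fixed by this file. Check with
#      grep -r SSLProtocol /etc/apache2/sites-enabled
#  - /etc/apache2/conf.d/ is the Apache 2.2 layout; Apache 2.4 uses
#    conf-available/ plus a2enconf instead.
set -u

conf=/etc/apache2/conf.d/x_disable_SSLv3.conf

# netstat -p only reports program names for sockets you own; as non-root the
# column reads "-" and the script would silently do nothing.
if [ "$(id -u)" -ne 0 ]; then
  echo "must run as root (netstat -p needs it, and so does writing $conf)" >&2
  exit 1
fi

# Program names of LISTEN sockets on local port 443, de-duplicated. An IPv4
# plus an IPv6 listener (or several vhost IPs) yields several netstat lines;
# comparing that multi-line string with "apache2" never matched, so the
# original silently skipped the fix. Matching local address + LISTEN state
# also avoids picking up outbound connections *to* port 443.
owners=$(netstat -tapn 2>/dev/null \
  | awk '$6 == "LISTEN" && $4 ~ /:443$/ { sub(/^[0-9]*\//, "", $7); print $7 }' \
  | sort -u)

# "=" not "==": this runs under /bin/sh, and dash's [ rejects "==".
if [ "$owners" = "apache2" ]; then
  if [ ! -f "$conf" ]; then
    cat <<'EOF' > "$conf"
<IfModule mod_ssl.c>
SSLProtocol all -SSLv2 -SSLv3
</IfModule>
EOF
    # Never restart on a config that does not parse: a failed restart takes
    # the site down, which is worse than a few more minutes of SSLv3.
    if apache2ctl configtest >/dev/null 2>&1; then
      /etc/init.d/apache2 restart
    else
      echo "apache2 configtest failed after writing $conf; not restarting" >&2
      exit 1
    fi
  fi
else
  echo "port 443 is served by '${owners:-nothing}', not apache2; nothing done" >&2
fi
exit 0

# for checking that service (run by hand; expect no POODLE "VULNERABLE" line):
#   testssl.sh --poodle <vHost> | grep POODLE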
haproxy.conf
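# this is a haproxy config snippet, include me into /etc/haproxy/haproxy.conf
# (needs HAProxy 1.5+ built with OpenSSL; validate with
#  `haproxy -c -f /etc/haproxy/haproxy.conf`, then reload haproxy)
#
# POODLE mitigation: `no-sslv3` on the bind line turns SSLv3 off for that one
# listener only. Every `bind ... ssl` line needs it -- or, to cover all of
# them at once, set this in the `global` section instead:
#   ssl-default-bind-options no-sslv3
bind :443 ssl crt <crt> ciphers <ciphers> no-sslv3
#
# for checking that service (run by hand -- a bare command in this file is a
# haproxy parse error); expect no POODLE "VULNERABLE" line:
#   testssl.sh --poodle <vHost> | grep POODLE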
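# this is a courier-imapd config, include me into /etc/courier/imapd-ssl
# (restart courier-imap-ssl afterwards)
#
# ensure that all SSL* variants are removed (POODLE mitigation). Courier has
# no "disable SSLv3" switch; TLS_PROTOCOL selects the protocol instead, and
# what a value means depends on the TLS library courier was built against --
# with OpenSSL, TLS1 may pin the server to TLS 1.0 only rather than "TLS 1.0
# or newer", so confirm TLSv1.1/TLSv1.2 are still offered after the change
# (see `man couriertls` for the values your build accepts).
# The same variable exists in pop3d-ssl; change it there too if POP3 is used.
TLS_PROTOCOL=TLS1
#
# for checking that service (run by hand -- this file is read as shell by
# courier's startup scripts, so a bare command line here would likely be
# executed at service start). Expect no output; grep exiting 1 is the good
# case:
#   nmap --script ssl-enum-ciphers -p 993 <hostname> | grep SSLv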
main.cf
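# this is a postfix config snippet, include me into /etc/postfix/main.cf
# (then `postfix reload`; confirm with `postconf -n | grep tls_protocols`)
#
# POODLE mitigation: exclude SSLv2 and SSLv3 on both the SMTP client (smtp_*)
# and the SMTP server (smtpd_*) side, for opportunistic and mandatory TLS.
# The exclusion form "!SSLv2,!SSLv3" keeps every newer protocol enabled as
# the OpenSSL build gains them; an explicit list like "TLSv1,TLSv1.1" would
# not. All four parameters are known to Postfix of roughly 2.6 and newer; an
# older Postfix just warns about unused parameters and stays vulnerable.
#
# Client-side trade-off: with `smtp_tls_security_level = may`, a remote MTA
# that only speaks SSLv3 can no longer negotiate TLS with us, and opportunistic
# delivery is then expected to fall back to cleartext rather than fail --
# acceptable against POODLE, but be aware of it.
smtp_tls_protocols=!SSLv2,!SSLv3
smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
smtpd_tls_protocols=!SSLv2,!SSLv3
smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
#
# for checking that service (run by hand -- a bare command in main.cf is a
# syntax error postconf complains about). The SSLv3-only handshake must FAIL;
# repeat for 587 (and 465) if submission is enabled -- services in master.cf
# inherit these settings unless they override them with -o:
#   openssl s_client -connect <hostname>:25 -starttls smtp -ssl3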
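# this is a nginx config snippet, put me into /etc/nginx/conf.d
# (only picked up if nginx.conf has `include /etc/nginx/conf.d/*.conf;`
# inside its http { } block; then `nginx -t && nginx -s reload`)
#
# Session cache/timeout: unrelated to POODLE, just sane settings for TLS
# session resumption shared across worker processes.
ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;
# POODLE mitigation: list TLS versions only, no SSLv3. This is an http-level
# default; an `ssl_protocols` directive inside any server { } block overrides
# it for that server, so check with
#   grep -r ssl_protocols /etc/nginx/sites-enabled /etc/nginx/conf.d
# TLSv1.1/TLSv1.2 require nginx linked against OpenSSL 1.0.1 or newer.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#
# for checking that service (run by hand -- a bare command in an nginx .conf
# is an "unknown directive" error); expect no POODLE "VULNERABLE" line:
#   testssl.sh --poodle <vHost> | grep POODLE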