waja 已修改 11 years ago. 還原成這個修訂版本
1 file changed, 6 insertions, 3 deletions
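--- a/fix_apache2.sh
+++ b/fix_apache2.sh
@@ -1,11 +1,14 @@
 #!/bin/sh
-if [ $(netstat -tapn | grep :443 | awk {'print $7'} | sed "s#^[0-9]*/##") = "apache2" ]; then if [ ! -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then
-cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf
+if [ $(netstat -tapn | grep :443 | awk {'print $7'} | sed "s#^[0-9]*/##") = "apache2" ]; then
+if [ ! -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then
+cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf
 <IfModule mod_ssl.c>
 SSLProtocol all -SSLv2 -SSLv3
 </IfModule>
 EOF
-/etc/init.d/apache2 restart; fi; fi
+/etc/init.d/apache2 restart
+fi
+fi
 exit 0
 # for checking that service
 testssl.sh --poodle <vHost> | grep POODLE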
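Review bot: The command substitution inside the `[ … = "apache2" ]` test on new line 2 is unquoted, so when nothing is listening on :443 the test collapses to `[ = apache2 ]` and `sh` aborts with a syntax error, and when netstat reports more than one matching socket the expansion splits into several words and fails the same way. `netstat -tapn` also lists established connections, so an outbound connection to a remote :443 (or a local 8443 listener) matches `grep :443` and can yield a foreign process name. Quoting the result and restricting the match to listening sockets on that exact port fixes both: `if [ "$(netstat -tlnp | awk '$4 ~ /:443$/ {print $7}' | sed 's#^[0-9]*/##' | sort -u)" = "apache2" ]; then`. The same test line appears unchanged in the two earlier revisions of this file further down the page. Independently, as far as I recall an `SSLProtocol` directive inside a `<VirtualHost>` overrides this server-level snippet, so the `testssl.sh` check is worth running per vhost rather than once.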
waja 已修改 11 years ago. 還原成這個修訂版本
1 file changed, 2 insertions
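--- a/fix_apache2.sh
+++ b/fix_apache2.sh
@@ -1,3 +1,4 @@
+#!/bin/sh
 if [ $(netstat -tapn | grep :443 | awk {'print $7'} | sed "s#^[0-9]*/##") = "apache2" ]; then if [ ! -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then
 cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf
 <IfModule mod_ssl.c>
@@ -5,5 +6,6 @@ SSLProtocol all -SSLv2 -SSLv3
 </IfModule>
 EOF
 /etc/init.d/apache2 restart; fi; fi
+exit 0
 # for checking that service
 testssl.sh --poodle <vHost> | grep POODLE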
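Review bot: The `exit 0` added on new line 9 discards the exit status of the `/etc/init.d/apache2 restart` on line 8, so a restart that fails (for example because the appended snippet does not parse) still reports success to whatever invokes this script. It also guarantees the `testssl.sh` line after it never executes, which reads like a workaround for that line being live code rather than a comment. A bare `exit` propagates the status of the `if` block, which is the restart's status whenever the branch ran, and commenting out the check line removes the need for the early exit altogether.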
waja 已修改 11 years ago. 還原成這個修訂版本
1 file changed, 2 insertions, 1 deletion
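--- a/fix_apache2.sh
+++ b/fix_apache2.sh
@@ -1,8 +1,9 @@
+if [ $(netstat -tapn | grep :443 | awk {'print $7'} | sed "s#^[0-9]*/##") = "apache2" ]; then if [ ! -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then
 cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf
 <IfModule mod_ssl.c>
 SSLProtocol all -SSLv2 -SSLv3
 </IfModule>
 EOF
-/etc/init.d/apache2 restart
+/etc/init.d/apache2 restart; fi; fi
 # for checking that service
 testssl.sh --poodle <vHost> | grep POODLE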
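Review bot: The `/etc/init.d/apache2 restart; fi; fi` on new line 7 restarts the service immediately after appending a snippet that has not been validated, so if the resulting configuration does not load Apache goes down and stays down until someone intervenes. Running `apache2ctl configtest && /etc/init.d/apache2 restart` (or `apache2ctl graceful`, which keeps serving while workers pick up the change) limits the blast radius of a bad write. Collapsing both `if` bodies onto single lines with `; fi; fi` also makes the nesting hard to follow.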
waja 已修改 11 years ago. 還原成這個修訂版本
1 file changed, 5 insertions
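--- a/imapd-ssl
+++ b/imapd-ssl
@@ -0,0 +1,5 @@
+# this is a courier-imapd config, include me into /etc/courier/imapd-ssl
+# ensure that all SSL* variants are removed
+TLS_PROTOCOL=TLS1
+# for checking that service
+nmap --script ssl-enum-ciphers -p 993 <hostname> | grep SSLv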
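Review bot: New line 5, `nmap --script ssl-enum-ciphers -p 993 <hostname> | grep SSLv`, is not a comment, so once this file is merged into /etc/courier/imapd-ssl the parser sees a line that is not `KEY=VALUE`; depending on how courier reads the file that is, as far as I can tell, either ignored or a load error, and either way it is not the reminder the preceding comment announces. Prefixing it with `# ` keeps the check command as documentation. The same pattern is added in the next commit to 10-ssl.conf, haproxy.conf, main.cf and ssl.conf, where a bare `openssl s_client …` or `testssl.sh …` line would, as far as I can tell, be rejected by dovecot, haproxy and nginx when the configuration is loaded and at least warned about by postfix.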
waja 已修改 11 years ago. 還原成這個修訂版本
5 files changed, 16 insertions, 5 deletions
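--- a/10-ssl.conf
+++ b/10-ssl.conf
@@ -1,2 +1,5 @@
+# this is a dovecot config snippet, inclide me into /etc/dovecot/local.conf
 # SSL protocols to use
-ssl_protocols = !SSLv2 !SSLv3
+ssl_protocols = !SSLv2 !SSLv3
+# for checking that service
+openssl s_client -connect <hostname>:143 -starttls imap -ssl3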
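--- a/fix_apache2.sh
+++ b/fix_apache2.sh
@@ -3,4 +3,6 @@ cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf
 SSLProtocol all -SSLv2 -SSLv3
 </IfModule>
 EOF
-/etc/init.d/apache2 restart
+/etc/init.d/apache2 restart
+# for checking that service
+testssl.sh --poodle <vHost> | grep POODLE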
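Review bot: The `testssl.sh --poodle <vHost> | grep POODLE` added on new line 8 is live code in a `sh` script, not a comment: `<vHost>` is parsed as an input redirection from a file named `vHost` followed by an output redirection whose target is `|`, which is a syntax error, so every run of the script ends with an error right after the restart on line 6. It would also require `testssl.sh` to be installed on the server being fixed. Making it a comment, `# testssl.sh --poodle <vHost> | grep POODLE`, keeps it as the intended reminder. Line 6 is shown as removed and re-added with identical text, presumably a whitespace or trailing-newline fix.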
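--- a/haproxy.conf
+++ b/haproxy.conf
@@ -1,2 +1,4 @@
 # this is a haproxy config snippet, include me into /etc/haproxy/haproxy.conf
-bind :443 ssl crt <crt> ciphers <ciphers> no-sslv3
+bind :443 ssl crt <crt> ciphers <ciphers> no-sslv3
+# for checking that service
+testssl.sh --poodle <vHost> | grep POODLE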
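--- a/main.cf
+++ b/main.cf
@@ -2,4 +2,6 @@
 smtp_tls_protocols=!SSLv2,!SSLv3
 smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
 smtpd_tls_protocols=!SSLv2,!SSLv3
-smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
+smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3
+# for checking that service
+openssl s_client -connect <hostname>:25 -starttls smtp -ssl3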
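--- a/ssl.conf
+++ b/ssl.conf
@@ -1,4 +1,6 @@
 # this is a nginx config snippet, put me into /etc/nginx/conf.d
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;
-ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+# for checking that service
+testssl.sh --poodle <vHost> | grep POODLE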
waja 已修改 11 years ago. 還原成這個修訂版本
3 files changed, 3 insertions
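--- a/haproxy.conf
+++ b/haproxy.conf
@@ -1 +1,2 @@
+# this is a haproxy config snippet, include me into /etc/haproxy/haproxy.conf
 bind :443 ssl crt <crt> ciphers <ciphers> no-sslv3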
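--- a/main.cf
+++ b/main.cf
@@ -1,3 +1,4 @@
+# this is a postfix config snippet, include me into /etc/postfix/main.cf
 smtp_tls_protocols=!SSLv2,!SSLv3
 smtp_tls_mandatory_protocols=!SSLv2,!SSLv3
 smtpd_tls_protocols=!SSLv2,!SSLv3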
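--- a/ssl.conf
+++ b/ssl.conf
@@ -1,3 +1,4 @@
+# this is a nginx config snippet, put me into /etc/nginx/conf.d
 ssl_session_cache shared:SSL:10m;
 ssl_session_timeout 10m;
 ssl_protocols TLSv1 TLSv1.1 TLSv1.2;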
waja 已修改 11 years ago. 還原成這個修訂版本
沒有任何變更
waja 已修改 11 years ago. 還原成這個修訂版本
1 file changed, 1 insertion
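--- a/haproxy.conf
+++ b/haproxy.conf
@@ -0,0 +1 @@
+bind :443 ssl crt <crt> ciphers <ciphers> no-sslv3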
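Review bot: `no-sslv3` on new line 1 protects only this one `bind` line; any other `bind … ssl` in the same haproxy.conf keeps SSLv3 enabled unless it repeats the option, which is easy to miss when this snippet is pasted next to existing listeners. As far as I recall, haproxy 1.5 and later accept `ssl-default-bind-options no-sslv3` in the `global` section, which applies the restriction to every TLS listener at once. A comment on this line such as `# per-bind only; use ssl-default-bind-options no-sslv3 in global to cover all listeners` would make that limit explicit.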
waja 已修改 11 years ago. 還原成這個修訂版本
1 file changed, 3 insertions
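--- a/ssl.conf
+++ b/ssl.conf
@@ -0,0 +1,3 @@
+ssl_session_cache shared:SSL:10m;
+ssl_session_timeout 10m;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;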
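Review bot: The `ssl_protocols` on new line 3 is an http-level default when this file sits in conf.d; as far as I recall nginx lets a `server` block set its own `ssl_protocols`, which replaces rather than merges with this line, so a vhost that already lists SSLv3 keeps it after the snippet is installed. That is worth stating next to the directive, e.g. `# default only: any ssl_protocols inside a server {} block overrides this`, so the per-vhost check added in a later revision is understood as required rather than optional.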
waja 已修改 11 years ago. 還原成這個修訂版本
1 file changed, 2 insertions
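--- a/10-ssl.conf
+++ b/10-ssl.conf
@@ -0,0 +1,2 @@
+# SSL protocols to use
+ssl_protocols = !SSLv2 !SSLv3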