waja / gist:fd5fe6b55a294d0a9d1ce54a3a5d26a0

# this is a dovecot config snippet, inclide me into /etc/dovecot/local.conf # SSL protocols to use ssl_protocols = !SSLv2 !SSLv3 # for checking that service openssl s_client -connect <hostname>:143 -starttls imap -ssl3

#!/bin/sh #if [ "$(netstat -tapn | grep 'apache2' | awk {'print $7'} | sed 's#^[0-9]*/##' | tail -1 )" = "apache2" ]; then if [ "$(netstat -tapn | grep 'apache2' | awk {'print $7'} | sed 's#^[0-9]*/##' | tail -1 )" = "apache2" ]; then if ! [ -f /etc/apache2/conf.d/x_disable_SSLv3.conf ]; then cat <<EOF >> /etc/apache2/conf.d/x_disable_SSLv3.conf <IfModule mod_ssl.c> SSLProtocol all -SSLv2 -SSLv3 </IfModule> EOF /etc/init.d/apache2 restart fi fi exit 0 # for checking that service testssl.sh --poodle <vHost> | grep POODLE

#!/bin/sh if [ "$(netstat -tapn | grep 'apache2' | awk {'print $7'} | sed 's#^[0-9]*/##' | tail -1 )" = "apache2" ]; then if ! [ -f /etc/apache2/conf.d/x_strong_cipherlist.conf ]; then cat <<EOF >> /etc/apache2/conf.d/x_strong_cipherlist.conf <IfModule mod_ssl.c> SSLCipherSuite AES256+EECDH:AES256+EDH SSLProtocol All -SSLv2 -SSLv3 SSLHonorCipherOrder On <IfVersion >= 2.4> SSLCompression off # Requires Apache >= 2.4 SSLUseStapling on # Requires Apache >= 2.4 SSLStaplingCache "shmcb:logs/stapling-cache(150000)" # Requires >= Apache 2.4 </IfVersion> </IfModule> <IfModule mod_headers.c> Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains" Header always set X-Frame-Options DENY Header always set X-Content-Type-Options nosniff </IfModule> EOF /etc/init.d/apache2 restart fi fi exit 0 # for checking that service testssl.sh --poodle <vHost> | grep POODLE

# this is a haproxy config snippet, include me into /etc/haproxy/haproxy.conf bind :443 ssl crt <crt> ciphers <ciphers> no-sslv3 # for checking that service testssl.sh --poodle <vHost> | grep POODLE

# this is a courier-imapd config, include me into /etc/courier/imapd-ssl # ensure that all SSL* variants are removed TLS_PROTOCOL=TLS1 # for checking that service nmap --script ssl-enum-ciphers -p 993 <hostname> | grep SSLv

# this is a postfix config snippet, include me into /etc/postfix/main.cf smtp_tls_protocols=!SSLv2,!SSLv3 smtp_tls_mandatory_protocols=!SSLv2,!SSLv3 smtpd_tls_protocols=!SSLv2,!SSLv3 smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3 # for checking that service openssl s_client -connect <hostname>:25 -starttls smtp -ssl3

# this is a nginx config snippet, put me into /etc/nginx/conf.d ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # for checking that service testssl.sh --poodle <vHost> | grep POODLE

# this is a nginx config snippet, put me into /etc/nginx/conf.d ssl_ciphers "AES256+EECDH:AES256+EDH"; ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_prefer_server_ciphers on; ssl_session_cache shared:SSL:10m; ssl_session_timeout 10m; add_header Strict-Transport-Security "max-age=63072000; includeSubDomains"; add_header X-Frame-Options DENY; add_header X-Content-Type-Options nosniff; ssl_stapling on; # Requires nginx >= 1.3.7 ssl_stapling_verify on; # Requires nginx => 1.3.7 resolver $DNS-IP-1 $DNS-IP-2 valid=300s; resolver_timeout 5s; # for checking that service testssl.sh --poodle <vHost> | grep POODLE