The :guilabel:`TLS policy` page controls how individual services configure the Transport Layer Security (TLS) protocol, by selecting a policy identifier.
If not otherwise stated, the TLS settings of policies are always cumulative: newer policies extend older ones.
Each module implementation decides how to implement a specific policy identifier, providing a trade off between security and client compatibility. Newer policies are biased towards security, whilst older ones provide better compatibility with old clients.
The following sections describe each policy identifier.
This policy disables the TLS protocol versions 1.0 and 1.1. It applies to the following services:
- Apache (httpd, httpd-admin)
- Ejabberd
- Cockpit
- Slapd (openldap-servers)
- Postfix
- Dovecot
Reference: https://access.redhat.com/articles/1462183
This policy restricts the TLS settings of the default Ejabberd configuration. It applies only to Ejabberd version 18 and greater.
- Ejabberd (XMPP)
Disabled SSLv3 and TLSv1.0
Cipher server priority
ECC certificate
Ciphers suite
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
This policy extends 2018-03-30
by adding the support for ECC certificates to
- Apache
- Dovecot
- Postfix
- Slapd (openldap-servers)
Disabled SSLv3 and TLSv1.0
Cipher suite
ECDHE:EDH:CAMELLIA:ECDH:RSA:ECDSA:!eNULL:!SSLv2:!RC4:!DES:!EXP:!SEED:!IDEA:!3DES:!ADH
The goal of this policy is to harden the cipher set provided by the default upstream policy. It is not compatible with IE 8 XP and Java 6u45 and 7u25 clients. It does not support ECC certificates.
- Apache
Cipher suite
EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
Disabled SSLv2 and SSLv3
Ignore
httpd/SSLCipherSuite
property settings (see :ref:`tlspolicy-default`)
- Dovecot
Cipher suite
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
Disabled SSLv2 and SSLv3
- Postfix
Use TLS in outbound connections, if remote server supports it
Disable SSLv2 and SSLv3 on submission ports
Cipher suite
EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:kEDH:CAMELLIA128-SHA:AES128-SHA
Exclude ciphers
aNULL:eNULL:LOW:3DES:MD5:EXP:PSK:DSS:RC4:SEED:IDEA:ECDSA
The goal of this policy is retaining upstream settings. This is the original goal since |product| 7.
This policy allows to customize httpd
(Apache) with a given cipher list, by
issuing the following commands:
config setprop httpd SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH signal-event nethserver-httpd-update