Tag Archives: tls

Security check for postfix (STARTTLS connection)

$ openssl s_client -tls1_2 -cipher ECDHE-RSA-AES128-GCM-SHA256 -starttls smtp -verify 3 -verify_return_error -debug -CApath /etc/ssl/certs -connect

"-tls1_2" forces the TLSv1.2 protocol. Make sure protocol and cipher list match.

"-verify 3" enables server certificate verification and sets the maximum depth of the certificate chain. In this case there are 3 certificates in the chain, including the root CA. Make sure the public root CA certificate is in the "-CApath" directory. "-verify_return_error" makes openssl abort the connection unless certificate verification succeeds.

The "-cipher" option specifies the list of ciphers offered to the server. The server then decides which of these ciphers to use. As we offer only one cipher, we force the postfix server to use exactly this one. If the server does not support this cipher, openssl will exit with an error.

If everything goes well, you will see a long output from the server (including the protocol and cipher you forced with your openssl command line options) and a line like "Verify return code: 0 (ok)". Quit the connection to the postfix server by typing "quit" and pressing return.
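The same check as an added example (not from the original post), wrapped into a script that returns pass/fail instead of requiring you to read the transcript by eye. It assumes the target is given as HOST:PORT, that the CA directory is /etc/ssl/certs as above, and that only the protocol and cipher from the command above are acceptable; the sample transcripts at the bottom are constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the original post: turns the openssl s_client
# STARTTLS check into a pass/fail probe. Assumed: HOST:PORT argument,
# /etc/ssl/certs as CA directory, one acceptable protocol and cipher.
EXPECTED_PROTOCOL="TLSv1.2"
EXPECTED_CIPHER="ECDHE-RSA-AES128-GCM-SHA256"

# run_check HOST:PORT -> raw s_client transcript. "quit" is fed on stdin so
# the SMTP session ends on its own; stderr is merged because cipher and
# verification errors are reported there.
run_check() {
    printf 'quit\r\n' | openssl s_client -tls1_2 -cipher "$EXPECTED_CIPHER" \
        -starttls smtp -verify 3 -verify_return_error \
        -CApath /etc/ssl/certs -connect "$1" 2>&1
}

# evaluate_output TRANSCRIPT -> 0 only if the chain verified and the session
# really negotiated the forced protocol and cipher. With -verify_return_error
# a failed chain never reaches "Verify return code: 0".
evaluate_output() {
    transcript=$1
    printf '%s\n' "$transcript" | grep -q 'Verify return code: 0 (ok)' \
        || { echo "FAIL: certificate chain did not verify"; return 1; }
    printf '%s\n' "$transcript" \
        | grep -Eq "^[[:space:]]*Protocol[[:space:]]*:[[:space:]]*$EXPECTED_PROTOCOL\$" \
        || { echo "FAIL: protocol is not $EXPECTED_PROTOCOL"; return 1; }
    printf '%s\n' "$transcript" \
        | grep -Eq "^[[:space:]]*Cipher[[:space:]]*:[[:space:]]*$EXPECTED_CIPHER\$" \
        || { echo "FAIL: cipher is not $EXPECTED_CIPHER"; return 1; }
    echo "PASS: $EXPECTED_PROTOCOL / $EXPECTED_CIPHER, chain verified"
}

# Constructed transcript excerpts for offline testing (not real server output).
SAMPLE_OK="New, TLSv1.2, Cipher is ECDHE-RSA-AES128-GCM-SHA256
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 0 (ok)
250 DSN"
SAMPLE_BAD_CIPHER="SSL routines::sslv3 alert handshake failure (constructed)"
SAMPLE_BAD_CHAIN="verify error:num=20:unable to get local issuer certificate
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Verify return code: 20 (unable to get local issuer certificate)"

# Live use, with your own mail server: evaluate_output "$(run_check HOST:PORT)"
```

A server that rejects the single offered cipher produces no SSL-Session block at all, so the probe fails on the missing "Verify return code: 0 (ok)" line rather than on a misleading protocol or cipher mismatch.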


Security check for Apache 2.4 webserver (TLS)

You can use nmap to show what kind of ciphers your webserver is supporting.

List all supported protocols and ciphers of a webserver:
$ nmap --script=ssl-enum-ciphers -Pn -p 443 www.local.example

Set the following configuration options in your Apache server config:

SSLEngine on
SSLOptions +StrictRequire
SSLHonorCipherOrder on
SSLProtocol all -SSLv3

SSLRandomSeed startup builtin
SSLRandomSeed startup file:/dev/urandom 1024
SSLRandomSeed connect builtin
SSLRandomSeed connect file:/dev/urandom 1024

SSLSessionCache "shmcb:/..."   # requires mod_socache_shmcb
SSLSessionTickets off

SSLStrictSNIVHostCheck on

To get a list of all protocols and ciphers that your webserver supports you can use nmap:
$ nmap --script=ssl-enum-ciphers -Pn -p 443 mailserver.local.example