Some words of caution to begin with: Know what you’re doing, if you’re planing to implement HPKP. If you don’t do it right, or “if bad things happen”, which aren’t under your control, you might render your domain unusable. Be sure to test your setup with a domain which isn’t that important, or with a … Read more
Disabling TLS is a system-wide registry setting: https://technet.microsoft.com/en-us/library/dn786418.aspx#BKMK_SchannelTR_TLS10 Key: HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server Value: Enabled Value type: REG_DWORD Value Data: 0 Also, the PCI requirement for disabling early TLS does not go into effect until June 30, 2016. Internet Explorer is one product I know of that has a separate configuration option for the TLS/SSL encryption … Read more
That’s easy, In /etc/postfix/main.cf you will add/change smtpd_tls_security_level=may so that by default TLS is available (but optional). Then, in your /etc/postfix/master.cf you will override it for port 587 (the submission port) by overriding the parameter: submission inet n – n – – smtpd -o smtpd_tls_security_level=encrypt This requires TLS for all submission (port 587) connections. As … Read more
I was following the same guide and had the same issue. It will work if you do the steps to “Tighten up ownership and permissions” listed after the offending ldapmodify command first–namely: sudo adduser openldap ssl-cert sudo chgrp ssl-cert /etc/ssl/private sudo chgrp ssl-cert /etc/ssl/private/ldap01_slapd_key.pem sudo chmod g+X /etc/ssl/private sudo chmod g+r /etc/ssl/private/ldap01_slapd_key.pem and sudo systemctl … Read more
TLS and SSL are closely related technologies. First, email and Opportunistic TLS. ESMTP has the option of performing the actual data transfer portion of the conversation over an encrypted link. This is part of the protocol and has been called TLS for most of its existence. It works roughly like this: -> EHLO foreignmailer.example.com <- … Read more
Add to your main.cf: # TLS Server smtpd_tls_exclude_ciphers = RC4, aNULL # TLS Client smtp_tls_exclude_ciphers = RC4, aNULL
Intrigued by this bug (and yes, I’ve been able to reproduce it) I’ve taken a look at the source code for the latest stable version of mod_ssl and found an explanation. Bear with me, this is gonna get amateur-stack-overflowish: When the SSLProtocol has been parsed, it results in a char looking something like this: 0 … Read more
RHEL does not in fact provide anything that can be used as a ‘certificate directory’ for CA trust purposes. For OpenSSL, a certificate directory – a ‘CApath’ – is a directory containing individual certificate files (in PEM format or OpenSSL’s extended ‘trusted certificate’ format), with names in a specific format based on a hash of … Read more
On March 4, 2013, Red Hat provided updated OpenSSL packages which address this issue. You can receive them through your normal update channels. The original answer was: Red Hat has not provided an updated package which provides this functionality, though there is a workaround available. Edit the /etc/sysconfig/httpd file and add this line to it: … Read more
Do you also have SSL 2.0 enabled? According to http://support.microsoft.com/en-us/kb/2851628 “SSL 2.0 and TLS 1.2 are not compatible with each other in Windows 7 and later operating systems. To use client-side certificates to establish an HTTPS connection over TLS 1.2, you must disable SSL 2.0”.