KiekerJan
1f35158211
use predefined DHE field groups
2021-08-01 23:09:59 +02:00
KiekerJan
87be897d36
update DH security to 4096
2021-08-01 21:52:37 +02:00
Joshua Tauberer
d510c8ae2a
Enable and recommend port 465 for mail submission instead of port 587 (fixes #1849)
Port 465 with "implicit" (i.e. always-on) TLS is a more secure approach than port 587 with explicit (i.e. optional and only on with STARTTLS). Although we reject credentials on port 587 without STARTTLS, by that point credentials have already been sent.
2021-05-15 16:42:14 -04:00
Michael Kroes
a52c56e571
only set the CN field when generating initial CSR to prevent issues with the php7 ppa version of openssl (#1223)
OpenSSL 1.1.0f now validates the other subject fields and rejects the empty string (for the country?) because it isn't two characters.
2017-07-30 08:11:39 -04:00
Joshua Tauberer
d53332b7cf
drop the CSR_COUNTRY setting and ask within the control panel
2015-12-26 11:48:23 -05:00
Joshua Tauberer
c422543fdd
make the system SSL certificate a symlink so we never have to replace a certificate file, and flatten the directory structure of user-installed certificates
2015-11-29 02:02:01 +00:00
Joshua Tauberer
bbf78716fd
during setup suppress the status line about generating an SSL certificate if we already have it
2015-11-19 07:00:33 -05:00
Joshua Tauberer
b9820641aa
when generating the initial self-signed cert, don't keep the CSR - it has no use after this step
2015-11-19 07:00:33 -05:00
Joshua Tauberer
e8264e9b6a
ensure /dev/urandom is seeded with a blocking call to /dev/random and using Ubuntu's pollinate servers
2015-11-19 07:00:33 -05:00
Joshua Tauberer
4f2b223070
add comments about how openssl generates random numbers for genrsa and what could create a perfect storm to make the key not random
see #596
2015-11-19 07:00:32 -05:00
Joshua Tauberer
73fbcd7fa3
silence all of the installing/already installed package messages on installation
Querying dpkg for each package is slow, and we have way too much output on installation because of it.
2015-08-19 15:58:35 -04:00
pierreozoux
f6d4621834
Typo
2015-01-29 17:03:20 +00:00
Joshua Tauberer
5fd107cae5
more work on making the bash scripts readable
2014-10-04 17:57:26 -04:00
Joshua Tauberer
39bca053ed
add 2048 bits of DH params for nginx, postfix, dovecot
nginx/postfix use a new pre-generated dh2048.pem file. dovecot generates the bits on its own.
ssllabs.com reports that TLS_DHE ciphers went from 1024 to 2048 bits as expected. The ECDHE ciphers remain at 256 bits --- no idea what that really means. (This tests nginx only. I haven't tested postfix/dovecot.)
see https://discourse.mailinabox.email/t/fips-ready-for-ssl-dhec-key-exchange/76/3
2014-09-26 22:09:22 +00:00
Joshua Tauberer
9d40a12f44
first pass at making readable documentation by parsing the bash scripts
2014-09-21 13:43:31 -04:00
Joshua Tauberer
6e3b04ce83
when generating SSL CSRs, using SHA256 as SHA1 is being phased out, per @konklone
2014-08-23 17:49:33 -04:00
Joshua Tauberer
b30d7ad80a
web-based administrative UI
closes #19
2014-08-17 22:46:06 +00:00
Joshua Tauberer
6619239280
the SSL private key would be overwritten if ssl_certificate.pem file was deleted; maybe the cause of #98
2014-07-28 15:38:23 -04:00
Joshua Tauberer
023cd12e1a
hide lots of unnecessary and scary output during setup
2014-07-16 09:36:56 -04:00
h8h
9b887d2e63
Use $STORAGE_ROOT
Better to use $STORAGE_ROOT instead of hardcoded /home/user-data/
2014-07-16 15:33:40 +02:00
Joshua Tauberer
fed5959288
s/PUBLIC_HOSTNAME/PRIMARY_HOSTNAME/ throughout
2014-06-30 09:15:36 -04:00
Joshua Tauberer
67d31ed998
move the SSL setup into its own bash script since it is used for much more than email now
2014-06-21 22:16:46 +00:00