Sympl / Commits
Commit 4a9db2bf authored Dec 27, 2019 by Paul Cammish
PCI Compliance (stretch)
parent 5e5f9671
Changes: 8 files
CHANGELOG @ 4a9db2bf
CHANGELOG
---------
2019-12-27
sympl-mail
* Improves default PCI Compliance by disabling TLS 1.0
sympl-ftp
* Improves default PCI Compliance by disabling TLS 1.0
2019-12-16
sympl-core
* Add sympl user to relevant groups on each install.
...
...
ftp/debian/changelog @ 4a9db2bf
sympl-ftp (9.0.191227.0) stable; urgency=medium
* Disabled dangerous TLSv1.0 cyphers
* Note: The version of pure-ftpd which ships with Debian 9 cannot be made PCI Compliant
* Users affected by this should remove or firewall FTP, or upgrade.
-- Paul Cammish <sympl@kelduum.net> Fri, 27 Dec 2019 17:27:01 +0000
sympl-ftp (9.0.190624.0) stable; urgency=medium
* Adjusted configuration to allow www-data
...
...
ftp/debian/postinst @ 4a9db2bf
...
...
@@ -62,22 +62,9 @@ if [ -e /etc/ssl/private/pure-ftpd.pem ] ; then
#
echo
'2'
>
/etc/pure-ftpd/conf/TLS
#
# Set the TLS cipher suites
#
cs
=
"/etc/pure-ftpd/conf/TLSCipherSuite"
if
[
-f
"
$cs
"
]
&&
\
(
echo
"9939bfb21f5be996e89b8a9e43bab6ba
$cs
"
|
md5sum
-c
>
/dev/null 2>&1
||
\
echo
"debef44fdd534db09718bd42c34d83af
$cs
"
|
md5sum
-c
>
/dev/null 2>&1
)
;
then
# OK this is the Debian ciphers, or previously updated ones.
echo
"I: Updating pure-ftpd cipher suite"
#
# If this list changes, remember to change the md5 in the prerm too.
#
echo
'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'
>
$cs
fi
# Set the TLS cipher suite
echo
'HIGH:!TLSv1'
>
/etc/pure-ftpd/conf/TLSCipherSuite
fi
#DEBHELPER#
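Review bot: the hunk header (22 lines becoming 9) and the surviving tail show that the md5sum guard around $cs is gone, so the remaining `echo 'HIGH:!TLSv1' > /etc/pure-ftpd/conf/TLSCipherSuite` now runs unconditionally on every package configure and overwrites whatever an administrator has put in that file; the removed guard ("OK this is the Debian ciphers, or previously updated ones.") existed precisely so that only the Debian default or a list this package had written earlier would be touched. Consider keeping the md5sum check, or a marker comment in the file, so a locally customised cipher suite survives upgrades. Also note that `!TLSv1` in an OpenSSL cipher string removes cipher suites by their minimum-version tag; it does not set a minimum protocol, so a TLS 1.0 client can still negotiate any remaining suite that is valid under TLS 1.0. That matches the debian/changelog caveat that this pure-ftpd build cannot be made PCI compliant, but the top-level CHANGELOG entry "disabling TLS 1.0" for sympl-ftp overstates what this line does. Checking the resulting list with `openssl ciphers -v 'HIGH:!TLSv1'` before release would show exactly which suites are dropped.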
...
...
ftp/debian/postrm @ 4a9db2bf
...
...
@@ -9,6 +9,7 @@ if [ "$1" = "purge" ] ; then
if
[
-L
/etc/ssl/private/pure-ftpd.pem
]
;
then
rm
/etc/ssl/private/pure-ftpd.pem
rm
-f
/etc/pure-ftpd/conf/TLS
echo
":HIGH"
>
/etc/pure-ftpd/conf/TLSCipherSuite
fi
#
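Review bot: the added `echo ":HIGH" > /etc/pure-ftpd/conf/TLSCipherSuite` creates a file during purge, where the line above it removes the package's own artefact with `rm -f /etc/pure-ftpd/conf/TLS`; a purge hook should remove what sympl-ftp wrote or leave the pure-ftpd conffile alone, not generate new content. If the intent is to restore pure-ftpd's stock value, confirm that ":HIGH" really is the Debian default (the md5sum the postinst used to compare against would tell) rather than a value this package invented, and the leading colon looks unintended given that the postinst writes 'HIGH:!TLSv1'.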
...
...
mail/debian/changelog @ 4a9db2bf
sympl-mail (9.0.191227.0) stable; urgency=medium
* Improved PCI compliance by disabling TLSv1.0
-- Paul Cammish <sympl@kelduum.net> Fri, 27 Dec 2019 17:31:17 +0000
sympl-mail (9.0.191004.0) stable; urgency=medium
* Fixes permissions issue with configs
...
...
mail/dovecot/sympl.d/10-main/51-ssl-cipher-list @ 4a9db2bf
...
...
@@ -6,7 +6,7 @@ ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDH
#
# Ban ancient protocols too.
#
ssl_protocols = !SSLv3
ssl_protocols = !SSLv3
!TLSv1
#
# Prefer our ciphers
...
...
mail/exim4/sympl.d/00-main/50-tls-options @ 4a9db2bf
...
...
@@ -52,8 +52,9 @@ tls_on_connect_ports = 465
# removed unless the connecting port is 25, so ancient remote mail servers
# don't break too badly.
#
tls_require_ciphers = %SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:%COMPAT:PFS:NORMAL:-VERS-SSL3.0:-MD5:-CURVE-SECP192R1:-CURVE-SECP224R1:\
-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM\
tls_require_ciphers = %SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:%COMPAT:SECURE128:SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-MD5:\
-CURVE-SECP192R1:-CURVE-SECP224R1:-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:\
-CAMELLIA-128-GCM:-CAMELLIA-256-GCM\
${if !eq{$received_port}{25}{:-ARCFOUR-128}}
#
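Review bot: two points on the new tls_require_ciphers value. First, `PFS` has been dropped from the priority string (`PFS:NORMAL` became `SECURE128:SECURE192`), so the string no longer expresses a forward-secrecy requirement; if that is deliberate it deserves a sentence in the comment block above, and since `SECURE192` is a subset of `SECURE128` in GnuTLS, listing both is redundant. Second, `-VERS-TLS1.0` applies on port 25 as well, whereas the comment only describes the `:-ARCFOUR-128` exception as what port 25 is spared; with opportunistic STARTTLS, a legacy peer that only speaks TLS 1.0 will now fall back to cleartext on port 25 rather than fail, which is a tradeoff worth recording next to the existing "so ancient remote mail servers don't break too badly" note. TLS 1.1 remains enabled, as there is no `-VERS-TLS1.1`.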
...
...
mail/sympl/test.d/tc_exim4_live.rb @ 4a9db2bf
...
...
@@ -23,6 +23,7 @@ class TestEximLive < Test::Unit::TestCase
@mailbox_crypt
.
password
=
@mailbox_crypt_password
@ssl_ctx
=
OpenSSL
::
SSL
::
SSLContext
.
new
(
"TLSv1_client"
)
@ssl_ctx
.
ssl_version
=
:TLSv1_2
@ssl_ctx
.
verify_mode
=
OpenSSL
::
SSL
::
VERIFY_NONE
end
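Review bot: `OpenSSL::SSL::SSLContext.new("TLSv1_client")` builds a context pinned to TLS 1.0 and the added line then overrides that with `@ssl_ctx.ssl_version = :TLSv1_2`; the constructor argument is now misleading, so either pass `:TLSv1_2_client` there or drop the argument and keep the `ssl_version=` assignment. More importantly, the test now only proves that a TLS 1.2 handshake still succeeds, while the changelog claims TLS 1.0 has been disabled; a second assertion that a `:TLSv1_client` context is refused by Exim would actually exercise the change. On newer ruby-openssl `ssl_version=` is deprecated in favour of `min_version=`/`max_version=`, but the Ruby 2.3 in stretch predates those, so the call is fine for this target.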
...
...