PCI Compliance (stretch)

4a9db2bf · Paul Cammish · 5e5f9671 · 4a9db2bf · 4a9db2bf · 4a9db2bf
Commit 4a9db2bf authored Dec 27, 2019 by Paul Cammish
--- a/CHANGELOG
+++ b/CHANGELOG
 CHANGELOG
 ---------

+2019-12-27
+  sympl-mail
+    * Improves default PCI Compliance by disabling TLS 1.0
+  sympl-ftp
+    * Improves default PCI Compliance by disabling TLS 1.0
+
 2019-12-16
  sympl-core
    * Add sympl user to relevant groups on each install.

--- a/ftp/debian/changelog
+++ b/ftp/debian/changelog
+sympl-ftp (9.0.191227.0) stable; urgency=medium
+
+  * Disabled dangerous TLSv1.0 cyphers
+    * Note: The version of pure-ftpd which ships with Debian 9 cannot be made PCI Compliant
+    * Users affected by this should remove or firewall FTP, or upgrade.
+
+ -- Paul Cammish <sympl@kelduum.net>  Fri, 27 Dec 2019 17:27:01 +0000
+
 sympl-ftp (9.0.190624.0) stable; urgency=medium

  * Adjusted configuration to allow www-data

--- a/ftp/debian/postinst
+++ b/ftp/debian/postinst
@@ -62,22 +62,9 @@ if [ -e /etc/ssl/private/pure-ftpd.pem ] ; then
  #
  echo '2' > /etc/pure-ftpd/conf/TLS

-  #
-  # Set the TLS cipher suites
-  #
-  cs="/etc/pure-ftpd/conf/TLSCipherSuite"
-  if [ -f "$cs" ] && \
-    ( echo "9939bfb21f5be996e89b8a9e43bab6ba  $cs" | md5sum -c > /dev/null 2>&1 || \
-      echo "debef44fdd534db09718bd42c34d83af  $cs" | md5sum -c > /dev/null 2>&1 ) ; then
-
-    # OK this is the Debian ciphers, or previously updated ones.
-    echo "I: Updating pure-ftpd cipher suite"
-
-    #
-    # If this list changes, remember to change the md5 in the prerm too.
-    #
-    echo 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS' > $cs
-  fi
+  # Set the TLS cipher suite
+  echo 'HIGH:!TLSv1' > /etc/pure-ftpd/conf/TLSCipherSuite
+
 fi

 #DEBHELPER#

--- a/ftp/debian/postrm
+++ b/ftp/debian/postrm
@@ -9,6 +9,7 @@ if [ "$1" = "purge" ] ; then
  if [ -L /etc/ssl/private/pure-ftpd.pem ]; then
    rm /etc/ssl/private/pure-ftpd.pem
    rm -f /etc/pure-ftpd/conf/TLS
+    echo ":HIGH" > /etc/pure-ftpd/conf/TLSCipherSuite
  fi

  #

--- a/mail/debian/changelog
+++ b/mail/debian/changelog
+sympl-mail (9.0.191227.0) stable; urgency=medium
+
+  * Improved PCI compliance by disabling TLSv1.0
+
+ -- Paul Cammish <sympl@kelduum.net>  Fri, 27 Dec 2019 17:31:17 +0000
+
 sympl-mail (9.0.191004.0) stable; urgency=medium

  * Fixes permissions issue with configs

--- a/mail/dovecot/sympl.d/10-main/51-ssl-cipher-list
+++ b/mail/dovecot/sympl.d/10-main/51-ssl-cipher-list
@@ -6,7 +6,7 @@ ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDH
 #
 # Ban ancient protocols too.
 #
-ssl_protocols = !SSLv3
+ssl_protocols = !SSLv3 !TLSv1

 #
 # Prefer our ciphers

--- a/mail/exim4/sympl.d/00-main/50-tls-options
+++ b/mail/exim4/sympl.d/00-main/50-tls-options
@@ -52,8 +52,9 @@ tls_on_connect_ports = 465
 # removed unless the connecting port is 25, so ancient remote mail servers
 # don't break too badly.
 #
-tls_require_ciphers  = %SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:%COMPAT:PFS:NORMAL:-VERS-SSL3.0:-MD5:-CURVE-SECP192R1:-CURVE-SECP224R1:\
-                       -CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:-CAMELLIA-128-GCM:-CAMELLIA-256-GCM\
+tls_require_ciphers  = %SERVER_PRECEDENCE:%LATEST_RECORD_VERSION:%COMPAT:SECURE128:SECURE192:-VERS-SSL3.0:-VERS-TLS1.0:-MD5:\
+                       -CURVE-SECP192R1:-CURVE-SECP224R1:-CAMELLIA-256-CBC:-CAMELLIA-192-CBC:-CAMELLIA-128-CBC:\
+                       -CAMELLIA-128-GCM:-CAMELLIA-256-GCM\
                       ${if !eq{$received_port}{25}{:-ARCFOUR-128}}

 #

--- a/mail/sympl/test.d/tc_exim4_live.rb
+++ b/mail/sympl/test.d/tc_exim4_live.rb
@@ -23,6 +23,7 @@ class TestEximLive < Test::Unit::TestCase
    @mailbox_crypt.password = @mailbox_crypt_password

    @ssl_ctx = OpenSSL::SSL::SSLContext.new("TLSv1_client")
+    @ssl_ctx.ssl_version = :TLSv1_2
    @ssl_ctx.verify_mode = OpenSSL::SSL::VERIFY_NONE
  end