arodier
commented
4 years ago Thanks for this, it seems to add better security. I was not aware of the RFC, I am still reading the documentation.
Closed fredericmoulins closed 4 years ago
arodier
commented
4 years ago Thanks for this, it seems to add better security. I was not aware of the RFC, I am still reading the documentation.
Address the base part of #253.
Configure Mozilla's Intermediate TLS profile for postfix, dovecot, nginx and ejabberd servers.
Use standard Diffie-Hellman parameters from RFC7919. Remove the possibility to configure DH parameters size less than 2048.
Adapt the isync IMAP client configuration for TLS.
Factor the TLS parameters (ciphers, TLS versions, OCSP stapling, server preferred order) in a
security.tlsobject in the default configuration.The parameter for the DH parameters size could be moved to the
security.tlsobject, but it might be nice to have a task linked to theload_defaultsrole to warn (fail) when someone is not using the new way of configuring it. Kept for later.The Mozilla's Intermediate profile recommends
server_preferred_order: false. It is what is configured here. This is open for discussion.Not tested on buster yet.
More details in each commit description.