
Drop support TLS1.1 from dovecot (#2538)

* Drop support TLS1.1 from dovecot

EOL since 2020 anyway and should not be used anymore
#2012

* Fix syntax error
Jaap Marcus 3 jaren geleden
bovenliggende
commit
83a18e0ee5

+ 1 - 2
install/deb/dovecot/conf.d/10-ssl.conf

@@ -1,6 +1,5 @@
 ssl = yes
-# See #2012 for TLSv1.1 to 1.2 upgrade
-ssl_min_protocol = TLSv1.1
+ssl_min_protocol = TLSv1.2
 ssl_prefer_server_ciphers = yes
 ssl_cipher_list = ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS
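Review bot: With `ssl_min_protocol` raised to TLSv1.2, the `ssl_cipher_list` line still offers 3DES (`ECDHE-ECDSA-DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, `DES-CBC3-SHA`) and static-RSA suites such as `AES128-SHA`, so a TLS 1.2 client can still negotiate a 64-bit block cipher (SWEET32) or a non-forward-secret key exchange. Since this list is an explicit allowlist, removing the four `*DES-CBC3-SHA` entries is enough to drop 3DES without affecting anything else; trimming the non-ECDHE/DHE suites as well would give forward secrecy across the board but may break older mail clients, so that is better done as a separate, announced change. A short comment on the ordering would also help future edits, e.g. `# ECDHE/DHE suites first for forward secrecy; non-PFS suites kept only for legacy clients`.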
 

+ 1 - 1
install/hst-install-debian.sh

@@ -1682,7 +1682,7 @@ if [ "$dovecot" = 'yes' ]; then
       echo "[ * ] Downgrade dovecot config to sync with 2.2 settings"	
       sed -i 's|#ssl_dh_parameters_length = 4096|ssl_dh_parameters_length = 4096|g' /etc/dovecot/conf.d/10-ssl.conf
       sed -i 's|ssl_dh = </etc/ssl/dhparam.pem|#ssl_dh = </etc/ssl/dhparam.pem|g' /etc/dovecot/conf.d/10-ssl.conf
-      sed -i 's|ssl_min_protocol = TLSv1.1|ssl_protocols = !SSLv3 !TLSv1|g' /etc/dovecot/conf.d/10-ssl.conf
+      sed -i 's|ssl_min_protocol = TLSv1.2|ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1|g' /etc/dovecot/conf.d/10-ssl.conf
     fi
     
     update-rc.d dovecot defaults
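Review bot: The new `sed -i` line for the 2.2 downgrade has no success check: sed exits 0 whether or not the pattern matched, so if `ssl_min_protocol = TLSv1.2` is not found verbatim the config keeps a setting the downgrade message implies Dovecot 2.2 does not accept, and the installer gives no hint. A guard right after it, `grep -q '^ssl_protocols = ' /etc/dovecot/conf.d/10-ssl.conf || echo "[ ! ] ssl_protocols not set in 10-ssl.conf, check TLS settings"`, would surface that. The dots in the pattern are unescaped and match any character; `TLSv1\.2` is the literal that is meant. The enclosing `if [ "$dovecot" = 'yes' ]` block starts outside the hunk.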

+ 1 - 1
install/hst-install-ubuntu.sh

@@ -1756,7 +1756,7 @@ if [ "$dovecot" = 'yes' ]; then
       echo "[ * ] Downgrade dovecot config to sync with 2.2 settings"	
       sed -i 's|#ssl_dh_parameters_length = 4096|ssl_dh_parameters_length = 4096|g' /etc/dovecot/conf.d/10-ssl.conf
       sed -i 's|ssl_dh = </etc/ssl/dhparam.pem|#ssl_dh = </etc/ssl/dhparam.pem|g' /etc/dovecot/conf.d/10-ssl.conf
-      sed -i 's|ssl_min_protocol = TLSv1.1|ssl_protocols = !SSLv3 !TLSv1|g' /etc/dovecot/conf.d/10-ssl.conf
+      sed -i 's|ssl_min_protocol = TLSv1.2|ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1|g' /etc/dovecot/conf.d/10-ssl.conf
     fi
     
     update-rc.d dovecot defaults
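Review bot: As in the Debian installer, the `sed -i` that rewrites `ssl_min_protocol = TLSv1.2` into `ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1` is not verified, and sed returns 0 on a non-match, so a config that does not contain that exact line silently keeps a setting the "Downgrade ... to sync with 2.2 settings" message implies 2.2 cannot parse. Adding `grep -q '^ssl_protocols = ' /etc/dovecot/conf.d/10-ssl.conf || echo "[ ! ] ssl_protocols not set in 10-ssl.conf, check TLS settings"` after the sed makes the failure visible. Escaping the dot (`TLSv1\.2`) keeps the match literal. The enclosing `if [ "$dovecot" = 'yes' ]` block starts outside the hunk.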

+ 7 - 0
install/upgrade/versions/1.6.0.sh

@@ -48,6 +48,13 @@ if [ "$MAIL_SYSTEM" = "exim4" ]; then
     fi
 fi
 
+if [ -f "/etc/dovecot/conf.d/10-ssl.conf" ]; then
+    sed -i 's|ssl_min_protocol = TLSv1.1|ssl_min_protocol = TLSv1.2|' /etc/dovecot/conf.d/10-ssl.conf
+    if ! grep -q "!TLSv1.1" /etc/dovecot/conf.d/10-ssl.conf; then
+        sed -i 's|ssl_protocols = !SSLv3 !TLSv1|ssl_protocols = !SSLv3 !TLSv1 !TLSv1.1|' /etc/dovecot/conf.d/10-ssl.conf
+    fi
+fi
+
 # Adding LE autorenew cronjob if there are none
 if [ -z "$(grep v-update-lets $HESTIA/data/users/admin/cron.conf)" ]; then
 	min=$(generate_password '012345' '2')
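Review bot: The new upgrade block edits 10-ssl.conf without logging or verifying the result: both `sed -i` calls exit 0 whether or not they matched, so an installation whose file differs slightly (extra spaces, a hand-edited `ssl_protocols`, a commented-out line) keeps TLS 1.1 enabled with nothing in the upgrade output. After the inner `fi`, `grep -Eq '^ssl_min_protocol = TLSv1\.[23]|^ssl_protocols = .*!TLSv1\.1' /etc/dovecot/conf.d/10-ssl.conf || echo "[ ! ] Could not disable TLSv1.1 in /etc/dovecot/conf.d/10-ssl.conf, please update it manually"` would report the miss, and the dots in the sed patterns should be escaped (`TLSv1\.1`) since a bare `.` matches any character. The `grep -q "!TLSv1.1"` guard would also be satisfied by a commented-out line, skipping the rewrite while the active `ssl_protocols` still allows TLS 1.1; anchoring it as `grep -q '^ssl_protocols = .*!TLSv1\.1'` avoids that. Whether Dovecot is reloaded after this edit is presumably handled elsewhere in the upgrade flow and is not visible here.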