On Fri, Oct 11, 2019 at 02:40:42PM -0600, Warren Young wrote:
On Oct 11, 2019, at 12:12 PM, Jerry Geis jerry.geis@gmail.com wrote:
is there a script that is available that can be ran to bring a box up to current "accepted" levels ?
Bear in mind, there are a number of moving parts here.
- Many different services, besides web servers, can be configured to employ SSL/TLS. LDAP databases, SMTP servers, etc.
- There are different SSL engines in play. Many services use OpenSSL at their core, but Java-based services have their own SSL engine. GnuTLS is another engine in play.
- Services linked to OpenSSL nominally aught to be able to be configured to clamp down as you see fit, but sometimes your service's wrapper of OpenSSL doesn't expose enough of the fine-grained details to accomplish as you want.
For example, I have a legacy Perl-based web service that used an old version of Net::SSLeay that hampered my ability to constrain SSL versions/ciphers.
- Java-based services have config details all over the place. There's a core set of config items for the JVM itself, but your servlet engine will have it's own config files for describing listeners, etc.
Besides things acting as SSL servers on a host, there are any number of things that may act as an SSL _client_. Those need to be considered as well, and there are many vagaries about the semantics within config files.