I was checking the SSL test score, which is correct (A) with a certificate from letsencrypt.
To increase it to (A+) I had to fix the cipher used.
As you know, this information is stored (hard coded) within the Flexshare.php file.
Here is the change requested, with a proposed and coded solution.
In order to be more flexible to SSL evolution I've changed Flexshare.php to use SSL option from a new file : /etc/clearos/flexshare-HTTPS-options.conf
If this file does not exist, the hard coded default SSL option is dumped to this file, which will look like this :
Allowing user (expert) to change it.
Then the content of this file is used to fulfill the virtual host information like this :
Please find the new Flexshare.php :
Please also note that I fixed some "issue" about web share path which is sometimes :
- self::SHARE_PATH . "/$name"
This value shouldn't be different unless the user edits /etc/clearos/flexshare.conf
However, because web supports shares outside of /var/flexshare/shares, I've aligned all on : $share['ShareDir']
All these changes are marked with :
Feel free to contact me for any question.
Please note that the best SSL options I've found and saved into /etc/clearos/flexshare-HTTPS-options.conf are :
Where I get A+ Score with :
- Certificate : 100%
- Protocol Support : 95%
- Key Exchange : 90%
- Cipher Strength : 90%
Nick is right. I've done this for most (quite all) of my flexshares and this is the unique way to make this work for all flexshare options, especially FTP.
If you need only samba you could just edit : /etc/clearos/flexshare.conf
News from letsencrypt.org : Wildcard Certificates Coming January 2018
Let’s Encrypt will begin issuing wildcard certificates in January of 2018.
helps you to check if script will expire (or not) within the next 24 hours. So do not ask for renew if not required.
The renew script should be scheduled weekly, I suggest, due to the short time of the cert.
For OpenVPN I do not think official certificates are required, because it is OpenVPN that checks the validity of the client certificate. And I don't think letsencrypt provides client certificates or a CA.
Servers only, validated by domain name: this excludes client certificates.
Can I use certificates from Let's Encrypt for code signing or email encryption?
No. Email encryption and code signing require a different type of certificate than Let's Encrypt will be issuing.
No other usage than servers.
For email, I guess it could be interesting; however, I don't think letsencrypt provides client certificates.
You also should edit /etc/letsencrypt/renewal/<domaine>.conf to raise :
to a little higher value like 15 days.
You're right about the flexshare.conf rebuild. But I've edited the file /etc/httpd/conf.d/ssl.conf (I did not provide this info in my previous post, which I have edited to add it),
which defines the whole SSL configuration for the default host, while flexshare defines virtual hosts for <flexshare>.<hostname>.
I've heard of Letsencrypt but I have not tried it yet.
Most access to my server is from known persons who have to install the root CA once, with a 25 years old CA and 10 years old server certificate...
Same issue in ClearOS 7.3 with Softerra LDAP Browser 4.5
error message : "Cannot contact LDAP Server"
LDAP is however listening
LDAP Browser configuration is correct : ldaps://10.0.0.142:636/dc=xxx........
Because I don't know how to activate LDAP logs, I do not have further information to provide.
I installed the Directory Server and tried to connect with Apache Directory Studio. I also get a connect refused. I made sure to use the correct Bind DN and password provided after the installation.
Has anyone else experienced this problem?
It’s very hard to distinguish a capital i (I) from a lowercase L (l), look at ou=Internal above it or try to read this IllI.
Not impossible but also hard is to copy/paste the password.
Can it be displayed in a “programming font”?
Or is there a way to get it (unhashed) at the command prompt?
The bug is in reading /etc/hosts: when several lines contain the same IP, only the last is kept, which leads to data loss.
/etc/hosts before using DNS Server Apps :
if I add :
using DNS Server App and get :
instead of :
I've lost : 10.0.0.1 hosttest1 ClearOS
I guess this is due to php arrays that do not check that IP entry already exists...
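The data loss described above, reproduced in a small added example (not ClearOS code and not part of the original post). It assumes, as the post guesses, that entries are stored in a PHP array keyed by IP, and sets a loader that merges names beside it; the function names and the `hosttest2` line are constructed for illustration.

```php
<?php
// Constructed sample: only the "hosttest1 ClearOS" line comes from the post.
$sample = <<<HOSTS
127.0.0.1 localhost localhost.localdomain
10.0.0.1 hosttest1 ClearOS
10.0.0.1 hosttest2
HOSTS;

// Split one hosts line into [ip, names]; null for blank, comment or invalid lines.
function parse_hosts_line(string $line): ?array
{
    $line = trim(preg_replace('/#.*$/', '', $line));
    $fields = preg_split('/\s+/', $line, -1, PREG_SPLIT_NO_EMPTY);
    $ip = array_shift($fields);
    if ($ip === null || filter_var($ip, FILTER_VALIDATE_IP) === false || $fields === []) {
        return null;
    }
    return [$ip, $fields];
}

// Assumed lossy pattern: keyed by IP, a later line overwrites an earlier one.
function load_keyed_by_ip(string $text): array
{
    $hosts = [];
    foreach (explode("\n", $text) as $line) {
        if (($entry = parse_hosts_line($line)) !== null) {
            $hosts[$entry[0]] = $entry[1];
        }
    }
    return $hosts;
}

// Lossless variant: merge names of a repeated IP, keeping first-seen order.
function load_merged(string $text): array
{
    $hosts = [];
    foreach (explode("\n", $text) as $line) {
        if (($entry = parse_hosts_line($line)) !== null) {
            [$ip, $names] = $entry;
            $hosts[$ip] = array_values(array_unique(array_merge($hosts[$ip] ?? [], $names)));
        }
    }
    return $hosts;
}

echo implode(' ', load_keyed_by_ip($sample)['10.0.0.1']), "\n"; // lossy loader
echo implode(' ', load_merged($sample)['10.0.0.1']), "\n";      // merging loader
```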
As far as I understood DNS Server app is based on dnsmasq.
When using DNS Server and adding DNS entries, the app just edits the /etc/hosts file to add the new entry :
but it does not support wildcards because /etc/hosts does not support wildcards (*).
However, dnsmasq does, as explained in the example configuration file :
So I suggest mapping all wildcard mappings to the dnsmasq configuration file.
This could quite easily be done by creating /etc/dnsmasq.d/clearos.conf like that :
This will be very useful for all flexshare default web mappings, which are : <my flexshare>.<my Hostname>