Nick Howitt wrote:
What are you trying to achieve? You really also need to check your sources, as some of your fixes are old and have been superseded. TLS 1.0 and TLS 1.1 should be dead and buried now. Try a document such as https://wiki.mozilla.org/Security/Server_Side_TLS.
I repeat again, in the e-mail stack all you are doing is stopping older clients connecting to you. If they are external and sending mail to you, depending on the sender's configuration, you will no longer receive it or they will fall back to plain text sending. If you want that, go for it. For all the clients you control, you will block any old ones, but that is your choice and you can upgrade any you have. If you don't have any then you have not achieved much as they will automatically negotiate the strongest cipher they can so they wouldn't be using the weak ones.
With respect to apache/httpd, if you use websites configured through the Webconfig, then these have already been hardened (look at /etc/httpd/conf.d/flex-443.conf). They broadly use the intermediate cipher set recommended by Mozilla, but have one or two extra ciphers to allow all browsers in the test at https://www.ssllabs.com/ssltest/analyze.html. Note these values have also been applied to the sandboxed version of httpd used for the Webconfig. All you have done is overwrite the default httpd configuration, which is never used by ClearOS except to serve a default page prior to initialising your default website.
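The two points above (old clients being shut out or falling back to plaintext on the mail side, and which protocol versions a given httpd or Postfix directive actually leaves enabled) can be checked offline before touching a live box. The following is an added example, not code from the thread or from ClearOS; it evaluates the standard mod_ssl `SSLProtocol` syntax and the Postfix `smtpd_tls_protocols` / `smtpd_tls_security_level` parameters, and the config snippets at the bottom are constructed samples, not files from any real system.

```python
"""Offline checker for TLS protocol settings in httpd (mod_ssl) and Postfix
main.cf text.  Reports which protocol versions remain enabled and whether a
Postfix listener would fall back to plaintext for peers that cannot negotiate.
Sample configs are constructed for illustration only."""
import re

# Versions in age order.  SSLv2 is long gone from OpenSSL but still shows up
# in old copy-pasted hardening advice, so keep it recognisable.
PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]
CANON = {p.lower(): p for p in PROTOCOLS}
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # current guidance: disable


def _name(token):
    """Normalise a protocol name (case-insensitive); unknown names pass through."""
    return CANON.get(token.lower(), token)


def apache_protocols(config_text):
    """Evaluate the last SSLProtocol directive in httpd config text.

    mod_ssl syntax: 'all' selects every version the linked OpenSSL supports
    (SSLv2 support was removed in httpd 2.4, so 'all' is everything but SSLv2),
    '+X' or bare 'X' adds a version, '-X' removes one.  Returns the enabled set.
    """
    enabled = set()
    for line in config_text.splitlines():
        m = re.match(r"\s*SSLProtocol\s+(.*)$", line, re.IGNORECASE)
        if not m:
            continue
        enabled = set()  # a later directive in the same scope replaces the earlier one
        for tok in m.group(1).split():
            sign, name = (tok[0], tok[1:]) if tok[0] in "+-" else ("+", tok)
            names = set(PROTOCOLS) - {"SSLv2"} if name.lower() == "all" else {_name(name)}
            enabled = enabled | names if sign == "+" else enabled - names
    return enabled


def postfix_protocols(config_text, param="smtpd_tls_protocols"):
    """Evaluate a Postfix TLS protocol parameter from main.cf text.

    Postfix accepts an exclusion list ('!SSLv2, !SSLv3, !TLSv1'), an explicit
    inclusion list, or (Postfix 3.6+) a range such as '>=TLSv1.2'.  An empty
    value means no restriction.  smtpd_tls_protocols governs opportunistic
    sessions; smtpd_tls_mandatory_protocols governs enforced ones.
    """
    value = ""
    pattern = re.compile(r"\s*" + re.escape(param) + r"\s*=\s*(.*)$")
    for line in config_text.splitlines():
        m = pattern.match(line)
        if m:
            value = m.group(1).strip()  # last assignment wins, as in Postfix
    enabled, includes = set(PROTOCOLS), set()
    for tok in re.split(r"[,\s]+", value):
        if not tok:
            continue
        if tok.startswith(">="):
            enabled &= set(PROTOCOLS[PROTOCOLS.index(_name(tok[2:])):])
        elif tok.startswith("<="):
            enabled &= set(PROTOCOLS[:PROTOCOLS.index(_name(tok[2:])) + 1])
        elif tok.startswith("!"):
            enabled.discard(_name(tok[1:]))
        else:
            includes.add(_name(tok))
    return enabled & includes if includes else enabled


def postfix_tls_mode(config_text, param="smtpd_tls_security_level"):
    """'may' is opportunistic TLS: a peer that cannot negotiate an allowed
    version still delivers in plaintext.  'encrypt' (or stronger) refuses it."""
    level = "none"
    pattern = re.compile(r"\s*" + re.escape(param) + r"\s*=\s*(\S*)")
    for line in config_text.splitlines():
        m = pattern.match(line)
        if m:
            level = m.group(1)
    return {"none": "no-tls", "may": "plaintext-fallback"}.get(level, "enforced")


def legacy_enabled(enabled):
    """Versions still on that current guidance says to switch off, oldest first."""
    return [p for p in PROTOCOLS if p in enabled and p in LEGACY]


# Constructed samples: the "before" lines mirror old advice that only drops
# SSLv2/SSLv3; the "after" lines also drop TLS 1.0 and 1.1.
APACHE_BEFORE = "SSLEngine on\nSSLProtocol all -SSLv2 -SSLv3\n"
APACHE_AFTER = "SSLEngine on\nSSLProtocol all -SSLv3 -TLSv1 -TLSv1.1\n"
POSTFIX_BEFORE = "smtpd_tls_security_level = may\nsmtpd_tls_protocols = !SSLv2, !SSLv3\n"
POSTFIX_AFTER = ("smtpd_tls_security_level = may\n"
                 "smtpd_tls_protocols = !SSLv2, !SSLv3, !TLSv1, !TLSv1.1\n")

if __name__ == "__main__":
    for label, text in [("httpd before", APACHE_BEFORE), ("httpd after", APACHE_AFTER)]:
        print(label, "legacy still enabled:", legacy_enabled(apache_protocols(text)))
    for label, text in [("postfix before", POSTFIX_BEFORE), ("postfix after", POSTFIX_AFTER)]:
        print(label, "legacy still enabled:", legacy_enabled(postfix_protocols(text)),
              "mode:", postfix_tls_mode(text))
```

Run it against a copy of `flex-443.conf` or `main.cf` to see what a directive really leaves enabled. The `postfix_tls_mode` result is the point from the post above: with `smtpd_tls_security_level = may`, tightening `smtpd_tls_protocols` does not refuse old senders, it lets them fall back to plaintext, so the protocol list and the security level have to be read together.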
Thanks for your input. nmap no longer finds security problems based on the changes, and everything seems to work.
I will also disable TLS 1.0 and 1.1; thanks for that, I was considering doing it.
If I refuse messages from insecure email servers or clients, that is fine.