It’s been a couple of months since I posted anything, and honestly that’s more down to me being lazy and having nothing worth posting to talk about. But Qualys have updated their SSL Labs to make the use of TLS 1.1 and TLS 1.0 cap the score to a B. This has led me to once again look at the TLS settings for the various servers that I run. Apache HTTPD is the easiest of the server applications I run to update for this, so that’s where I decided to start. Rather than just updating to TLS version 1.2 only, it would be nice to use TLS 1.3 as well. However, I was mostly running Debian Stretch and out of the box the version of Apache HTTPD included in this release doesn’t support TLS 1.3. Fortunately for me Debian Buster has been out a while, and I have always found Debian upgrades to go smoothly, so I decided to run a dist-upgrade and update the TLS settings on Apache HTTPD.

The upgrade ran smoothly, the various services all appeared to start up fine, and everything appeared to work. So I played about with the Apache TLS settings and found settings that got me an A+ on the SSL Labs test again. No databases were lost, or locked out, and I had backups should the worst come to pass. However, later that day I noticed I hadn’t had any emails, including the emails I normally get from Linode to say my servers had restarted. So what had I done wrong? Well, in my haste I had not read all the release notes, or checked that there were no errors. Postfix was running, so I should be getting emails, right? Well, maybe, maybe not. It turns out that with Postfix relying on Dovecot to identify users, and Dovecot not accepting secure connections, Postfix may or may not have been accepting emails. I don’t actually know, I didn’t check once I’d fixed things and got my emails (including ones that I expected to receive earlier). What was Dovecot’s issue? Well, the upgrade had changed some of the settings that were needed, related to TLS settings in no small irony. So I needed to make a quick change to those, but what I also needed was a set of DH parameters that Dovecot didn’t think were too weak. This was not a fast thing to fix. The command

openssl dhparam 4096

generates a secure set of DH parameters, but takes a long time to run. So having generated those parameters, and put them in a file for Dovecot to read (twice, because I have two mail servers), everything is working again.
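As an added example (not the post's own configuration), here is what the Dovecot side of that fix looks like on Debian Buster's Dovecot 2.3, with the pre-upgrade setting shown beside the one that replaced it; the certificate and parameter file paths are assumptions.

```conf
# Added example, not the post's own config. Dovecot 2.3 (Debian Buster) TLS
# settings; all file paths here are assumed placeholders.

# Dovecot 2.2 generated its own DH parameters from this setting. Dovecot 2.3
# no longer understands it, which is the kind of change the upgrade brought in:
#ssl_dh_parameters_length = 2048

# Dovecot 2.3 instead reads a parameter file you generate yourself, e.g.
#   openssl dhparam -out /etc/dovecot/dh.pem 4096
# (slow, as noted above). Without it, TLS connections to Dovecot fail, which
# is what left Postfix unable to authenticate users.
ssl = required
ssl_cert = </etc/dovecot/private/fullchain.pem
ssl_key = </etc/dovecot/private/privkey.pem
ssl_dh = </etc/dovecot/dh.pem

# Match the policy applied to Apache: TLS 1.2 and 1.3 only, no TLS 1.0/1.1.
ssl_min_protocol = TLSv1.2
ssl_prefer_server_ciphers = yes
```

After editing, `doveconf -n` shows the effective settings and will complain about any key the running version does not recognise.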

At some point I’m going to learn to do these upgrades in a more professional manner, after all it is literally what I get paid to do day to day. Fortunately I do my job properly when I’m getting paid for it, I just hope my employer realises that if they read my blog.

I still need to review the TLS settings for Dovecot (properly this time), Postfix and Stunnel. Postfix is going to be more complicated as it listens on two separate ports that have different requirements. But more on that when I actually do the work (if I have anything worth adding).

posted at 5:27 pm on 15 Mar 2020 by Craig Stewart

Tags: sysadmin, ssl, fail