* Sat Jan 18 2025 Jean-Philippe Pialasse <jpp@koozali.org> 11.0.0-13.sme

- use esmith::ssl to set ciphers and protocol [SME: 12822] improve cipher order to get strongers first
2025-01-18 16:14:46 -05:00
parent 4ba4af692a
commit 877a1070f0
8 changed files with 20 additions and 31 deletions
--- a/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_ciphers/10ciphers
+++ b/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_ciphers/10ciphers
@@ -1,5 +1,5 @@
 {
-    # When updating CipherSuite both e-smith-apache and smeserver-qpsmtpd templates should be updated.
-    return $uqpsmtpd{tlsCipher} || $modSSL{CipherSuite} || 'ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA256:HIGH@STRENGTH:!SSLv2:!ADH:!aNULL:!MD5:!RC4';
+    use esmith::ssl;
+    return $qpsmtpd{tlsCipher} || $modSSL{CipherSuite} || $smeCiphers;
 }

--- a/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_protocols/10protocols
+++ b/root/etc/e-smith/templates/var/service/uqpsmtpd/config/tls_protocols/10protocols
@@ -1,9 +1,4 @@
 {
-$OUT .= 'SSLv23';
-$OUT .= ':!SSLv2' unless ($uqpsmtpd{SSLv2} || 'disabled') eq 'enabled';
-$OUT .= ':!SSLv3' unless ($uqpsmtpd{SSLv3} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1' unless ($uqpsmtpd{TLSv1} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1_1' unless ($uqpsmtpd{TLSv1.1} || 'disabled') eq 'enabled';
-$OUT .= ':!TLSv1_2' unless ($uqpsmtpd{TLSv1.2} || 'enabled') eq 'enabled';
-$OUT .= ':!TLSv1_3' unless ($uqpsmtpd{TLSv1.3} || 'enabled') eq 'enabled';
+use esmith::ssl;
+return SSLprotoQpsmtpd("uqpsmtpd");
 }