Thank you Szépe, I tried that last week and it was bad enough to convince me to 
recompile the whole lot --something I had been procrastinating for a while.  It 
is a Debian with OpenSSL 1.0.1t.

Testing the new code, without TLS-specific settings, I got again logged on the 
/recent worst/ table as up2.tana.it (of course my certificate doesn't seem to 
be valid...), but the only serious error I saw is:

SSL/TLS compression     Yes   INSECURE (more info)
[(more info)->https://community.qualys.com/blogs/securitylabs/2012/09/14/crime-information-leakage-attack-against-ssltls]

I note the TLS_COMPRESSION option has gone away.  Are there other TLS options 
worth trying to remove compression?


The other errors (red) and warnings (yellow), which I think I can safely 
ignore, are:
E:IE 6 / XP   No FS 1     No SNI 2              Server closed connection
E:IE 8 / XP   No FS 1     No SNI 2              Server sent fatal alert: handshake_failure
W:Forward Secrecy       With some browsers (more info)
W:Session resumption (caching)  No (IDs empty)
W:HTTP status code      Request failed

Did you get better results?

Ciao
Ale
-- 

On Thu 23/Mar/2017 21:35:44 +0100 SZÉPE Viktor wrote:
> 
> Hello Courier users!
> 
> Up to now I was not aware that Qualys' SSL test could be used on other  
> ports than 443.
> Here is how.
> 
> 1) You spin up an hourly billed VPS (like UpCloud). Probably your 443  
> port is already used for production websites.
> 
> 2) Enable IP forwarding
> 
> echo 1 > /proc/sys/net/ipv4/ip_forward
> 
> 3) Route all tcp/443 traffic to your Courier installation
> 
> iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to-destination ${COURIER_IP}:465
> 
> iptables -t nat -A POSTROUTING -p tcp --dst ${COURIER_IP} --dport 465 -j SNAT --to-source ${TEMPORARY_VPS_IP}
> 
> pre-4) Add an exception in Fail2ban for ${TEMPORARY_VPS_IP}
> 
> 4) Enter the VPS' reverse host name
> 
> https://www.ssllabs.com/ssltest/
> 
> Of course there will be a CN mismatch but all the rest of Qualys' fine  
> report will show you all the details.
> 
> 
> All the best!
> 
> 
> SZÉPE Viktor
> https://github.com/szepeviktor/debian-server-tools/blob/master/CV.md
> 
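
A local check for the compression finding discussed in this thread, as an added example that is not part of either message: it classifies the `Compression:` summary line that `openssl s_client` prints after a handshake, so a configuration change can be re-tested without the VPS forwarding. The function name is hypothetical and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Classifies TLS compression from the text
# that `openssl s_client` prints after a handshake.
# Live use (COURIER_IP as in the quoted message):
#   openssl s_client -connect "${COURIER_IP}:465" </dev/null 2>/dev/null \
#     | tls_compression_status

# Reads s_client output on stdin; prints disabled, enabled:<method> or unknown.
tls_compression_status() {
    awk '
        # Only the column-0 summary line counts; the indented SSL-Session
        # block can repeat the method in another format.
        /^Compression:/ && !seen {
            sub(/\r$/, "")
            sub(/^Compression:[ \t]*/, "")
            sub(/[ \t]+$/, "")
            method = $0
            seen = 1
        }
        END {
            if (!seen)                 print "unknown"   # no handshake summary
            else if (method == "NONE") print "disabled"
            else                       print "enabled:" method
        }'
}

# Constructed sample: handshake summary with zlib compression negotiated.
sample_zlib() {
    cat <<'EOF'
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 2048 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.2
    Compression: 1 (zlib compression)
---
EOF
}

# Constructed sample: same summary with compression off.
sample_none() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Compression: NONE
Expansion: NONE
EOF
}

sample_zlib | tls_compression_status
sample_none | tls_compression_status
```

The result is only meaningful when the `openssl` client itself was built with zlib support; a client that never offers compression reports `NONE` whatever the server allows.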

_______________________________________________
courier-users mailing list
courier-users@lists.sourceforge.net
Unsubscribe: https://lists.sourceforge.net/lists/listinfo/courier-users
