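{ config, pkgs, ... }:
{
  imports =
    [ # Include the results of the hardware scan.
      ./hardware-configuration.nix
    ];

  #############################################################
  # Networking stuff
  #############################################################
  networking.hostName = "exmaple.net"; # Define your hostname.
  networking.dhcpcd.enable = true;
  networking.enableIPv6 = false;
  # 5432 is opened on every interface; the pg_hba rules under
  # services.postgresql.authentication decide who may actually log in, so keep
  # the two in sync when narrowing either one.
  networking.firewall.allowedTCPPorts = [ 5432 ];
  services.openssh.enable = true;

  # Set your time zone.
  time.timeZone = "Europe/Paris";

  # The NixOS release to be compatible with for stateful data such as databases.
  system.stateVersion = "17.09";

  environment.systemPackages = with pkgs; [ openssl ];

  # Self-signed server certificate for PostgreSQL.
  # - The key/cert are written to the absolute paths that ssl_key_file /
  #   ssl_cert_file reference below. The previous command wrote "pg.key" and
  #   "pg.cert" relative to the activation script's working directory, so the
  #   chown/chmod and the server both pointed at files that were never created.
  # - Generation is guarded: activation scripts run on every
  #   `nixos-rebuild switch`, and regenerating the key on each run would
  #   silently rotate the server identity. The flip side is that the 365-day
  #   certificate is NOT renewed automatically; rotate it before it expires.
  # - deps = [ "users" ] makes sure the `postgres` account exists before chown.
  # - An RSA key is used rather than the secp521r1 key with `-param_enc explicit`
  #   that was tried earlier: TLS peers expect named curves, so a certificate
  #   carrying explicitly encoded EC parameters is presumably unusable for any
  #   authenticated suite (the first sslyze run shows only anonymous DH suites).
  system.activationScripts.openssl = {
    deps = [ "users" ];
    text = ''
      if [ ! -f /etc/ssl/pg.key ] || [ ! -f /etc/ssl/pg.cert ]; then
        ${pkgs.openssl}/bin/openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
          -keyout /etc/ssl/pg.key -out /etc/ssl/pg.cert \
          -subj "/C=FR/L=Pompom/O=corp/CN=db.corp.net"
      fi
      chown postgres /etc/ssl/pg.key /etc/ssl/pg.cert
      chmod 600 /etc/ssl/pg.key /etc/ssl/pg.cert
    '';
  };

  services.postgresql = {
    enable = true;
    enableTCPIP = true;
    package = pkgs.postgresql96;
    dataDir = "/data/postgresql";
    # pg_hba.conf: md5 password authentication is accepted from any source
    # address as long as the connection is TLS. Together with the open firewall
    # port this exposes password auth to the whole network; narrow 0.0.0.0/0 to
    # the client ranges that actually need access.
    authentication = ''
      local all all ident
      hostssl all all 0.0.0.0/0 md5
    '';
    extraConfig = ''
      ssl = true
      ssl_cert_file = '/etc/ssl/pg.cert'
      ssl_key_file = '/etc/ssl/pg.key'
      # ssl_ciphers is an OpenSSL cipher-list string, not a protocol-version
      # selector. The previous value 'TLSv1.2' keeps every TLSv1.2 suite
      # OpenSSL knows, including the anonymous (aNULL) DH/ECDH suites that
      # provide no server authentication -- the sslyze run against that
      # configuration accepted only TLS_DH_anon_* suites, which libpq's
      # default cipher list (!aNULL) rejects, hence psql's "handshake failure".
      # Exclude unauthenticated and weak suites explicitly instead.
      # NOTE(review): protocol versions (TLSv1.0/1.1 were still accepted in the
      # second scan) cannot be restricted from postgresql.conf on 9.6;
      # ssl_min_protocol_version only exists from PostgreSQL 12 on.
      ssl_ciphers = 'HIGH:!aNULL:!MD5:!RC4:!3DES'
      ssl_ecdh_curve = 'prime256v1'
      ssl_prefer_server_ciphers = on
    '';
    extraPlugins = [(pkgs.postgis.override { postgresql = pkgs.postgresql96;}).v_2_3_1];
  };
}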
- PGPASSWORD=pass PGHOST=db.corp.net PGUSER=postgres PGSSLMODE=require psql
- psql: SSL error: sslv3 alert handshake failure
- sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 192.168.1.1:5432 --starttls=postgres --hide_rejected_ciphers
- AVAILABLE PLUGINS
- -----------------
- SessionRenegotiationPlugin
- FallbackScsvPlugin
- HeartbleedPlugin
- CompressionPlugin
- OpenSslCipherSuitesPlugin
- CertificateInfoPlugin
- SessionResumptionPlugin
- HttpHeadersPlugin
- OpenSslCcsInjectionPlugin
- CHECKING HOST(S) AVAILABILITY
- -----------------------------
- 192.168.1.1:5432 => 192.168.1.1
- SCAN RESULTS FOR 192.168.1.1:5432 - 192.168.1.1
- -------------------------------------------------
- * SSLV2 Cipher Suites:
- Server rejected all cipher suites.
- * SSLV3 Cipher Suites:
- Server rejected all cipher suites.
- * TLSV1 Cipher Suites:
- Server rejected all cipher suites.
- * TLSV1_1 Cipher Suites:
- Server rejected all cipher suites.
- * TLSV1_2 Cipher Suites:
- Preferred:
- TLS_DH_anon_WITH_AES_256_GCM_SHA384 DH-1024 bits ANONYMOUS
- Accepted:
- TLS_DH_anon_WITH_AES_256_CBC_SHA256 DH-1024 bits ANONYMOUS
- TLS_DH_anon_WITH_AES_256_GCM_SHA384 DH-1024 bits ANONYMOUS
- TLS_DH_anon_WITH_AES_128_CBC_SHA256 DH-1024 bits ANONYMOUS
- TLS_DH_anon_WITH_AES_128_GCM_SHA256 DH-1024 bits ANONYMOUS
- sslyze --sslv2 --sslv3 --tlsv1 --tlsv1_1 --tlsv1_2 192.168.1.1:5432 --starttls=postgres --hide_rejected_ciphers
- AVAILABLE PLUGINS
- -----------------
- SessionRenegotiationPlugin
- FallbackScsvPlugin
- HeartbleedPlugin
- CompressionPlugin
- OpenSslCipherSuitesPlugin
- CertificateInfoPlugin
- SessionResumptionPlugin
- HttpHeadersPlugin
- OpenSslCcsInjectionPlugin
- CHECKING HOST(S) AVAILABILITY
- -----------------------------
- 192.168.1.1:5432 => 192.168.1.1
- SCAN RESULTS FOR 192.168.1.1:5432 - 192.168.1.1
- -----------------------------------------------
- * SSLV2 Cipher Suites:
- Server rejected all cipher suites.
- * SSLV3 Cipher Suites:
- Server rejected all cipher suites.
- * TLSV1 Cipher Suites:
- Preferred:
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits
- Accepted:
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits
- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits 256 bits
- TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits
- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-1024 bits 256 bits
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-1024 bits 128 bits
- TLS_DHE_RSA_WITH_SEED_CBC_SHA DH-1024 bits 128 bits
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits
- TLS_RSA_WITH_SEED_CBC_SHA - 128 bits
- TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDH-256 bits 128 bits
- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits 128 bits
- TLS_RSA_WITH_RC4_128_SHA - 128 bits
- TLS_RSA_WITH_RC4_128_MD5 - 128 bits
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits
- TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-1024 bits 112 bits
- TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits
- * TLSV1_1 Cipher Suites:
- Preferred:
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits
- Accepted:
- TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits
- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-1024 bits 256 bits
- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits 256 bits
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-1024 bits 128 bits
- TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits
- TLS_RSA_WITH_SEED_CBC_SHA - 128 bits
- TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDH-256 bits 128 bits
- TLS_RSA_WITH_RC4_128_SHA - 128 bits
- TLS_DHE_RSA_WITH_SEED_CBC_SHA DH-1024 bits 128 bits
- TLS_RSA_WITH_RC4_128_MD5 - 128 bits
- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits 128 bits
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-1024 bits 112 bits
- TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits
- * TLSV1_2 Cipher Suites:
- Preferred:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits
- Accepted:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 ECDH-256 bits 256 bits
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 DH-1024 bits 256 bits
- TLS_DHE_RSA_WITH_CAMELLIA_256_CBC_SHA DH-1024 bits 256 bits
- TLS_RSA_WITH_AES_256_CBC_SHA256 - 256 bits
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 ECDH-256 bits 256 bits
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA DH-1024 bits 256 bits
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA ECDH-256 bits 256 bits
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 DH-1024 bits 256 bits
- TLS_RSA_WITH_AES_256_GCM_SHA384 - 256 bits
- TLS_RSA_WITH_AES_256_CBC_SHA - 256 bits
- TLS_RSA_WITH_CAMELLIA_256_CBC_SHA - 256 bits
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA ECDH-256 bits 128 bits
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 ECDH-256 bits 128 bits
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 ECDH-256 bits 128 bits
- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256 DH-1024 bits 128 bits
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 DH-1024 bits 128 bits
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA DH-1024 bits 128 bits
- TLS_DHE_RSA_WITH_SEED_CBC_SHA DH-1024 bits 128 bits
- TLS_DHE_RSA_WITH_CAMELLIA_128_CBC_SHA DH-1024 bits 128 bits
- TLS_RSA_WITH_CAMELLIA_128_CBC_SHA - 128 bits
- TLS_RSA_WITH_AES_128_CBC_SHA256 - 128 bits
- TLS_RSA_WITH_AES_128_CBC_SHA - 128 bits
- TLS_RSA_WITH_SEED_CBC_SHA - 128 bits
- TLS_RSA_WITH_AES_128_GCM_SHA256 - 128 bits
- TLS_RSA_WITH_RC4_128_SHA - 128 bits
- TLS_ECDHE_RSA_WITH_RC4_128_SHA ECDH-256 bits 128 bits
- TLS_RSA_WITH_RC4_128_MD5 - 128 bits
- TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA ECDH-256 bits 112 bits
- TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA DH-1024 bits 112 bits
- TLS_RSA_WITH_3DES_EDE_CBC_SHA - 112 bits