Merge branch 'master' of github.com:BetterCrypto/Applied-Crypto-Hardening
[ach-master.git] / src / practical_settings / DBs.tex
index 88baa23..1f0b6a8 100644 (file)
@@ -2,35 +2,31 @@
 % This list is based on : http://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
 
 %% ---------------------------------------------------------------------- 
-\subsubsection{Oracle}
-\begin{description}
-\item[Tested with Version:] not tested
+\subsection{Oracle}
+%\subsubsection{Tested with Version}
+\todo{not tested yet}
 
-\item[References:] (German)
-{\small \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}}
+\subsubsection{References}
+\begin{itemize}
+  \item Technical safety requirements by \emph{Deutsche Telekom AG} (German). Please read section 17.12 or pages 129 and following (Req 396 and Req 397) about SSL and ciphersuites \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}
+\end{itemize}
 
-Please read the following pages about SSL and ciphersuites:\\
-p. 129 -Req 396 and Req 397 \\
-
-\end{description}
 
 %% ---------------------------------------------------------------------- 
-\subsubsection{SQL Server}
-
-
+\todo{write this}
 
 
 %% ---------------------------------------------------------------------- 
-\subsubsection{MySQL}
-
-\begin{description}
-\item[Tested with Version:] Debian 7.0 and MySQL 5.5
-
-\item[Settings:] \mbox{}
+\subsection{MySQL}
+\subsubsection{Tested with Version}
+\begin{itemize}
+  \item Debian 7.0 and MySQL 5.5
+\end{itemize}
 
-\paragraph*{my.cnf}\mbox{}\\
 
-\begin{lstlisting}[breaklines]
+\subsubsection{Settings}
+\paragraph*{my.cnf}
+\begin{lstlisting}
 [mysqld]
 ssl
 ssl-ca=/etc/mysql/ssl/ca-cert.pem
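Review bot: The `\subsubsection{SQL Server}` heading is removed and only `\todo{write this}` is left in its place, so the placeholder now renders under Oracle's References and SQL Server drops out of the document outline; adding `\subsection{SQL Server}` before the todo would keep the section. The `[breaklines]` option is also dropped from the `my.cnf` listing that opens here (its body continues past this hunk). Unless `breaklines` is set globally through `\lstset`, which is not visible in this diff, the long `ssl-cipher` line may run off the page and readers would copy a truncated cipher string.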
@@ -39,40 +35,42 @@ ssl-key=/etc/mysql/ssl/client-key.pem
 ssl-cipher=EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA
 \end{lstlisting}
 
-\item[Additional settings:]
+%\subsubsection{Additional settings}
 
 
-\item[Justification for special settings (if needed):]
-
+%\subsubsection{Justification for special settings (if needed)}
 % in case you have the need for further justifications why you chose this and that setting or if the settings do not fit into the standard Variant A or Variant B schema, please document this here
 
-\item[References:]
-{\small \url{https://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html}}
 
+\subsubsection{References}
+\begin{itemize}
+  \item MySQL Documentation on SSl Connections: \url{https://dev.mysql.com/doc/refman/5.5/en/ssl-connections.html}
+\end{itemize}
 
-\item[How to test:]
 
+\subsubsection{How to test}
 After restarting the server run the following query to see if the ssl settings are correct:
-\begin{lstlisting}[breaklines]
+\begin{lstlisting}
 show variables like '%ssl%';
 \end{lstlisting}
 
 
-\end{description}
-
-
 %% ---------------------------------------------------------------------- 
-\subsubsection{DB2}
-\begin{description}
-\item[Tested with Version:] not tested
+\subsection{DB2}
+\subsubsection{Tested with Version}
+\todo{not tested}
+
 
-\item[References:]
-{\small \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=%2Fcom.ibm.db2.luw.admin.sec.doc%2Fdoc%2Fc0053544.html}}
+\subsubsection{References}
+\begin{itemize}
+  \item IMB Db2 Documentation on \emph{Supported cipher suites} \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=\%2Fcom.ibm.db2.luw.admin.sec.doc\%2Fdoc\%2Fc0053544.html}
+\end{itemize}
 
 
-\paragraph*{ssl\_cipherspecs}\mbox{}\\
-In the link above the whole SSL-configuration is described in-depth. The following command shows only how to set the recommended ciphersuites.
-\begin{lstlisting}[breaklines]
+\subsubsection{Settings}
+\paragraph*{ssl\_cipherspecs}
+In the link above the whole SSL-configuration is described in-depth. The following command shows only how to set the recommended ciphersuites:
+\begin{lstlisting}
 # recommended and supported ciphersuites 
 
 db2 update dbm cfg using SSL_CIPHERSPECS 
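Review bot: The MySQL "How to test" step only shows that the server loaded the options, because `show variables like '%ssl%';` reports configured values rather than whether a session actually negotiated TLS or with which cipher. I would add a second check run from a client connected over SSL, e.g. `show status like 'Ssl_cipher';`, and state that an empty value means the connection is not encrypted. Two typos in the new reference items are worth fixing in the same pass: `SSl Connections` should read `SSL Connections`, and `IMB Db2` should read `IBM DB2`.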
@@ -94,53 +92,48 @@ TLS_RSA_WITH_AES_256_CBC_SHA,
 TLS_RSA_WITH_AES_128_CBC_SHA,
 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
-
 \end{lstlisting}
 
-\end{description}
 
 %% ---------------------------------------------------------------------- 
+\subsection{PostgreSQL}
+\subsubsection{Tested with Versions}
+\begin{itemize}
+  \item Debian 7.0 and PostgreSQL 9.1
+  \item Linux Mint 14 nadia / Ubuntu 12.10 quantal with PostgreSQL 9.1+136 and OpenSSL 1.0.1c
+\end{itemize}
 
-\subsubsection{PostgreSQL}
-
-\begin{description}
-\item[Tested with Version:] Debian 7.0 and PostgreSQL 9.1
-
-\item[References:]
-
-It's recommended to read 
-
-{\small \url{http://www.postgresql.org/docs/X.X/interactive/runtime-config-connection.html\#RUNTIME-CONFIG-CONNECTION-SECURITY}}
-(please change X.X with your preferred version e.g. 9.1).
 
-\item[Settings:] \mbox{}
+\subsubsection{References}
+\begin{itemize}
+  \item It's recommended to read {\small \url{http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html\#RUNTIME-CONFIG-CONNECTION-SECURITY}} (please edit the version with your preferred one).
+  \item PostgreSQL Documentation on \emph{Secure TCP/IP Connections with SSL}: \url{http://www.postgresql.org/docs/9.1/static/ssl-tcp.html}
+\end{itemize}
 
 
-To start in SSL mode the server.crt and server.key must exist in the server's data directory \$PGDATA. 
+\subsubsection{Settings}
+To start in SSL mode the server.crt and server.key must exist in the server's data directory \$PGDATA.
 
-Starting with version 9.2, you have the possibility to set the path.
+Starting with version 9.2, you have the possibility to set the path manually.
 
-\begin{lstlisting}[breaklines]
+\begin{lstlisting}
 ssl_key_file = '/your/path/server.key'
 ssl_cert_file = '/your/path/server.crt'
 ssl_ca_file = '/your/path/root.crt'
 \end{lstlisting}
 
-\paragraph*{postgresql.conf}\mbox{}\\
 
-\begin{lstlisting}[breaklines]
+\paragraph*{postgresql.conf}\mbox{}\\
+\begin{lstlisting}
 #>=8.3
 ssl = on 
 ssl_ciphers = 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
 \end{lstlisting}
 
 
-
-\item[How to test:]
+\subsubsection{How to test}
 To test your ssl settings, run psql with the sslmode parameter:
-\begin{lstlisting}[breaklines]
+\begin{lstlisting}
 psql "sslmode=require host=postgres-server dbname=database" your-username
 \end{lstlisting}
 
-\end{description}
-
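Review bot: The PostgreSQL test command uses `sslmode=require`, which encrypts the connection but does not validate the server certificate, so the test passes even when the client would accept any certificate. For a hardening guide I would show `psql "sslmode=verify-full sslrootcert=/your/path/root.crt host=postgres-server dbname=database" your-username` and note that `require` alone does not authenticate the server. The Settings text could also say that `server.key` must be readable only by the database user. Minor: `\paragraph*{postgresql.conf}\mbox{}\\` and the `{\small \url{...}}` wrapper keep the layout workarounds that the rest of this commit removes.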