\todo{not tested}
-\subsubsection{References}
-\begin{itemize*}
- \item IMB Db2 Documentation on \emph{Supported cipher suites} \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=\%2Fcom.ibm.db2.luw.admin.sec.doc\%2Fdoc\%2Fc0053544.html}
-\end{itemize*}
-
-
\subsubsection{Settings}
\paragraph*{ssl\_cipherspecs}
In the link above the whole SSL-configuration is described in-depth. The following command shows only how to set the recommended ciphersuites.
\end{lstlisting}
+\subsubsection{References}
+\begin{itemize*}
+ \item IMB Db2 Documentation on \emph{Supported cipher suites} \url{http://pic.dhe.ibm.com/infocenter/db2luw/v9r7/index.jsp?topic=\%2Fcom.ibm.db2.luw.admin.sec.doc\%2Fdoc\%2Fc0053544.html}
+\end{itemize*}
+
%% ----------------------------------------------------------------------
\subsection{PostgreSQL}
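Review bot: moving the References block below Settings breaks the cross-reference in the unchanged sentence "In the link above the whole SSL-configuration is described in-depth", which now points at a link that sits below it; reword it to "In the referenced documentation ..." or similar in the same change. The moved item `+ \item IMB Db2 Documentation on \emph{Supported cipher suites}` also carries over the typo "IMB" for "IBM", and since the link is pinned to the v9r7 infocenter, the item should say which Db2 release it documents.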
\end{itemize*}
-\subsubsection{References}
-\begin{itemize*}
- \item It's recommended to read \url{http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html\#RUNTIME-CONFIG-CONNECTION-SECURITY} (please edit the version with your preferred one).
- \item PostgreSQL Documentation on \emph{Secure TCP/IP Connections with SSL}: \url{http://www.postgresql.org/docs/9.1/static/ssl-tcp.html}
- \item PostgreSQL Documentation on \emph{host-based authentication}: \url{http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html}
-\end{itemize*}
-
-
\subsubsection{Settings}
To start in SSL mode the server.crt and server.key must exist in the server's data directory \$PGDATA.
\end{lstlisting}
+\subsubsection{References}
+\begin{itemize*}
+ \item It's recommended to read \url{http://www.postgresql.org/docs/9.1/interactive/runtime-config-connection.html\#RUNTIME-CONFIG-CONNECTION-SECURITY} (please edit the version with your preferred one).
+ \item PostgreSQL Documentation on \emph{Secure TCP/IP Connections with SSL}: \url{http://www.postgresql.org/docs/9.1/static/ssl-tcp.html}
+ \item PostgreSQL Documentation on \emph{host-based authentication}: \url{http://www.postgresql.org/docs/current/static/auth-pg-hba-conf.html}
+\end{itemize*}
+
+
\subsubsection{How to test}
To test your ssl settings, run psql with the sslmode parameter:
\begin{lstlisting}
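Review bot: the first two moved items hardcode PostgreSQL 9.1 in the URL and then ask the reader to "please edit the version with your preferred one", while the third item already uses `/docs/current/`; use `current` in all three so the aside can be dropped and the list stays valid across releases. Minor: this block leaves two blank lines after `+\end{itemize*}` where the Db2 block above leaves one; keep the spacing consistent between the moved sections.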
\paragraphDiamond{server mode (incoming)}
-
In the main config section of Exim add:
\begin{lstlisting}
There already is a working patch to provide support:
\url{http://bugs.exim.org/show_bug.cgi?id=1397}
-\paragraphDiamond{How to test}
+\subsubsection{How to test}
\begin{lstlisting}
openssl s_client -starttls smtp -crlf -connect SERVER.TLD:25
\end{lstlisting}
As of squid-3.2.7 (01 Feb 2013) there is support for the OpenSSL NO\_Compression option within squid config (CRIME attack) and if you combine that in the config file, with an enforcement of the server cipher preferences (BEAST Attack) you are safe.
-\paragraphDiamond{squid.conf}
-
+\paragraph*{squid.conf}
\todo{UNTESTED!}
\begin{lstlisting}
options=NO_SSLv2,NO_TLSv1,NO_Compression,CIPHER_SERVER_PREFERENCE
cipher=%*\cipherStringB*)
\end{lstlisting}
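Review bot: the listing under the renamed heading sets `options=NO_SSLv2,NO_TLSv1,NO_Compression,CIPHER_SERVER_PREFERENCE`, which disables TLS 1.0 but leaves SSLv3 enabled; that contradicts the "Only allow TLS 1.0,1.1 and 1.2" guidance given for BlueCoat further down and undercuts the BEAST/CRIME rationale in the sentence above, so the option list should disable SSLv3 (`NO_SSLv3`) rather than TLS 1.0, or the text should explain the choice. The `\todo{UNTESTED!}` directly under the new `\paragraph*{squid.conf}` also sits next to the claim "you are safe"; either soften that sentence until the configuration has been verified or resolve the todo in this change.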
-\paragraphDiamond{squid.conf}
-
+\paragraph*{squid.conf}
%% http://forum.pfsense.org/index.php?topic=63262.0
-
\todo{UNTESTED!}
\begin{lstlisting}
NO_SSLv2 Disallow the use of SSLv2
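Review bot: this renames the second of two consecutive headings to the identical title `\paragraph*{squid.conf}`, so the reader sees "squid.conf" twice in a row with no hint how the snippets differ; the only distinguishing information is the pfSense forum URL hidden in the `%%` comment. Give the second paragraph a title that names its context (the pfSense case, per that comment) or merge the two listings, and surface the source URL in the rendered text rather than a LaTeX comment.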
BlueCoat Proxy SG Appliances can be used as forward and reverse proxies. The reverse proxy feature is rather under-developed, and while it is possible and supported, there only seems to be limited use of this feature "in the wild" - nonetheless there are a few cipher suites to choose from, when enabling SSL features.
-\paragraph{Only allow TLS 1.0,1.1 and 1.2 protocols:} \mbox{}
-
+\paragraph*{Only allow TLS 1.0,1.1 and 1.2 protocols:}
\begin{lstlisting}
$conf t
$(config)ssl
ok
\end{lstlisting}
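Review bot: the rewritten heading `+\paragraph*{Only allow TLS 1.0,1.1 and 1.2 protocols:}` is missing the space after the first comma; make it "TLS 1.0, 1.1 and 1.2". Dropping the `\mbox{}` and the blank line is fine here because the `lstlisting` that follows starts its own display block anyway.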
-\paragraph*{Select your accepted cipher-suites:} \mbox{}
-
+\paragraph*{Select your accepted cipher-suites:}
\begin{lstlisting}
$conf t
Enter configuration commands, one per line. End with CTRL-Z.
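Review bot: the rewritten heading `+\paragraph*{Select your accepted cipher-suites:}` spells the term "cipher-suites", while the Db2 reference in this same patch writes "cipher suites" and the Db2 settings text writes "ciphersuites"; settle on one spelling across the document while these headings are being touched.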
\item Pound 2.6
\end{itemize*}
+\subsubsection{Settings}
\begin{lstlisting}
# HTTP Listener, redirects to HTTPS
ListenHTTP
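Review bot: the new `+\subsubsection{Settings}` for Pound drops straight into the listing with no introductory sentence, unlike the Db2 and PostgreSQL Settings sections in this patch, which each open with a line saying what the snippet does and what it assumes; add one sentence (for example that the listing shows an HTTP listener redirecting to HTTPS plus the HTTPS listener) before `\begin{lstlisting}`.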
and \verb|auth| options both take a single argument that must match on
client and server.
-\paragraphDiamond{Server Configuration}
+\paragraph*{Server Configuration}
% the cipherlist here is config B without the ECDHE strings, because
% it must fit in 256 bytes...
% DO NOT CHANGE TO THE CIPHERSTRING MACRO!
auth SHA384
\end{lstlisting}
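Review bot: the comment lines "the cipherlist here is config B without the ECDHE strings, because it must fit in 256 bytes" and "DO NOT CHANGE TO THE CIPHERSTRING MACRO!" document a deliberate deviation from the recommended cipher string, but nothing in the reader-facing text under `+\paragraph*{Server Configuration}` explains it; add a sentence after the heading stating that OpenVPN limits the cipher string length, so the ECDHE entries of configuration B are omitted on purpose, and check that these lines are in fact LaTeX comments and not inside the listing, where `%` lines would be printed verbatim.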
-\paragraph{Client Configuration}\mbox{}
-
+\paragraphDiamond{Client Configuration}
Client and server have to use compatible configurations, otherwise they can't communicate.
The \verb|cipher| and \verb|auth| directives have to be identical.
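Review bot: this hunk changes `\paragraph{Client Configuration}\mbox{}` to `\paragraphDiamond{Client Configuration}`, while the matching server heading a few lines up becomes `\paragraph*{Server Configuration}`, so the two halves of the same section end up with different heading macros; the rest of the patch (Squid, BlueCoat) moves in the opposite direction, replacing `\paragraphDiamond` with `\paragraph*`. Pick one macro for this level and apply it to both Server and Client Configuration.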
\subsubsection{Additional settings}
-\paragraph{Key renegotiation interval}\mbox{}
-
+\paragraphDiamond{Key renegotiation interval}
The default for renegotiation of encryption keys is one hour
(\verb|reneg-sec 3600|). If you
transfer huge amounts of data over your tunnel, you might consider
configuring a shorter interval, or switch to a byte- or packet-based
interval (\verb|reneg-bytes| or \verb|reneg-pkts|).
-\paragraph{Fixing ``easy-rsa''}\mbox{}
-
+\paragraphDiamond{Fixing ``easy-rsa''}
When installing an OpenVPN server instance, you are probably using
\emph{easy-rsa} to generate keys and certificates.
The file \verb|vars| in the easyrsa installation directory has a
\subsubsection{References}
\begin{itemize*}
- \item \url{http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html}\\
+ \item \url{http://www.cisco.com/en/US/docs/security/asa/roadmap/asaroadmap.html}
\item \url{http://www.cisco.com/web/about/security/intelligence/nextgen_crypto.html}
\end{itemize*}
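Review bot: removing the trailing `\\` from the first `\item` is the right fix (it only produced stray vertical space in the list), but both Cisco items remain bare URLs with no description, unlike the Db2 and PostgreSQL reference lists in this patch, which give each link an `\emph{...}` title; add a short title to each item (the ASA roadmap and the next-generation cryptography page, per the URL paths) so the list matches the rest of the document.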