Merge pull request #117 from gunnarhaslinger/master
authorSebastian <sebix@sebix.at>
Tue, 8 Dec 2015 16:10:39 +0000 (17:10 +0100)
committerSebastian <sebix@sebix.at>
Tue, 8 Dec 2015 16:10:39 +0000 (17:10 +0100)
Correct CipherstringB in Webservers+Mailservers

src/configuration/MailServers/Dovecot/10-ssl.conf
src/configuration/MailServers/Postfix/main.cf
src/configuration/MailServers/cyrus-imapd/imapd.conf
src/configuration/Webservers/Apache/default-ssl
src/configuration/Webservers/Cherokee/cherokee.conf
src/configuration/Webservers/lighttpd/10-ssl-dh.conf
src/configuration/Webservers/lighttpd/10-ssl.conf
src/configuration/Webservers/nginx/default
src/configuration/Webservers/nginx/default-ec
src/configuration/Webservers/nginx/default-hsts
src/practical_settings/webserver.tex

index 6f9a69e..d828972 100644 (file)
@@ -49,7 +49,7 @@ ssl_key = </etc/dovecot/private/dovecot.pem
 ssl_protocols = !SSLv3 !SSLv2
 
 # SSL ciphers to use
-ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+ssl_cipher_list = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 
 # Prefer the server's order of ciphers over client's. (Dovecot >=2.2.6 Required) 
 ssl_prefer_server_ciphers = yes
index 15aede5..cd7b9b0 100644 (file)
@@ -34,7 +34,7 @@ tls_ssl_options = NO_COMPRESSION
 
 smtpd_tls_mandatory_protocols = !SSLv2, !SSLv3
 smtpd_tls_mandatory_ciphers=high
-tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+tls_high_cipherlist=EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 smtpd_tls_eecdh_grade=ultra
 
 smtpd_tls_session_cache_database = btree:${data_directory}/smtpd_scache
index f60586d..12fe2be 100644 (file)
@@ -260,7 +260,7 @@ tls_session_timeout: 1440
 # selects TLSv1 high-security ciphers only, and removes all anonymous ciphers
 # from the list (because they provide no defense against man-in-the-middle
 # attacks).  It also orders the list so that stronger ciphers come first.
-tls_cipher_list: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+tls_cipher_list: EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 
 # Require a client certificate for ALL services (imap, pop3, lmtp, sieve).
 #tls_require_cert: false
index 2475f22..bbe4ce3 100644 (file)
        # At least use one Backup-Key and/or add whole CA, think of Cert-Updates!
        Header always set Public-Key-Pins "pin-sha256=\"YOUR_HASH=\"; pin-sha256=\"YOUR_BACKUP_HASH=\"; max-age=7776000; report-uri=\"https://YOUR.REPORT.URL\""
 
-       SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA'
+       SSLCipherSuite 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA'
 
        
        
index 9fd94c4..f997782 100644 (file)
@@ -52,7 +52,7 @@ vserver!1!rule!1!match = default
 vserver!1!ssl_certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
 vserver!1!ssl_certificate_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
 vserver!1!ssl_cipher_server_preference = 1
-vserver!1!ssl_ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
+vserver!1!ssl_ciphers = EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA
 vserver!1!ssl_compression = 0
 vserver!1!ssl_dh_length = 2048
 
index b1a64d6..3e3d804 100644 (file)
@@ -6,7 +6,7 @@ $SERVER["socket"] == "0.0.0.0:443" {
        ssl.use-sslv3 = "disable"
        ssl.pemfile = "/etc/lighttpd/server.pem"
 
-       ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
+       ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
        ssl.honor-cipher-order = "enable"
     # use group16 dh parameters
        ssl.dh-file = "/etc/lighttpd/ssl/dh4096.pem"
index 4a467fc..72850e6 100644 (file)
@@ -7,7 +7,7 @@ $SERVER["socket"] == "0.0.0.0:443" {
        ssl.pemfile = "/etc/lighttpd/server.pem"
        ssl.ca-file = "/etc/ssl/certs/server.crt"
 
-       ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA"
+       ssl.cipher-list = "EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA"
        ssl.honor-cipher-order = "enable"
        setenv.add-response-header  = ( "Strict-Transport-Security" => "max-age=15768000") # six months
        # use this only if all subdomains support HTTPS!
index 088c9c6..c48740d 100644 (file)
@@ -112,7 +112,7 @@ server {
 
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
-       ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+       ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
        add_header Strict-Transport-Security max-age=15768000; # six months
        # use this only if all subdomains support HTTPS!
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
index eb172a2..a9c6d19 100644 (file)
@@ -112,7 +112,7 @@ server {
 
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
-       ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+       ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
        add_header Strict-Transport-Security max-age=15768000; # six months
        # use this only if all subdomains support HTTPS!
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
index b6745ac..3ab4b61 100644 (file)
@@ -62,7 +62,7 @@ server {
 
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # not possible to do exclusive
-       ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA';
+       ssl_ciphers 'EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA256:EECDH:+CAMELLIA128:+AES128:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:!IDEA:!ECDSA:kEDH:CAMELLIA128-SHA:AES128-SHA';
        add_header Strict-Transport-Security max-age=15768000; # six months
        # use this only if all subdomains support HTTPS!
        # add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
index 0c7ac80..a068626 100644 (file)
@@ -164,7 +164,7 @@ The configuration of the cherokee webserver is performed by an admin interface a
         \item \emph{Required SSL/TLS Values}: Fill in the correct paths for \emph{Certificate} and \emph{Certificate key}
         \item Advanced Options
         \begin{itemize*}
-            \item \emph{Ciphers}: \texttt{EDH+CAMELLIA:EDH+aRSA:EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:\newline EECDH+aRSA+SHA256:EECDH:+CAMELLIA256:+AES256:+CAMELLIA128:+AES128:\newline+SSLv3:!aNULL!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!DSS:!RC4:!SEED:\newline!ECDSA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA}
+            \item \emph{Ciphers}: \ttbox{\cipherStringB}
             \item \emph{Server Preference}: Prefer
             \item \emph{Compression}: Disabled
         \end{itemize*}