\input{"./practical_settings/vpn.tex"}
-\subsection{PGP/ GPG - Pretty Good Privacy}
+\subsection{PGP/GPG - Pretty Good Privacy}
\input{"./practical_settings/GPG.tex"}
\paragraph*{MX and SMTP client configuration}\mbox{}\\
As discussed above, because of opportunistic encryption we do not
-restrict the list of ciphers. There's still some steps needed to
+restrict the list of ciphers. There are still some steps needed to
enable TLS, all in \verb|main.cf|:
\begin{lstlisting}[breaklines]
SSLCipherSuite 'EECDH+aRSA+AESGCM:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EDH+CAMELLIA256:EECDH:EDH+aRSA:+SSLv3:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4:!SEED:!AES128:!CAMELLIA128:!ECDSA:AES256-SHA'
\end{lstlisting}
-Note again, that any cipher suite starting with ECDHE can be omitted in case of doubt.
+Note again, that any cipher suite starting with ECDHE can be omitted, if in doubt.
%% XXX NOTE TO SELF: remove from future automatically generated lists!
\item[Additional settings:]
\item[Additional settings:]
-As for any other webserver, you should redirect automatically http traffic toward httpS://
+As for any other webserver, you should automatically redirect http traffic toward httpS://
\begin{lstlisting}[breaklines]
$HTTP["scheme"] == "http" {
%% XXX FIXME: do we need to specify dhparams? Parameter: ssl_dhparam = file. See: http://wiki.nginx.org/HttpSslModule#ssl_protocols
-It is recommended to specify your own Diffie-Hellman Parameters file of at least the same bit size as your RSA key. Eg. use no less than 2048bit DH parameters with a 2048bit RSA key.
+It is recommended to specify your own Diffie-Hellman Parameters file of at least the same bit size as your RSA key. E.g. use no less than 2048bit DH parameters with a 2048bit RSA key.
\begin{lstlisting}[breaklines]
ssl_dhparam file;
\end{lstlisting}
Since \verb|ECDHE_RSA_*| is not supported, a SSL certificate based on
elliptic curves needs to be used.
-The configuration of cipher suites MS IIS will use can be configured in one
+The configuration of cipher suites MS IIS will use, can be configured in one
of the following ways:
\begin{enumerate}
\item Group Policy \footnote{\url{http://msdn.microsoft.com/en-us/library/windows/desktop/bb870930(v=vs.85).aspx}}
Table~\ref{tab:MS_IIS_Client_Support} shows the process of turning on
-one algorithm after another and the effect on the supported Clients
+one algorithm after another and the effect on the supported clients
tested using https://www.ssllabs.com.
\verb|SSL 3.0|, \verb|SSL 2.0| and \verb|MD5| are turned off.
% \verb|TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA| ... Firefox 10-24, IE 8+, Safari 5, Java 7
-Not supported Clients:
+Clients not supported:
\begin{enumerate}
\item Java 6
\item WinXP
\begin{itemize}
\item Internet-facing services
\item Commonly used services
-\item Devices which are used in business environments (this specifically excludes XBoxes, Playstations and similar consumer devices)
+\item Devices which are used in business environments (this specifically excludes XBoxes, Playstations and similar consumer devices)
\item OpenSSL
\end{itemize}
your system. Supported protocols, cipher suites and more depend on the version of
the SSL library in use. Whenever you upgrade the SSL library, a recompile of all
applications using that library is required to use the newly available features.
-Some features not only require a SSL library supporting it but also the application
+Some features not only require a SSL library supporting it, but also the application
using that feature. An example for that may be Apache supporting elliptic curve
-cryptography only from version 2.4 onwards no matter if OpenSSL supported it or
+cryptography only from version 2.4 onwards, no matter if OpenSSL supported it or
not.
As you may see from the above, creating a secure setup isn't just a matter of
configuration but also depends on several other factors with the most important
being the SSL libraries and their support of protocols and cipher suites.
-Furthermore applications actually need to make use of those.
+Furthermore, applications actually need to make use of those.
-For most configuration snipplets throughout this paper we used OpenSSL's cipher
+For most configuration snippets throughout this paper we used OpenSSL's cipher
strings. Sadly they are different from the official IANA standard names. When you
use a different library like for example GnuTLS (which is quite common on Debian
systems) you might need to change the cipher string. The hex code for a cipher
Browserchecks
\begin{itemize}
-\item Check your browser's ssl capabilities: \url{https://cc.dcsec.uni-hannover.de/} and \url{https://www.ssllabs.com/ssltest/viewMyClient.html}.
+\item Check your browser's SSL capabilities: \url{https://cc.dcsec.uni-hannover.de/} and \url{https://www.ssllabs.com/ssltest/viewMyClient.html}.
\end{itemize}
git.bettercrypto.org / ach-master.git / commitdiff