% This list is based on : http://en.wikipedia.org/wiki/Relational_database_management_system#Market_share
%% ----------------------------------------------------------------------
-\subsubsection{Oracle}
-\begin{description}
-\item[Tested with Version:] not tested
+\subsection{Oracle}
+%\subsubsection{Tested with Version}
+\todo{not tested yet}
-\item[References:] (German)
-{\small \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}}
+\subsubsection{References}
+\begin{itemize}
+ \item Technical safety requirements by \emph{Deutsche Telekom AG} (German). Please read section 17.12 or pages 129 and following (Req 396 and Req 397) about SSL and ciphersuites \url{http://www.telekom.com/static/-/155996/7/technische-sicherheitsanforderungen-si}
+\end{itemize}
-Please read the following pages about SSL and ciphersuites:\\
-p. 129 -Req 396 and Req 397 \\
-
-\end{description}
%% ----------------------------------------------------------------------
+ \subsubsection{SQL Server}
\todo{write this}
-
+
%% ----------------------------------------------------------------------
-\subsubsection{MySQL}
-
-\begin{description}
-\item[Tested with Version:] Debian 7.0 and MySQL 5.5
+\subsection{MySQL}
+\subsubsection{Tested with Version}
+\begin{itemize}
+ \item Debian 7.0 and MySQL 5.5
+\end{itemize}
-\item[Settings:] \mbox{}
-\paragraph*{my.cnf}\mbox{}\\
-
-\begin{lstlisting}[breaklines]
+\subsubsection{Settings}
+\paragraph*{my.cnf}
+\begin{lstlisting}
[mysqld]
ssl
ssl-ca=/etc/mysql/ssl/ca-cert.pem
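Review bot: the heading levels in this hunk end up inconsistent: Oracle and MySQL are promoted from `\subsubsection` to `\subsection`, but SQL Server is added as `+ \subsubsection{SQL Server}` (with a stray leading space), so it would nest under the Oracle section instead of sitting beside it; make it `\subsection{SQL Server}`. The same goes for the "Tested with Version" block: MySQL gets a real `\subsubsection{Tested with Version}` with an itemize, while for Oracle that heading is commented out and replaced by a bare `\todo{not tested yet}`; keeping the heading and putting the `\todo` under it would keep the two database sections structurally identical. Two smaller points: "Technical safety requirements" for "Technische Sicherheitsanforderungen" should read "Technical security requirements", and dropping `[breaklines]` from the `my.cnf` listing is fine only as long as no path in it grows past the line width.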
and \verb|auth| options both take a single argument that must match on
client and server.
-\paragraph{Server Configuration}\mbox{}
+\paragraph{Server Configuration}\mbox{}\\
- % this is only a DoS-protection, out of scope:
- % # TLS Authentication
- % tls-auth ta.key
- \todo{FIXME: we should use the CIPHERSTRINGB macro here}
- % previous:
- % tls-cipher
- % ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-CAMELLIA256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA:AES256-SHA
+
% the cipherlist here is config B without the ECDHE strings, because
% it must fit in 256 bytes...
- \begin{lstlisting}
+ % DO NOT CHANGE TO THE CIPHERSTRING MACRO!
-\begin{lstlisting}[breaklines]
tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
cipher AES-256-CBC
auth SHA384
Client and server have to use compatible configurations, otherwise they can't communicate.
The \verb|cipher| and \verb|auth| directives have to be identical.
-\begin{lstlisting}[breaklines]
+ % the cipherlist here is config B without the ECDHE strings, because
+ % it must fit in 256 bytes...
+ % DO NOT CHANGE TO THE CIPHERSTRING MACRO!
- tls-cipher %*CIPHERSTRINGB*)
+\begin{lstlisting}
+ tls-cipher DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA128-SHA:DHE-RSA-AES128-SHA:CAMELLIA256-SHA:AES256-SHA:CAMELLIA128-SHA:AES128-SHA
cipher AES-256-CBC
auth SHA384
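Review bot: in the Server Configuration part of this hunk both `\begin{lstlisting}` lines are removed (`- \begin{lstlisting}` and `-\begin{lstlisting}[breaklines]`) and nothing replaces them, so `tls-cipher ...`, `cipher AES-256-CBC` and `auth SHA384` would be typeset as body text and the listing's closing `\end{lstlisting}` would be unmatched; add `\begin{lstlisting}[breaklines]` after the `% DO NOT CHANGE TO THE CIPHERSTRING MACRO!` comment, as the Client part of the hunk does with `+\begin{lstlisting}`. In the Client part, `[breaklines]` should be kept as well: the `tls-cipher` line is far longer than one line of the page and will run off the margin without it, and the leading space on `+ tls-cipher` renders as an indentation that `cipher` and `auth` do not have. Finally, the reason for this cipher list is now only in LaTeX comments (config B minus the ECDHE suites because of the 256-byte limit, plus the removed note that `tls-auth` is DoS protection only and out of scope); a reader of the rendered document will just see a list that differs from config B, so consider stating the deviation and its reason in a sentence of the text rather than only in comments.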